NAT a VPN client on a Cisco Router to an inside IP Address

richard.jackson
Level 1

I have a network where I need to manage an IPS on an ASA through a VPN client terminated on an “out of band” router.

The issue I am having is that the IPS module will not route to the VPN client IP, so I think I need to appear on the same subnet.

I have tried using an IP NAT pool with the config below:

On the Vlan 1 and Dialer 1 interfaces:

ip nat enable

access-list 1 permit 172.16.1.0 0.0.0.255          !-> the VPN client pool

ip nat pool MYPOOL 10.201.97.100 10.201.97.110 prefix-length 24 add-route
                    !-> inside addresses

ip nat source list 1 pool MYPOOL

But this does not appear to work.

Any ideas on the best way to achieve this?

1 Reply

amitsova
Cisco Employee

Hey,

I hope it's not too late to shed some light on this question. Unfortunately, it's not possible to do NAT overload from outside-->inside with the traditional NAT configuration (ip nat outside source list x interface x/y overload).

BUT there are 2 separate workarounds, one for IOS and one for IOS-XE.

1) For IOS >> you need NAT NVI

- in this case we don't have ip nat inside/outside, but NAT will distinguish the direction of the flow, which gives the possibility to overload onto a specific inside interface out-->in

                           G0/1.1   .1 |-------2.2.2.0/24
1.1.1.100----/outside/-R1- inside
                           G0/1.2   .1 |-------3.3.3.0/24

interface GigabitEthernet0/0
 description outside interface
 ip address 1.1.1.2 255.255.255.0
 ip nat enable

interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 2.2.2.1 255.255.255.0
 ip nat enable

interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 3.3.3.1 255.255.255.0
 ip nat enable

! VPN client source range; both route-maps below reference ACL 101
access-list 101 permit ip 1.1.1.0 0.0.0.255 any

! "match interface" in a NAT route-map is the egress interface, so each
! route-map selects only the flows leaving through one LAN sub-interface
route-map nat-2 permit 10
 match ip address 101
 match interface GigabitEthernet0/1.2

route-map nat-1 permit 10
 match ip address 101
 match interface GigabitEthernet0/1.1

! NVI form (no inside/outside): overload the matching sources onto the
! address of the LAN sub-interface the traffic exits through
ip nat source route-map nat-1 interface GigabitEthernet0/1.1 overload
ip nat source route-map nat-2 interface GigabitEthernet0/1.2 overload
In this case, hosts coming from the VPN on the outside interface (1.1.1.100) will be translated to the IP address configured on the LAN interfaces.

2) IOS-XE >> it's quite complicated here, since IOS-XE does not support NVI, so we cannot overload out-->in (i.e. do ip nat outside source list 101 interface x/y overload)

- you would need to create a GRE tunnel with one leg in the global routing table and the other leg in a VRF, over which the traffic will be re-routed >> this way, from the router's point of view, the traffic is in-->out.

Traffic flow: outside - G0/0 --> Tunnel0 --> inside G0/1.1 / G0/1.2

!----CREATE VRF------!

ip vrf nat


!-----ASSIGN LAN INTERFACES TO VRF-NAT AND ADD THEM TO NAT OUTSIDE -------!

interface GigabitEthernet0/1.1
 ip vrf forwarding nat
 encapsulation dot1Q 1 native
 ip address 2.2.2.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1.2
 ip vrf forwarding nat
 encapsulation dot1Q 2
 ip address 3.3.3.1 255.255.255.0
 ip nat outside


!--------------------- TUNNEL CONFIGURATION -----------------!

! Both loopbacks stay in the global routing table; the GRE hairpin between
! them carries traffic from the GRT into VRF nat and back.
interface Loopback1
 description source for Tunnel0_GRT
 ip address 10.0.0.1 255.255.255.255

interface Loopback2
 description source for Tunnel1_VRF_NAT
 ip address 10.0.0.2 255.255.255.255

interface Tunnel0
 description GRT leg of the hairpin
 ip address 172.16.0.1 255.255.255.252
 tunnel source Loopback1
 tunnel destination 10.0.0.2

interface Tunnel1
 description VRF-nat leg of the hairpin; this is the NAT "inside"
 ip vrf forwarding nat
 ip address 172.16.0.2 255.255.255.252
 ip nat inside
 tunnel source Loopback2
 tunnel destination 10.0.0.1


!---------- ADD ROUTING BETWEEN THE GRT<--->VRF-NAT -----------!

! GRT: the LAN subnets are reached through the tunnel into VRF nat
ip route 2.2.2.0 255.255.255.0 Tunnel0 172.16.0.2
ip route 3.3.3.0 255.255.255.0 Tunnel0 172.16.0.2

! VRF nat: everything else (return traffic to the VPN clients) goes back into the GRT
ip route vrf nat 0.0.0.0 0.0.0.0 Tunnel1 172.16.0.1


! ---------------------- NAT-CONFIGURATION -------------------- !

!
access-list 101 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 102 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
!
route-map nat-1 permit 10
 match ip address 101
 match interface GigabitEthernet0/1.1

route-map nat-2 permit 10
 match ip address 102
 match interface GigabitEthernet0/1.2

! Inside (Tunnel1) --> outside (LAN sub-interface) within VRF nat, so the
! classic inside-source overload now applies to the VPN-originated flows
ip nat inside source route-map nat-1 interface GigabitEthernet0/1.1 vrf nat overload
ip nat inside source route-map nat-2 interface GigabitEthernet0/1.2 vrf nat overload

!--------------------------------------------------------------------!


Kudos to Anton Izov CCIE# 60094
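The IOS/NVI workaround from the reply, applied to the topology in the question, as an added example that is not part of the original post or of any Cisco documentation. It assumes Dialer1 is the interface the VPN clients arrive on, Vlan1 is the LAN facing the ASA/IPS with address 10.201.97.1/24, and 172.16.1.0/24 is the VPN client pool; the address of Vlan1 is inferred from the question's pool range, and the names VPN-CLIENTS and VPN-TO-LAN are made up here.

```cisco
! Added example (not from the original post): NVI NAT of VPN clients onto the LAN address.
! Assumed: Dialer1 = VPN-facing interface, Vlan1 = 10.201.97.1/24 facing the ASA/IPS,
!          172.16.1.0/24 = VPN client pool. VPN-CLIENTS and VPN-TO-LAN are arbitrary names.
interface Vlan1
 ip address 10.201.97.1 255.255.255.0
 ip nat enable
!
interface Dialer1
 ip nat enable
!
! Match only the VPN client pool towards the management LAN. A broader
! source (or "any" as destination) would also rewrite unrelated traffic
! that happens to exit Vlan1.
ip access-list extended VPN-CLIENTS
 permit ip 172.16.1.0 0.0.0.255 10.201.97.0 0.0.0.255
!
! "match interface" in a NAT route-map is the egress interface, so this
! entry only fires for VPN-client flows that are leaving towards the LAN.
route-map VPN-TO-LAN permit 10
 match ip address VPN-CLIENTS
 match interface Vlan1
!
! NVI form: no inside/outside. The source of a matching flow is overloaded
! onto Vlan1's own address, so the IPS sees 10.201.97.1 and has a
! directly connected path back to the manager.
ip nat source route-map VPN-TO-LAN interface Vlan1 overload
!
! Verification, once a VPN client has opened a management session:
! show ip nat nvi translations
! show ip nat nvi statistics
```

One consequence worth planning for: because every VPN client is overloaded onto 10.201.97.1, the ASA and IPS logs will attribute all management sessions to the router, not to the individual operator. Per-user attribution has to come from the router's own VPN session records and the NVI translation table (source port plus timestamp), so keep those logs if the management access is audited.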