08-25-2009 12:34 PM - edited 03-06-2019 07:25 AM
Hello Cisco Pros,
I have a router with a single internet-routable IP address, and an ipsec VPN connection via a Tunnel0 interface. I'd like to setup NAT through the router such that traffic arriving from anywhere on the Internet on port 80 goes to a different host across the ipsec VPN on port 8080. I've tried a lot of different configuration examples, and can't seem to get it right. Is this at all possible?
I've tried:
interface Tunnel0
ip address 192.168.1.1 255.255.255.252
ip nat inside
interface FastEthernet 1/0
ip address 12.34.56.78 255.255.255.252
ip nat outside
ip nat inside source static tcp 192.168.1.2 8080 12.34.56.78 80
(where 192.168.1.2 is a host across the VPN tunnel, and 12.34.56.78 is the external IP address of F1/0)
Nothing I'm trying is working. Thanks for your suggestions!
08-25-2009 01:09 PM
Could you break down your issue using IP addresses? From which interface packets enter and exit?
08-25-2009 01:32 PM
Sure, packets will enter through the F1/0 interface, and will be destined for 12.34.56.78 (or a similar IP if I cannot use F1/0's address). I'd then like to NAT the traffic using Tunnel0's IP address.
So it works like this:
Internet User --> 12.34.56.78:8080 --> goes through vpn to 192.168.1.2:80.
Hope this makes sense.
08-25-2009 03:10 PM
What is the source address of Tunnel0? Are you sourcing the tunnel from f1/0?
08-26-2009 05:41 AM
Yes, I am sourcing it from F1/0:
interface Tunnel0
ip address 192.168.1.1 255.255.255.252
ip nat inside
ip virtual-reassembly
tunnel source 12.34.56.78
tunnel destination 23.45.67.89
tunnel mode ipsec ipv4
tunnel protection ipsec profile P1
I can change where traffic is sourced from, if necessary. I just need Internet users to be NATted over the IPsec VPN tunnel somehow. Thanks!
08-26-2009 06:02 AM
I think that's the reason why it's not working right now. Here 'ip nat inside' and 'ip nat outside' are virtually present on the same physical interface f1/0.
Is it possible for you to use an interface other than f1/0 as the tunnel source?
08-26-2009 06:13 AM
Sure, I also have a F1/1 interface I could use. Let me try that and see if it fixes anything. Thanks for your replies!
08-27-2009 07:09 AM
I have a host on the other side of the VPN tunnel. I do not want this host to see the true source of the outside global host. No matter how I set up NAT, the outside global's source IP always comes through to my inside local host.
How (using NAT) can I have traffic from an Internet host flow through the router, so that my inside host only sees an IP request coming from the router?
Thanks!