11-07-2014 04:18 PM - edited 03-07-2019 09:25 PM
Hello,
I am trying to configure PAT from an internal network to an external network, but the translated source IP address must be one from a loopback interface (not from the actual outside interface).
The network looks like this: https://i.imgur.com/A8SuQec.png
PC1 and PC2 need to have access to Internet, to each other (through IPsec tunnel) and to PC3 (through IPIP/IPsec transport). PC3 will not initiate connections to PC1 nor to PC2.
R1 only advertises 172.16.0.0/24 and 10.0.0.0/30 to R3. R1 does NOT advertise 192.168.x.x to R3. That cannot be changed, that is why I need to change the source IP address from 192.168.x.x to 172.16.0.x before sending packets to PC3.
IPsec and routing are working correctly:
- PC1 and PC2 can communicate through IPsec
- Tunnel and BGP session between R1 and R3 are up, routes are exchanged as expected
- R1 can ping PC3 with source address 172.16.0.1
However, when I ping PC3 from PC1 or PC2, I see packets arriving with source address 192.168.0.2 or 192.168.1.2.
Is there a way to do this?
11-09-2014 08:16 PM
You can NAT the entire 192.168.0.0/24 subnet to the loopback interface with NAT overloading like this:
ip access-list extended ACL_NAT
 permit ip 192.168.0.0 0.0.0.255 172.16.254.0 0.0.0.255
!
ip nat inside source list ACL_NAT interface Loopback0 overload
Everything on the 192.168.0.0/24 network will appear to come from 172.16.0.1 when connecting to 172.16.254.0/24.
Obviously, this is a general example, but it's the best I can do without knowing how your NAT is currently configured. It shouldn't be too difficult to work into an existing configuration.
11-10-2014 01:13 PM
Thanks, I found a mistake in my configuration: I had put "ip nat outside" on the loopback interface instead of the tunnel interface.
Thanks!
11-10-2014 01:29 PM
Normally, the "ip nat outside" statement goes on the outbound interface for the traffic. I've never needed it on a loopback, but if it's working, cool!
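Putting the accepted answer's NAT statement together with the interface placement that resolved the thread (`ip nat inside` on the LAN, `ip nat outside` on the tunnel toward R3, not on the loopback), as an added example rather than either poster's configuration. The interface names GigabitEthernet0/0 and Tunnel0 and the interface addresses are assumed; the subnets and the loopback address are the ones used in the thread.

```cisco
! Added example, not the original poster's or answerer's configuration.
! Interface names and interface addresses below are assumed.
interface Loopback0
 ip address 172.16.0.1 255.255.255.255
!
! Inside: the LAN holding the 192.168.0.0/24 hosts (router address assumed).
interface GigabitEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
! Outside: the IPIP/IPsec transport toward R3, not the loopback.
! Translation happens as packets are routed out this interface, so
! the translated 172.16.0.1 source is what gets encapsulated and sent.
! Tunnel address assumed from the 10.0.0.0/30 prefix mentioned in the thread.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
!
! Only traffic bound for 172.16.254.0/24 is translated. PC1-to-PC2 traffic
! carried in the site-to-site IPsec tunnel does not match and keeps its
! original 192.168.x.x address, so the crypto ACLs still see it.
ip access-list extended ACL_NAT
 permit ip 192.168.0.0 0.0.0.255 172.16.254.0 0.0.0.255
!
! PAT every matching inside source to the loopback address.
ip nat inside source list ACL_NAT interface Loopback0 overload
```

After a ping from PC1 to PC3, `show ip nat translations` on R1 should list 192.168.0.2 mapped to 172.16.0.1; with `ip nat outside` on Loopback0 instead of Tunnel0 nothing is translated, because no traffic is routed out the loopback.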