02-29-2012 02:39 AM - edited 03-07-2019 05:15 AM
How can we configure the router to work as per the following request:
When users from the LAN want to contact the central site, they have to pass through NAT and go out with the loopback address, which should go into the tunnel.
When users want to go to the Internet, they bypass NAT with the loopback address and go out to the outside with the outside address.
03-04-2012 10:45 PM
Quite an interesting issue!
Suppose your LAN is 10.10.10.x and your central site is 20.20.20.x.
Let's attack NAT first. I will make it simpler by putting the IP address of the loopback interface in a "NAT pool". Also, we need to make the router aware that for different destinations you need different NATs.
interface GigabitEthernet1/0
 description LAN
 ip nat inside
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet2/0
 description INTERNET
 ip nat outside
!
! Pool holding only the loopback address, used for central-site traffic
ip nat pool LOOPBACK-POOL 1.1.1.1 1.1.1.1 netmask 255.255.255.0
! Internet-bound LAN traffic is overloaded onto the outside interface address
ip nat inside source list INTERNET interface GigabitEthernet2/0 overload
! Central-site LAN traffic is overloaded onto the loopback address
ip nat inside source list CENTRALSITE pool LOOPBACK-POOL overload
!
ip access-list extended INTERNET
 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
 deny ip any any
ip access-list extended CENTRALSITE
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
 deny ip any any
Now we will attack the VPN issue. NAT generally messes up traditional ACL-based VPNs, so I will choose a route-based VPN. To do that I will need to create a tunnel interface and make sure to route through the tunnel interface. Also, we need to configure "ip nat outside" on the tunnel interface so we can mix VPN and NAT altogether. The following is the partial configuration of the VPN.
! Static route sends central-site traffic into the tunnel (subnet mask, not wildcard)
ip route 20.20.20.0 255.255.255.0 Tunnel0
!
interface Tunnel0
 ip nat outside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Routed_VPN
! Tunnel source/destination and the IPsec profile itself are not shown (partial config)
I'm writing this config off the top of my head; I didn't have time to verify it, so hopefully it's OK. If you give more information about your topology I could make a lab. Also, if you need more info about route-based VPNs you could read this: http://packetlife.net/blog/2011/aug/17/policy-based-vs-route-based-vpns-part-2/
Please rate if it helps. Kind regards
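Added example, not code from the thread: a small Python model of the two ACLs and NAT statements above, to check which source address a LAN flow leaves with. It assumes IOS wildcard-mask matching and first-match evaluation of the NAT statements in configured order, and 203.0.113.1 is a constructed stand-in for the g2/0 address. It also shows why the deny line in INTERNET matters: without it, central-site traffic is permitted by both ACLs and can be translated to the outside address instead of the loopback.

```python
import ipaddress

# Constructed model of the thread's two named ACLs as IOS-style entries:
# (action, source, source-wildcard, destination, destination-wildcard).
# "any" is written as 0.0.0.0 with wildcard 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")
ACLS = {
    "INTERNET": [
        ("deny", "10.10.10.0", "0.0.0.255", "20.20.20.0", "0.0.0.255"),
        ("permit", "10.10.10.0", "0.0.0.255", *ANY),
    ],
    "CENTRALSITE": [
        ("permit", "10.10.10.0", "0.0.0.255", "20.20.20.0", "0.0.0.255"),
    ],
}
# The same ACLs with the deny line left out of INTERNET: central-site
# traffic is then matched by INTERNET as well.
ACLS_NO_DENY = {**ACLS, "INTERNET": ACLS["INTERNET"][1:]}

# Address each "ip nat inside source list" statement translates to.
OUTSIDE_ADDR = "203.0.113.1"   # constructed stand-in for the g2/0 address
LOOPBACK_POOL = "1.1.1.1"      # the LOOPBACK-POOL address from the thread
NAT_RULES = [("INTERNET", OUTSIDE_ADDR), ("CENTRALSITE", LOOPBACK_POOL)]

def wildcard_match(addr, net, wild):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a | w) == (n | w)

def acl_permits(acl, src, dst):
    """First matching entry decides; no match is the implicit deny."""
    for action, snet, swild, dnet, dwild in acl:
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action == "permit"
    return False

def translated_source(src, dst, acls=ACLS, rules=NAT_RULES):
    """Source address a LAN packet leaves with, or None if no NAT rule matches.
    Rules are tried in configured order; with the deny line the two ACLs are
    disjoint, so the order cannot change the result."""
    for acl_name, new_src in rules:
        if acl_permits(acls[acl_name], src, dst):
            return new_src
    return None

def nat_rules_disjoint(acls=ACLS, rules=NAT_RULES, samples=()):
    """True if no sample (src, dst) flow is permitted by more than one NAT ACL."""
    return all(sum(acl_permits(acls[n], s, d) for n, _ in rules) <= 1
               for s, d in samples)
```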
03-04-2012 11:48 PM
Hi Eduardo,
(I hope I've written this correctly.)
We didn't have time to test your solution. Because of the importance of the problem, we had to find a solution. Anyway, thank you for your time. If you want, I can post the config of our solution.
04-19-2012 03:11 AM
Eduardo, I had almost the same task and your solution works.
Actually, if you use the loopback pool there is no need for the loopback interface itself.
Thank you.