Solved: thank you so much...it works!

edilson.silva1 · ‎06-08-2017

Hi folks,

I need to do a DNAT and then send traffic to a Site-to-Site VPN IPSEC.
The VPN tunnel is Okay (Phase one and two), but now i need to do the DNAT on router "Router-001". How can I do it?

Attached document

VPN configuration:

crypto isakmp key *********** (IP Peer Client)

crypto map cedro-crypto 250 ipsec-isakmp
description VPN RENA
set peer (IP Peer Client)
set security-association lifetime seconds 86400
set transform-set 3des-sha
match address vpn_renascenca_bkp

crypto isakmp policy 260
encr 3des
authentication pre-share
group 2

Extended IP access list vpn_renascenca_bkp
10 permit ip 10.254.9.0 0.0.0.255 10.3.4.32 0.0.0.31

INTERNAL ROUTER INTERFACE:

interface FastEthernet0/0.200
description LINK REDE CIRCUITOS (VLAN 200)
encapsulation dot1Q 200
ip address 10.154.4.77 255.255.255.192
ip accounting output-packets
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
no cdp enable
end

EXTERNAL ROUTER INTERFACE:

interface FastEthernet0/1
ip address 200.200.19.5 255.255.255.128
speed 100
full-duplex
no cdp enable
crypto map cedro-crypto
end

Francesco Molino · ‎06-08-2017

Hi

To achieve this task (if I understood correctly), you'll need to use ip nat outside command.

Let's recap:

- real IP of your server: 10.3.4.33

- local IP of your server: 192.168.231.1

we assume that route isn't existing for your local server IP.

The command would be:

ip nat outside source static 10.3.4.33 192.168.231.1 add-route

Then from internal, if you reach your local IP 192.168.231.1, the traffic will be redirected to 10.3.4.33

I assume that your internal interface and external have already the command ip nat inside and outside.

Some outputs I already past on this forum for same question.

- my real srv ip: 8.8.8.8

- my local srv ip: 1.1.1.1

I've the design below:

R1 --- R2 --- R3

On R2 inside:

interface g0/0

ip nat inside

On R2 outside:

interface g0/1

ip nat outside

Globally:

ip nat outside source static 8.8.8.8 1.1.1.1 add-route

Then I ping from R1 to 1.1.1.1:

R1#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!

And debug ip icmp on R3:

*Jun 8 23:59:23.062: ICMP: echo reply sent, src 8.8.8.8, dst 192.168.0.2, topology BASE, dscp 0 topoid 0
*Jun 8 23:59:23.063: ICMP: echo reply sent, src 8.8.8.8, dst 192.168.0.2, topology BASE, dscp 0 topoid 0
*Jun 8 23:59:23.065: ICMP: echo reply sent, src 8.8.8.8, dst 192.168.0.2, topology BASE, dscp 0 topoid 0
*Jun 8 23:59:23.066: ICMP: echo reply sent, src 8.8.8.8, dst 192.168.0.2, topology BASE, dscp 0 topoid 0
*Jun 8 23:59:23.071: ICMP: echo reply sent, src 8.8.8.8, dst 192.168.0.2, topology BASE, dscp 0 topoid 0

Thanks

PS: Please don't forget to rate and mark as correct answer.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎06-08-2017

Hi

To achieve this task (if I understood correctly), you'll need to use ip nat outside command.

Let's recap:

- real IP of your server: 10.3.4.33

- local IP of your server: 192.168.231.1

we assume that route isn't existing for your local server IP.

The command would be:

ip nat outside source static 10.3.4.33 192.168.231.1 add-route

Then from internal, if you reach your local IP 192.168.231.1, the traffic will be redirected to 10.3.4.33

I assume that your internal interface and external have already the command ip nat inside and outside.

Some outputs I already past on this forum for same question.

- my real srv ip: 8.8.8.8

- my local srv ip: 1.1.1.1

I've the design below:

R1 --- R2 --- R3

On R2 inside:

interface g0/0

ip nat inside

On R2 outside:

interface g0/1

ip nat outside

Globally:

ip nat outside source static 8.8.8.8 1.1.1.1 add-route

Then I ping from R1 to 1.1.1.1:

R1#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!

And debug ip icmp on R3:

*Jun 8 23:59:23.062: ICMP: echo reply sent, src 8.8.8.8, dst 192.168.0.2, topology BASE, dscp 0 topoid 0
*Jun 8 23:59:23.063: ICMP: echo reply sent, src 8.8.8.8, dst 192.168.0.2, topology BASE, dscp 0 topoid 0
*Jun 8 23:59:23.065: ICMP: echo reply sent, src 8.8.8.8, dst 192.168.0.2, topology BASE, dscp 0 topoid 0
*Jun 8 23:59:23.066: ICMP: echo reply sent, src 8.8.8.8, dst 192.168.0.2, topology BASE, dscp 0 topoid 0
*Jun 8 23:59:23.071: ICMP: echo reply sent, src 8.8.8.8, dst 192.168.0.2, topology BASE, dscp 0 topoid 0

Thanks

PS: Please don't forget to rate and mark as correct answer.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

edilson.silva1 · ‎06-09-2017

thank you so much...it works!

Francesco Molino · ‎06-09-2017

you're very welcome

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

VPN + DNAT