NAT an entire subnet for VPN traffic

Hi

We have a Cisco 892 router with a working IPSEC VPN.

One of the internal networks overlaps another network at the other end of the VPN, so we are asked to NAT all traffic from it to another internal network:

LOCAL1 (the one that overlaps): 192.168.1.0/24

LOCAL2 (the one allowed for VPN traffic): 192.168.2.0/24

The idea is that a connection from 192.168.1.X would be NATted to IP 192.168.2.X before it is sent through the VPN.

There are no clients in the LOCAL2 network. A single IP (192.168.2.1) is configured in the router to be able to test connectivity from the LOCAL2 network to the VPN.

I have tried many different approaches to get this done without success. Any suggestions?

Relevant config:

interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 160 in
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!

!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp chap hostname i2c@euskalcm
 ppp chap password 0 XXXXXXXXX
 no cdp enable
 crypto map IPSEC-LIN3s-TO-ALDI-VPN
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.100 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.100 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.100 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.50 2222 interface Dialer0 2222
ip nat inside source static udp 192.168.1.50 2222 interface Dialer0 2222
ip route 0.0.0.0 0.0.0.0 Dialer0

!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 10.6.232.96 0.0.0.31
 permit ip 192.168.2.0 0.0.0.255 host 10.6.211.231
 permit ip 192.168.20.0 0.0.0.255 10.6.232.96 0.0.0.31
 permit ip 192.168.20.0 0.0.0.255 host 10.6.211.231
 permit ip 192.168.2.0 0.0.0.255 10.6.39.0 0.0.0.15
 permit ip 192.168.20.0 0.0.0.255 10.6.39.0 0.0.0.15
 permit ip 192.168.2.0 0.0.0.255 10.6.202.0 0.0.0.15
 permit ip 192.168.20.0 0.0.0.255 10.6.202.0 0.0.0.15
 permit ip 192.168.2.0 0.0.0.255 10.6.232.32 0.0.0.15
 permit ip 192.168.20.0 0.0.0.255 10.6.232.32 0.0.0.15
 permit ip 192.168.2.0 0.0.0.255 10.6.22.128 0.0.0.31
 permit ip 192.168.20.0 0.0.0.255 10.6.22.128 0.0.0.31
 permit ip 192.168.2.0 0.0.0.255 10.6.210.128 0.0.0.63
 permit ip 192.168.20.0 0.0.0.255 10.6.210.128 0.0.0.63
 permit ip 192.168.2.0 0.0.0.255 10.6.35.0 0.0.0.63
 permit ip 192.168.20.0 0.0.0.255 10.6.35.0 0.0.0.63
!

access-list 100 deny ip 192.168.2.0 0.0.0.255 10.6.232.96 0.0.0.31
access-list 100 deny ip 192.168.2.0 0.0.0.255 host 10.6.211.231
access-list 100 deny ip 192.168.20.0 0.0.0.255 10.6.232.96 0.0.0.31
access-list 100 deny ip 192.168.20.0 0.0.0.255 host 10.6.211.231
access-list 100 deny ip 192.168.2.0 0.0.0.255 10.6.39.0 0.0.0.15
access-list 100 deny ip 192.168.2.0 0.0.0.255 10.6.202.0 0.0.0.15
access-list 100 deny ip 192.168.20.0 0.0.0.255 10.6.39.0 0.0.0.15
access-list 100 deny ip 192.168.20.0 0.0.0.255 10.6.202.0 0.0.0.15
access-list 100 deny ip 192.168.2.0 0.0.0.255 10.6.232.32 0.0.0.15
access-list 100 deny ip 192.168.2.0 0.0.0.255 10.6.22.128 0.0.0.31
access-list 100 deny ip 192.168.20.0 0.0.0.255 10.6.232.32 0.0.0.15
access-list 100 deny ip 192.168.20.0 0.0.0.255 10.6.22.128 0.0.0.31
access-list 100 deny ip 192.168.2.0 0.0.0.255 10.6.210.128 0.0.0.63
access-list 100 deny ip 192.168.2.0 0.0.0.255 10.6.35.0 0.0.0.63
access-list 100 deny ip 192.168.20.0 0.0.0.255 10.6.210.128 0.0.0.63
access-list 100 deny ip 192.168.20.0 0.0.0.255 10.6.35.0 0.0.0.63
access-list 100 deny ip 192.168.2.0 0.0.0.255 10.6.0.0 0.0.255.255
access-list 100 deny ip 192.168.20.0 0.0.0.255 10.6.0.0 0.0.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.21.0 0.0.0.255 any
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.255.255 any

 

3 Replies

Francesco Molino
VIP Alumni
Hi

First question. Your local subnet overlaps with the remote end subnet. Will they also nat in their end?

You don't need the vlan 2 interface and you can remove it.

Here is the command to NAT your network to another subnet:

ip nat inside source static network 192.168.1.0 192.168.2.0 /24

On your crypto ACL you're using 192.168.20.0/24, but I don't see any network like this in the config snippet you shared.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I had already tried using

 

ip nat inside source static network 192.168.1.0 192.168.2.0 /24

 

The VPN traffic worked fine, but internet access was lost. I guess it was a matter of this nat rule not being compatible with  

 

ip nat inside source list 100 interface Dialer0 overload

 

I could resolve the issue by doing the following (probably not all of them are needed):

 

1.- Denying traffic from 192.168.1.X in the general internet access list:

access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.6.232.96 0.0.0.31
access-list 100 deny   ip 192.168.1.0 0.0.0.255 host 10.6.211.231
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.6.39.0 0.0.0.15
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.6.202.0 0.0.0.15
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.6.232.32 0.0.0.15
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.6.22.128 0.0.0.31
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.6.210.128 0.0.0.63
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.6.35.0 0.0.0.63

 

2.- Creating a specific access list for the traffic that has to be NATted:

 

ip access-list extended VPN-TRAFFIC-TO_NAT
 permit ip 192.168.1.0 0.0.0.255 10.6.232.96 0.0.0.31
 permit ip 192.168.1.0 0.0.0.255 host 10.6.211.231
 permit ip 192.168.1.0 0.0.0.255 10.6.39.0 0.0.0.15
 permit ip 192.168.1.0 0.0.0.255 10.6.202.0 0.0.0.15
 permit ip 192.168.1.0 0.0.0.255 10.6.232.32 0.0.0.15
 permit ip 192.168.1.0 0.0.0.255 10.6.22.128 0.0.0.31
 permit ip 192.168.1.0 0.0.0.255 10.6.210.128 0.0.0.63
 permit ip 192.168.1.0 0.0.0.255 10.6.35.0 0.0.0.63
 deny   ip 192.168.1.0 0.0.0.255 any

 

3.- Creating an IP pool to use for nat:

ip nat pool VPN-TRAFFIC-TO_NAT-POOL 192.168.2.2 192.168.2.254 prefix-length 24

 

4.- Applying nat just to the acl:

 

ip nat inside source list VPN-TRAFFIC-TO_NAT pool VPN-TRAFFIC-TO_NAT-POOL overload

 

I am still waiting for confirmation from the client that this config works, but all my tests from the router were successful.
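The NAT rule selection behind the four steps above, modelled in Python as an added example (it is not code from this thread or from Cisco IOS). It assumes a simplified IOS model: static translations are applied before dynamic ones, and the first dynamic rule whose ACL permits a packet is used; the Dialer0 address 203.0.113.10, the remote host 10.6.232.100 and the internet host 198.51.100.7 are constructed, and only two of the thread's remote ranges are carried over.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def acl_permits(acl, src, dst):
    """First matching entry decides; no match means the implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")
# Two of the remote ranges from the thread's crypto ACL (constructed subset).
VPN_DSTS = [("10.6.232.96", "0.0.0.31"), ("10.6.211.231", "0.0.0.0")]
ACL_100_ORIG = [("deny", "192.168.2.0", "0.0.0.255", d, w) for d, w in VPN_DSTS] + \
               [("permit", "192.168.1.0", "0.0.0.255", *ANY), ("permit", "192.168.2.0", "0.0.0.255", *ANY)]
# Step 1 of the fix: keep 192.168.1.0/24 -> VPN traffic out of the internet PAT rule.
ACL_100_FIXED = [("deny", "192.168.1.0", "0.0.0.255", d, w) for d, w in VPN_DSTS] + ACL_100_ORIG
# Step 2: only 192.168.1.0/24 -> VPN destinations is eligible for the pool translation.
ACL_TO_NAT = [("permit", "192.168.1.0", "0.0.0.255", d, w) for d, w in VPN_DSTS] + \
             [("deny", "192.168.1.0", "0.0.0.255", *ANY)]
DIALER0 = "203.0.113.10"   # constructed stand-in for the negotiated Dialer0 address

def translate(rules, src, dst):
    """Translated source of an inside->outside packet, or None. Simplified IOS model
    (assumption): static entries win; then the first dynamic rule whose ACL permits."""
    for r in rules:
        if r["kind"] == "static_network":
            inside, outside = ipaddress.ip_network(r["inside"]), ipaddress.ip_network(r["outside"])
            if ipaddress.ip_address(src) in inside:   # host part carries over: 1.X -> 2.X
                return str(outside.network_address + (int(ipaddress.ip_address(src)) - int(inside.network_address)))
    for r in rules:
        if r["kind"] == "dynamic" and acl_permits(r["acl"], src, dst):
            return r["target"]
    return None

# First attempt: 'static network' NAT next to the existing internet PAT (list 100).
BEFORE = [{"kind": "static_network", "inside": "192.168.1.0/24", "outside": "192.168.2.0/24"},
          {"kind": "dynamic", "acl": ACL_100_ORIG, "target": DIALER0}]
# Steps 3-4: pool NAT with overload (one pool address modelled) only for VPN-bound traffic.
AFTER = [{"kind": "dynamic", "acl": ACL_TO_NAT, "target": "192.168.2.2"},
         {"kind": "dynamic", "acl": ACL_100_FIXED, "target": DIALER0}]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        for dst in ("10.6.232.100", "198.51.100.7"):   # constructed VPN-side and internet hosts
            print(name, "192.168.1.50 ->", dst, "leaves as", translate(rules, "192.168.1.50", dst))
```

In the "before" model the internet-bound packet leaves with the private source 192.168.2.50, which matches the lost internet access described; in the "after" model it leaves as the Dialer0 address while VPN-bound traffic gets a 192.168.2.0/24 pool address.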

Yes, you're right, I focused only on the VPN without checking the existing Internet NAT.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question