NATed VPN using one interface

Joel Johnson (Level 1)

Hello,

I'm currently having an issue with a NAT'ed, hairpinned s2s VPN setup. The VPN itself is up and running OK, but I don't seem to be able to ping or route past the remote peer. Please see the image attached for a quick overview.

Based on the diagram, from 192.168.100.1 I am able to ping 10.50.13.50 over the VPN tunnel and back, but I am unable to ping anything else or further hops such as 10.50.13.2 or 'other subnets'. The rules in place on the 'firewall' are correct and allow the specified traffic. We can see traffic being returned to 10.50.13.50 from 10.50.13.2, for example during a ping, but not any further.

I think the problem lies with how I am trying to NAT or route the traffic in this hairpin type scenario. All the other s2s tunnels I have configured previously have used a dedicated inside and outside interface, so I'm a bit stuck on this one.

Thanks for any assistance.


4 Replies

JP Miranda Z (Cisco Employee)
Joel Johnson,

I can't really find an error, at least in the configuration you are sharing for both routers; if I do the same in my lab everything works fine. Considering the ASA config is not here, the only thing I did to make this as simple as possible was add a route for 192.168.100.0/24 pointing to 10.50.13.50 (my firewall is open), so when this traffic gets to the router it hits the U-turn NAT and goes over the VPN tunnel:

Router#sh ip nat nvi translations
Pro Source global Source local Destin local Destin global
icmp 10.50.13.50:7684 10.50.13.2:7684 192.168.100.1:7684 192.168.100.1:7684

ciscoasa# ping inside 192.168.100.1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/10 ms
ciscoasa# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0 inside 10.50.13.2 255.255.255.0

Considering that, I would recommend you take some captures and also run a packet-tracer to confirm the traffic is flowing fine from the ASA to the router:
cap <name> interface inside match ip host <other subnets> host 192.168.100.1
packet-tracer input inside icmp <other subnets host> 8 0 192.168.100.1 detail

Also, for testing you can use the following command to make sure the traffic is being encrypted and decrypted:
sh cry ipsec sa peer 109.200.100.100

Hope this info helps!!

Rate if it helps you!!

-JP-

Thanks for the reply JP,

After doing some further packet captures I could see traffic bouncing about.

I managed to come across this great video, which helped me fix the issue. Luckily it was simple to follow and matched my scenario. I just needed to add a loopback address and route traffic correctly.

https://www.youtube.com/watch?v=ARg-RYM0tIs
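As an added illustration of the loopback approach the reply above describes (example configuration written for this page, not the poster's own config and not the content of the linked video), the following IOS snippet shows "NAT on a stick" for a router whose only interface sits on the LAN. The addresses that appear in the thread are reused (router LAN address 10.50.13.50, ASA inside 10.50.13.2, remote LAN 192.168.100.0/24); the interface name Vlan1, the Loopback0 address, the ACL and route-map names, and the ASA route are assumptions. The crypto map itself is not shown, only the crypto ACL it would have to match.

```cisco
! Example only: NAT on a stick (loopback + policy routing) for a router
! whose single interface is on the LAN. Thread addresses are reused;
! interface name, loopback address and ACL/route-map names are assumptions.
!
! --- Option A: loopback + policy routing (the approach in the reply above)
interface Loopback0
 ip address 10.255.255.1 255.255.255.252
 ip nat inside
!
interface Vlan1
 ip address 10.50.13.50 255.255.255.0
 ip nat outside
 ip policy route-map NAT-ON-A-STICK
 ! the crypto map for the tunnel is also applied here (not shown)
!
! LAN -> remote LAN traffic enters Vlan1 ("outside") and is policy-routed
! to Loopback0 ("inside"); it is then routed back out of Vlan1, where
! inside-to-outside NAT translates the source. Decrypted return traffic
! is translated back to the LAN host before routing, so it must also be
! pushed through the loopback to complete the outside-to-inside path.
ip access-list extended PBR-TO-LOOPBACK
 permit ip 10.50.13.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 10.50.13.0 0.0.0.255
!
route-map NAT-ON-A-STICK permit 10
 match ip address PBR-TO-LOOPBACK
 set interface Loopback0
!
! Hide the LAN behind the router's own address, the only address the
! remote side needs to reach (as in the translation table JP posted).
ip access-list extended NAT-SOURCES
 permit ip 10.50.13.0 0.0.0.255 192.168.100.0 0.0.0.255
ip nat inside source list NAT-SOURCES interface Vlan1 overload
!
! Default route toward the ASA, which forwards to the remote peer
ip route 0.0.0.0 0.0.0.0 10.50.13.2
!
! NAT runs before encryption, so the crypto ACL must match the
! translated source (the router's interface address), not the LAN subnet:
ip access-list extended VPN-INTERESTING
 permit ip host 10.50.13.50 192.168.100.0 0.0.0.255
!
! --- Option B: NAT Virtual Interface (what "sh ip nat nvi translations"
! in JP's lab output reflects). No loopback or PBR; use one option only.
! interface Vlan1
!  ip nat enable
! ip nat source list NAT-SOURCES interface Vlan1 overload
!
! --- ASA side (assumption matching JP's lab): point the remote LAN at the
! router so replies from 10.50.13.2 reach the tunnel instead of the default
! route. Apply on the ASA, not the router:
! route inside 192.168.100.0 255.255.255.0 10.50.13.50
```

With Option A, `sh ip nat translations` should show 10.50.13.x sources translated to 10.50.13.50 once a LAN host talks to the remote subnet; with Option B the same entries appear under `sh ip nat nvi translations`, as in JP's output. If the crypto ACL still lists the LAN subnet rather than the router's address, the translated packets will not be classified as interesting traffic and `sh cry ipsec sa` will show no encaps for them.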

Joel Johnson,

Great news!

Not sure why NVI (NAT Virtual Interface) is not working for you; maybe it's something related to the version you are running on your Router 800. The way you found in that video is also completely valid and, as you already said, you got it working. I will also share another discussion about this topic where one of my colleagues provided the 2 options available to do NAT on a stick:
https://community.cisco.com/t5/routing/nat-hairpinning/td-p/2475807

Great job man!

Hope this info helps!!

Rate if it helps you!!

-JP-

Thanks again,

This was one of the original posts I came across when searching; it led me on to finding the video, which gave me a very clear idea of how to implement it in my environment.