831 VPN nat and pat

andifur · ‎10-23-2003

I was able to do this with the PIX 6(3).3 but I am having a hard time getting it to work on a router.

Here is what I need to do.

E0(LAN)=192.168.2.0/24

E1(WAN)= x.x.x.x

I need to NAT the 192.168.2.0/24 address to 172.21.2.0/24 only when going through the IPsec tunnel to 172.21.1.0/24. All other traffic must go out as the 192.168.2.0/24.

On the PIX it was simple to do policy nat.

static (inside,outside) 172.21.2.0 access-list VPN

Access-list VPN permit ip 172.21.2.0 255.255.255.0 172.21.1.0 255.255.255.0

Anyone have any ideas, hwo to get this done. I have tried using routemaps, but I am unable to then get the traffic NATed.

Thanks

Anthony

9w.boye · ‎10-24-2003

Hi Anthony,

very interesting. I have not tried it on a router, sorry.

But I have a question to you because not many - I guess - are using policy nat and then putting the natted traffic into ipsec.

It worked in my config too, but I ran into one further problem: I was not able to connect to the pix using its inside IP let's say for ssh or telnet through the vpn-tunnel. I used management-access inside and tried ssh through the vpn-tunnel on "172.21.1.1". I saw a xlate onto "192.168.2.1" (.1 = IP of Pix) but no connection.

If I worked it out without nat, it worked. Do you have a solution?

Hope you apologize my side-question.

William

andifur · ‎10-26-2003

William,

No, I dont have an answer for that. We normally do out of band access to these devices (modem) in case of a failure durning a config change or internet outage.

Just to give you an idea. We have a VPN set between a 3005 and a 501. I am unable to SSH, telnet or PDM to it from the remote side of the tunnel. I am however able to access it from our Corporate firewall. (I allowed that IP to the PIX just incase.) From my understanding, this cant be done from inside the tunnel even with out NATting the traffic. I may be completly wrong though.

gwatts21 · ‎10-29-2003

Route maps are one of the ways this can be achieved.

Basically you define a loopback interface on the router and route VPN traffic via it. For the loopback you apply a "nat inside" to it, for E0 you do not apply a nat command and for E1 you apply "nat outside". Obivously you also need to define the actual NAT translation that will occur via the usual means. eg ip nat inside source .....

Once this is done you apply policy based routing (route maps) to the E0 and E1 interfaces that match the VPN traffic and set the next hop as being via the loopback interface. All other traffic goes directly from E0 to E1.

The following is a good starting point however note it does essentially the opposite of what you want. ie No NAT for the VPN and NAT otherwise. The basic principles however are quite similar. http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

9w.boye · ‎11-07-2003

Very interesting solution for the starting problem of this thread!!

William

ccsmith · ‎12-31-2003

I was very glad to find someone else trying to accomplish this. We've been trying to get VPN users into the corporate LAN via a 3005 and then be able to send them and the local networks over a pix-to-pix ipsec vpn to a host at their client's location. We've been able to get it to work, but now that we try to hide everyone at the host (and 3005 vpn clients) behind a pat address towards the client server, we're having trouble getting the pix to pix vpn establish. In the ACL that you are using to define interesting traffic for the VPN do you use the internal address or the policy NAT address? We've tried both and neither seems to work.

Thanks in advance for any advice.

Chris Smith