cisco ios: nat to internet then static nat then ipsec s2s

Peter Handke · ‎10-02-2012

Hello

I try to figure out my problem, i need:

1. nat for internet connection for my LAN: 192.168.2.0/24

2. static nat - because of subnet overlaping in ipsec

192.168.2.99 <-> 192.168.12.99 or whole subnet 192.168.2.0/24 <-> 192.168.12.0/24

3. ipsec s2s between 192.168.12.0/24 (after static nat) and 10.172.145.11/32

I try few configs, ipsec is working but i can't reach internet from host ie 192.168.2.99, what is wrong ?

my last config:

crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac

set security-association lifetime seconds 86400

set transform-set IPSEC

match address 100

ip nat inside source list 101 interface FastEthernet0/0 overload

ip nat inside source static 192.168.2.99 192.168.12.99 route-map no-static-nat

ip nat inside source static network 192.168.2.0 192.168.12.0 /24

access-list 100 permit ip 192.168.12.0 0.0.0.255 host 10.172.145.11

access-list 101 deny ip 192.168.2.0 0.0.0.255 host 10.172.145.11

access-list 101 permit ip 192.168.2.0 0.0.0.255 any

access-list 111 deny ip 192.168.2.0 0.0.0.255 host 10.172.145.11

access-list 111 permit ip 192.168.2.0 0.0.0.255 any

route-map no-static-nat permit 10

match ip address 111

thanks for help or clue

Harish Balakrishnan · ‎10-03-2012

Hello Peter,

Can you remove the below entry and have a test

ip nat inside source static 192.168.2.99 192.168.12.99 route-map no-static-nat

I think this is not really required since you have

ip nat inside source static network 192.168.2.0 192.168.12.0 /24 iin place it does the same

regards

Harish.

Peter Handke · ‎10-03-2012

As you suggested i removed this line and nothing changed, hosts via ipsec are accessible, internet don't

#ping 10.172.145.11 source 192.168.2.253

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/40 ms

ping 8.8.8.8 source 192.168.2.253

Success rate is 0 percent (0/5)

#sh ip nat translations | include 192.168.12.253

icmp 192.168.12.253:29 192.168.2.253:29 8.8.8.8:29 8.8.8.8:29

--- 192.168.12.253 192.168.2.253 --- ---

Harish Balakrishnan · ‎10-03-2012

Hello Peter,

Can you try from a PC under the router. Because if you try from your router with a source doenst go through NAT rules and you wont be able to ping internet

regards

Harish.

Please rate helpful posts!

Peter Handke · ‎10-03-2012

confirmed. Internet doesn't work from pc inside my LAN..

Harish Balakrishnan · ‎10-03-2012

Hello Peter,

Please do the following

no ip nat inside source static network 192.168.2.0 192.168.12.0 /24

access-list 112 permit ip 192.168.2.0 0.0.0.255 host 10.172.145.11

route-map natpolicy permit 10

match ip address 112

ip nat inside source static 192.168.2.0 192.168.12.0 route-map natpolicy

regards

Harish

Peter Handke · ‎10-03-2012

Internet still doesn't work, ipsec is ok. It's very strange imho it should work

however, big thanks Harish for help

regards

Peter

rfera · ‎10-04-2012

Hi Peter,

FWIW I have been trying myself to solve this exact same problem for a few years now without success. ASA's can do it (via policy static network nat), but apparently IOS can't. Several weeks ago I posted the question on this forum and, after many back-and-forth replies, still do not have a solution (or an answer to why my latest attempt didn't work). Here is a link to my thread and some of the things I have tried: https://supportforums.cisco.com/thread/2172082

So, if you manage to find an answer, I'd love to hear it! :-)

Good luck,

Bob