Cisco site-to-site VPN noNAT in Intranet

Hi, I need an answer from a man who really understands how to configure Cisco routers. I have a specific problem.

First of all, there is no test environment. I have two Cisco 2811 routers in a production environment, so I must be very careful (the routers are constantly working 24/7).

My problem is that I need to configure a site-to-site VPN without NAT between these two routers, but with NAT on one side or the other for the Internet traffic.

Right now I have a site-to-site VPN up and running between two branches, but when I try to access a site (in the other branch) using its local IP (or DNS name) I can't, because of NAT'ing in the second branch.

Example:

From subnet 10.10.10.0 I am trying to reach 10.10.11.211. I can ping it, but I cannot connect through a browser (port 80). I can reach this site only using the public address. So I need to exclude NAT'ing for this site from the intranet but leave the site accessible to public users.

If you are willing to help me and have ideas how to fix this, I can explain the situation in more detail and share the code.

7 Replies

Jennifer Halim
Cisco Employee

If you configure static PAT for 10.10.11.211, then there is no way to bypass/configure noNAT for this IP.

If you configure static NAT for 10.10.11.211, then you can apply a route-map at the end of the static NAT statement to bypass NAT when the connection is towards the 10.10.10.0 network.

Hope this answers your question.

Maybe if I give you my configuration files you can help me more.

VPN tunnel side 10.103.3.0 (10.10.10.0 in the example), from which I try to access the web page on the 10.103.2.0 side:

Current configuration : 6206 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco2811
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable password termo1010
!
no aaa new-model
clock timezone Riga 2
clock summer-time Riga date Mar 30 2003 3:00 Oct 26 2003 4:00
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.103.3.1
!
ip dhcp pool Kaunakiemio
   import all
   network 10.103.3.0 255.255.255.0
   dns-server 10.103.2.207 195.14.170.xx
   default-router 10.103.3.1
!
!
ip domain name yourdomain.com
ip name-server 10.103.2.207
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
crypto pki trustpoint TP-self-signed-3164511441
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3164511441
 revocation-check none
 rsakeypair TP-self-signed-3164511441
!
!
crypto pki certificate chain TP-self-signed-3164511441
 certificate self-signed 02
  30820250 308201B9 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33313634 35313134 3431301E 170D3039 31313035 3137323
  ...
        quit
!
!
username xxxxxxxxx privilege 15 password 0 xxxxxxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 195.14.x1.x2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 195.14.x1.x2
 set transform-set ESP-3DES-SHA1
 match address 102
!
!
!
!
!
interface FastEthernet0/0
 description $FW_INSIDE$$ETH-WAN$
 ip address 77.241.xx.xx 255.255.xxx.xxx
 no ip unreachables
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no keepalive
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description $ETH-LAN$
 ip address 10.103.3.1 255.255.255.0
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1200
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no ip unreachables
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
ip route 0.0.0.0 0.0.0.0 77.241.xx.xx
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.103.3.230 9100 interface FastEthernet0/0 9113
ip nat inside source static tcp 10.103.3.48 9100 interface FastEthernet0/0 9112
ip nat inside source static tcp 10.103.3.22 9100 interface FastEthernet0/0 9110
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.103.3.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.103.3.0 0.0.0.255 10.103.2.0 0.0.0.255 log
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 77.241.xx.xx 0.0.0.3 10.103.2.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.103.3.0 0.0.0.255 10.103.2.0 0.0.0.255 log
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.103.3.0 0.0.0.255 10.103.2.0 0.0.0.255
access-list 101 permit ip 10.103.3.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.103.3.0 0.0.0.255 10.103.2.0 0.0.0.255 log
access-list 102 remark IPSec Rule
access-list 102 permit ip 77.241.xx.xx 0.0.0.3 10.103.2.0 0.0.0.255
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
control-plane
!
!
scheduler allocate 20000 1000
!
end

######################################################

Main router's config (the router behind which that page is):

####################################################

Current configuration : 7646 bytes
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname nnlt02gw01
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.103.2.1 10.103.2.60
ip dhcp excluded-address 10.103.2.201 10.103.2.220
ip dhcp excluded-address 10.103.2.222 10.103.2.254
!
ip dhcp pool sdm-pool1
   network 10.103.2.0 255.255.255.0
   default-router 10.103.2.1
   dns-server 10.103.2.207
!
ip dhcp pool thhd
   host 10.103.2.221 255.255.255.0
   hardware-address 000e.35d6.ba27 ieee802
   dns-server 10.103.2.207
!
ip dhcp pool TVMS2
   host 10.103.2.56 255.255.255.0
   hardware-address 0015.5d0a.0228
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name nordnet.ee
ip name-server 10.103.2.207
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2855221100
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2855221100
 revocation-check none
 rsakeypair TP-self-signed-2855221100
!
!
crypto pki certificate chain TP-self-signed-2855221100
 certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  32313130 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  ...
        quit
!
!
username xxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxx
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxx address 195.14.xa.xs
crypto isakmp key xxxxxx address 77.241.xc.xv
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to195.14.xa.xs
 set peer 195.14.xa.xs
 set transform-set ESP-3DES-SHA1
 match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to77.24.xc.xv
 set peer 77.241.xc.xv
 set transform-set ESP-3DES-SHA1
 match address 104
!
!
!
!
!
!
interface Tunnel1
 bandwidth 5120
 ip address 10.100.253.10 255.255.255.0
 ip mtu 1400
 ip nhrp authentication rv02-csc
 ip nhrp map 10.100.253.1 77.240.aa.bb
 ip nhrp network-id 10202
 ip nhrp holdtime 360
 ip nhrp nhs 10.100.253.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet0/0
 tunnel destination 195.14.xa.xs
 tunnel key 10202
 tunnel path-mtu-discovery
!
interface FastEthernet0/0
 description CSC Telecom$ETH-WAN$
 ip address 195.14.xx.xx 255.255.255.252
 ip mtu 1400
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no keepalive
 crypto map SDM_CMAP_1
 crypto ipsec df-bit clear
!
interface FastEthernet0/1
 description $ETH-LAN$
 ip address 10.103.2.1 255.255.255.0
 ip mtu 1400
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1200
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
router eigrp 10
 network 10.100.253.0 0.0.0.255
 network 10.103.2.0 0.0.0.255
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 195.14.dd.cc
ip route 77.240.aa.bb 255.255.255.255 195.14.dd.cc
ip route 195.14.xa.xs 255.255.255.255 195.14.dd.cc
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp 10.103.2.212 80 interface FastEthernet0/0 80
ip nat inside source static tcp 10.103.2.214 443 interface FastEthernet0/0 443
ip nat inside source static tcp 10.103.2.244 80 interface FastEthernet0/0 5902
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.103.2.216 80 195.14.167.150 8080 extendable
!
ip access-list extended ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended GRE
 remark SDM_ACL Category=1
 permit gre any any
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.103.2.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.103.2.0 0.0.0.255 10.103.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.103.2.0 0.0.0.255 10.103.3.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.103.2.0 0.0.0.255 10.103.1.0 0.0.0.255
access-list 101 permit ip 10.103.2.0 0.0.0.255 any
access-list 101 permit ip 10.103.2.0 0.0.0.255 10.103.1.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.103.2.0 0.0.0.255 10.103.1.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.103.2.0 0.0.0.255 10.103.3.0 0.0.0.255
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.103.2.0 0.0.0.255 10.103.3.0 0.0.0.255
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
control-plane
!
!
xxxxxx
!
scheduler allocate 20000 1000
ntp clock-period 17179750
ntp peer 212.47.217.197
!
end

Unfortunately since it's static PAT instead of static NAT, you can't use the internal IP when accessing it via site-to-site VPN.

Is there a way to change it, but also keep the public ports open to the specified local addresses?

Do you have a spare public IP that can be used?

If you do, then you can do static NAT instead of static PAT. When you configure static NAT, as advised earlier, you can configure a route-map to exempt the traffic between the 2 LAN subnets from being NATed to the public IP.

If you don't have a spare public IP, then there is no other way except to use the public IP to access it.
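The static-NAT-plus-route-map form that Jennifer recommends in her first reply and again here, written out against the main router's config posted above. This is an added example, not configuration from the thread or from Cisco: 203.0.113.10 stands in for the spare public address the thread does not have, and the ACL and route-map names are my own. The dynamic PAT is already exempted for VPN traffic by the deny entries in access-list 101; the port-level static entries have no such exemption, so replies from 10.103.2.212 port 80 toward 10.103.3.0/24 have their source rewritten to the public address before the crypto map evaluates them, which is why ping works (a TCP-port entry leaves ICMP alone) and HTTP does not.

```cisco
! Added example, not from the thread. 203.0.113.10 is a placeholder for the
! spare public IP; names WEB-STATIC-NAT are assumptions.
!
! Traffic that matches a "deny" entry here does not match the route-map
! clause, so NAT is skipped for it. Everything else from the server is
! translated as before.
ip access-list extended WEB-STATIC-NAT
 remark skip NAT toward the VPN-connected LANs (crypto ACLs 102/104)
 deny   ip host 10.103.2.212 10.103.3.0 0.0.0.255
 deny   ip host 10.103.2.212 10.103.1.0 0.0.0.255
 remark translate the server's Internet-bound traffic
 permit ip host 10.103.2.212 any
!
route-map WEB-STATIC-NAT permit 10
 match ip address WEB-STATIC-NAT
!
! Replace the port-level static PAT entry with a one-to-one static NAT that
! carries the route-map (route-map is only accepted on the one-to-one form).
no ip nat inside source static tcp 10.103.2.212 80 interface FastEthernet0/0 80
ip nat inside source static 10.103.2.212 203.0.113.10 route-map WEB-STATIC-NAT
```

After the change, `show ip nat translations` should list the Internet-bound sessions of 10.103.2.212 but none toward 10.103.3.0/24, and `show route-map WEB-STATIC-NAT` shows the match counter increasing. Because a one-to-one static NAT exposes every port of the server at 203.0.113.10 rather than only port 80, restrict the public address with an inbound ACL on FastEthernet0/0 rather than relying on the former port-level mapping to limit exposure.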

Unfortunately we do not have a spare public IP. No more ideas? (route-map, access-list, ...)

Possibly policy-based routing to a loopback interface that does not have "ip nat inside" for traffic between the 2 LANs. If it gets routed to an interface that does not have "ip nat inside" then it will not get NATed.

I believe that should work. But I have never tested this before.
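The loopback idea in the reply above, spelled out against the main router's config, as an added example that is not from the thread (the responder says it is untested, and so is this). Inside-to-outside NAT on IOS happens after the routing decision, so policy-routing the LAN-to-LAN traffic out a loopback that carries no "ip nat inside" means that when the packet is looped back and routed again toward FastEthernet0/0, it no longer arrives from a NAT-inside interface and the static PAT entries are not applied. The loopback address, ACL and route-map names are assumptions.

```cisco
! Added example, not from the thread. Loopback0's address and the names
! LAN-TO-VPN / NAT-BYPASS are assumptions.
!
! A loopback with no "ip nat inside" or "ip nat outside" statement.
interface Loopback0
 description NAT bypass for LAN-to-LAN VPN traffic
 ip address 10.255.255.1 255.255.255.255
!
! Only the traffic that the crypto ACLs 102/104 carry over the tunnels.
ip access-list extended LAN-TO-VPN
 permit ip 10.103.2.0 0.0.0.255 10.103.3.0 0.0.0.255
 permit ip 10.103.2.0 0.0.0.255 10.103.1.0 0.0.0.255
!
! Matching packets are sent out Loopback0; everything else falls through
! to normal routing (no "set" for non-matching traffic).
route-map NAT-BYPASS permit 10
 match ip address LAN-TO-VPN
 set interface Loopback0
!
! Applied on the LAN interface, where the server's replies enter.
interface FastEthernet0/1
 ip policy route-map NAT-BYPASS
```

To confirm the bypass is doing what the reply expects, `show route-map NAT-BYPASS` should show policy matches for the LAN-to-LAN flows, `show ip nat translations` should stop showing entries with 10.103.3.x or 10.103.1.x as the destination, and `show crypto ipsec sa` should show the encapsulated packet counters for the 10.103.2.0/24 to 10.103.3.0/24 SA rising while the browser test runs. The unchanged dynamic PAT exemption in access-list 101 still covers the rest of the LAN; this only addresses the hosts behind static PAT entries.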