04-05-2020 01:54 PM - edited 04-05-2020 01:55 PM
Hello everyone.
During the COVID-19 VPN madness, I'm stuck with EasyVPN for one customer and can't figure out how to solve an overlapping-subnet problem.
They have a Cisco 2801 (SEC/K9) and I've configured a split tunnel with the Cisco VPN Client software for remote users. I know this software has been unsupported for quite some time already, but it still works fine and is the only option at the moment. My concern is that their local network, 192.168.1.0/24, may overlap with a lot of remote users' consumer network devices, as those are often configured with the very same subnet for their LAN segments.
We can't change the LAN addressing, so I'm trying to implement some sort of static 1:1 network NAT mapping: send a fake network route to the users and then NAT their incoming traffic to the real one. A generic static NAT statement works, but it also ruins PAT/overload for the Internet (the static mapping translation is used for Internet-bound traffic as well). Is there any possibility of some sort of conditional static network mapping based on source IP or L3 interface, or maybe EasyVPN has some built-in solution for that?
I know route-maps can be added to a static host-to-host NAT mapping, but that is not available for the ip nat inside source static network command.
Here is the relevant configuration; it is very straightforward anyway:
interface Loopback1
 description LO FOR VPN
 ip address 10.10.90.1 255.255.255.0
!
interface Virtual-Template5 type tunnel
 description VPN L3 TERMINATOR
 ip unnumbered Loopback1
 ip nat inside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
ip local pool IPSEC_VPN_POOL 10.10.90.2 10.10.90.254
!
ip access-list extended IPSEC_VPN_INSERT_ROUTE
 permit ip 192.168.1.0 0.0.0.255 any
!
interface FastEthernet0/1
 description USER LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0
 description INTERNET
 ip address 198.51.100.26 255.255.255.252
 ip nat outside
!
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NAT permit 10
 match ip address NAT
 match interface FastEthernet0/0
!
ip nat inside source route-map NAT interface FastEthernet0/0 overload
04-06-2020 03:13 AM
!
crypto isakmp client configuration group EZVPN
...
acl EZVPN_ACL
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
### This interface loopback1 and address for NAT ###
!
interface Loopback1
ip address 10.10.10.10 255.255.255.255
ip nat outside
!
interface FastEthernet0/0
ip address 198.51.100.26 255.255.255.252
ip nat outside
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
tunnel mode ipsec ipv4
tunnel protection ipsec profile ...
!
ip local pool EZVPN 10.10.90.1 10.10.90.100
!
### You can use inside IP address whatever you want and insert static nat how many you want, this one for example ###
!
ip nat inside source static tcp 192.168.1.100 80 interface Loopback1 8080
!
### This acl for accessing your inside network thru NAT ###
!
ip access-list extended EZVPN_ACL
permit ip host 10.10.10.10 any
!
end
04-06-2020 03:43 AM
Hello, thanks for the reply.
Your provided configuration is forwarding ports, while I need a static 1:1 NAT mapping for the whole /24. For example, I can send a fake subnet 192.168.43.0/24 to remote users (so it does not overlap with their LAN) and then map it to the real 192.168.1.0/24 via ip nat inside source static network 192.168.1.0 192.168.43.0 255.255.255.0. This actually works: translations are created and users are able to access devices, but at the same time PAT (overload on their WAN interface) stops working. Instead of overloading traffic destined to the Internet, the router uses the static 1:1 translation for that as well. Naturally the ISP drops traffic sourced from 192.168.43.0/24 and the Internet in their office dies.
04-06-2020 04:12 AM
Hi,
I sent you the static NAT as an example; actually you can use 1:1 like this:
ip nat inside source static 192.168.1.1 10.10.10.10 (or interface Loopback1; this will map all traffic, not a specific port)
If you want to use a whole network for NAT, this is not static NAT, this is dynamic NAT.
If you are sending the remote network private IP addressing that differs from their internal network, this traffic can't be routed through their network or NATted. It's impossible. The route for this traffic is only through the tunnel.
04-06-2020 05:02 AM
Hi,
How many IP addresses/hosts from the 192.168.1.0/24 subnet actually need to be reachable by the VPN users, and thus need to be translated? If you don't attach a route-map (policy static NAT) to your static NAT config in order to specify for which destinations this NAT is usable, the static NAT exists in the NAT table and is usable for all destinations, and thus will always override the overload configuration, so you'll never be able to access the Internet.
You would need to configure a one-to-one mapping for each host which needs to be reachable by the VPN users, and attach a route-map to that. Config will be like:
ip access-list extended NAT_FOR_VPN
permit ip 192.168.1.0 0.0.0.255 10.10.90.0 0.0.0.255
!
route-map NAT_FOR_VPN
match ip address NAT_FOR_VPN
!
ip access-list extended NAT_FOR_INTERNET
deny ip 192.168.1.0 0.0.0.255 10.10.90.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
route-map NAT_FOR_INTERNET
match ip address NAT_FOR_INTERNET
!
ip nat inside source static 192.168.1.100 192.168.43.100 route-map NAT_FOR_VPN reversible
ip nat inside source static 192.168.1.120 192.168.43.120 route-map NAT_FOR_VPN reversible
ip nat inside source static 192.168.1.150 192.168.43.150 route-map NAT_FOR_VPN reversible
ip nat inside source static 192.168.1.190 192.168.43.190 route-map NAT_FOR_VPN reversible
!
ip nat inside source route-map NAT_FOR_INTERNET interface FastEthernet0/0 overload
Regards,
Cristian Matei.
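As an added illustration that is not part of the thread, the following Python script models the NAT rule selection Cristian describes (a static entry whose route-map ACL permits the flow wins over the dynamic overload rule) and contrasts the OP's unconditional 1:1 mapping with the accepted answer's destination-restricted one. The IOS behaviour is simplified to exactly that ordering; the four host octets are taken from the answer above, and the helper names and the "untranslated" label are this example's own. The script also emits the per-host static lines for an arbitrary host list and checks that the fake subnet does not collide with the real LAN or the VPN pool.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Addressing from the thread; HOSTS is the constructed sample from the answer.
LAN = ip_network("192.168.1.0/24")        # real office LAN
FAKE = ip_network("192.168.43.0/24")      # subnet advertised to VPN users
VPN_POOL = ip_network("10.10.90.0/24")    # IPSEC_VPN_POOL
WAN_IP = ip_address("198.51.100.26")      # FastEthernet0/0
ANY = ip_network("0.0.0.0/0")
HOSTS = [100, 120, 150, 190]


@dataclass
class Ace:
    """One extended ACL entry: permit/deny <src> <dst>."""
    permit: bool
    src: IPv4Network
    dst: IPv4Network


def acl_permits(acl: List[Ace], src: IPv4Address, dst: IPv4Address) -> bool:
    """First-match semantics with the implicit deny at the end."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.permit
    return False


@dataclass
class StaticNat:
    inside_local: IPv4Address
    inside_global: IPv4Address
    route_map_acl: Optional[List[Ace]]   # None = unconditional static entry


@dataclass
class Overload:
    route_map_acl: List[Ace]
    interface_ip: IPv4Address


def translate(src: IPv4Address, dst: IPv4Address,
              statics: List[StaticNat], overload: Overload) -> Tuple[str, str]:
    """Simplified IOS inside-source NAT (assumption of this model): a static
    entry whose route-map permits the flow is used first; otherwise the
    dynamic overload rule applies; otherwise the packet leaves untranslated."""
    for s in statics:
        if src == s.inside_local and (
            s.route_map_acl is None or acl_permits(s.route_map_acl, src, dst)
        ):
            return str(s.inside_global), "static"
    if acl_permits(overload.route_map_acl, src, dst):
        return str(overload.interface_ip), "overload"
    return str(src), "untranslated"


def fake_for(host: IPv4Address) -> IPv4Address:
    """Map 192.168.1.X to 192.168.43.X: keep the host bits, swap the prefix."""
    return FAKE.network_address + (int(host) - int(LAN.network_address))


# What the OP tried: unconditional 1:1 entries plus overload on the WAN.
UNCONDITIONAL = [StaticNat(LAN.network_address + h, fake_for(LAN.network_address + h), None)
                 for h in HOSTS]
INTERNET_ANY = Overload([Ace(True, LAN, ANY)], WAN_IP)

# Accepted answer: statics limited to VPN destinations, overload ACL that
# excludes the VPN pool so the two rules can never claim the same flow.
NAT_FOR_VPN = [Ace(True, LAN, VPN_POOL)]
NAT_FOR_INTERNET = [Ace(False, LAN, VPN_POOL), Ace(True, LAN, ANY)]
CONDITIONAL = [StaticNat(LAN.network_address + h, fake_for(LAN.network_address + h), NAT_FOR_VPN)
               for h in HOSTS]
INTERNET_ONLY = Overload(NAT_FOR_INTERNET, WAN_IP)


def op_config(src: str, dst: str) -> Tuple[str, str]:
    return translate(ip_address(src), ip_address(dst), UNCONDITIONAL, INTERNET_ANY)


def accepted_config(src: str, dst: str) -> Tuple[str, str]:
    return translate(ip_address(src), ip_address(dst), CONDITIONAL, INTERNET_ONLY)


def check_addressing() -> List[str]:
    """Sanity checks to run before pushing the config; empty list means OK."""
    problems = []
    if FAKE.overlaps(LAN):
        problems.append("fake subnet overlaps the real LAN")
    if FAKE.overlaps(VPN_POOL):
        problems.append("fake subnet overlaps the VPN pool")
    if FAKE.prefixlen != LAN.prefixlen:
        problems.append("fake and real subnets must be the same size for 1:1")
    return problems


def static_nat_lines(hosts: List[int]) -> List[str]:
    """Emit the per-host lines from the accepted answer for any host list."""
    return [
        f"ip nat inside source static {LAN.network_address + h} "
        f"{fake_for(LAN.network_address + h)} route-map NAT_FOR_VPN reversible"
        for h in hosts
    ]


if __name__ == "__main__":
    print(op_config("192.168.1.100", "8.8.8.8"))            # ('192.168.43.100', 'static')
    print(accepted_config("192.168.1.100", "8.8.8.8"))      # ('198.51.100.26', 'overload')
    print(accepted_config("192.168.1.100", "10.10.90.7"))   # ('192.168.43.100', 'static')
    print(accepted_config("192.168.1.50", "10.10.90.7"))    # ('192.168.1.50', 'untranslated')
    print(check_addressing())
    print("\n".join(static_nat_lines(HOSTS)))
```

The last case is the caveat worth noticing: a LAN host with no static entry (192.168.1.50 here) is excluded from the overload rule by the deny line and enters the tunnel with its real address, which is exactly the address that may collide with a remote user's home LAN. Every host VPN users must reach therefore needs its own static line, which is why the generator exists.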
04-06-2020 09:21 AM