EasyVPN remote access - overlapping subnets

Flanger23
Level 1

Hello everyone.

During the COVID-19 VPN madness, I'm stuck with EasyVPN for one customer and can't figure out how to solve the overlapping subnet problem.

They have a Cisco 2801 (SEC/K9) and I've configured a split tunnel with the Cisco VPN Client software for remote users. I know this software has been unsupported for quite some time already, but it still works fine and is the only option at this moment. My concern is that their local network 192.168.1.0/24 may overlap with a lot of remote users' consumer network devices, as they're often configured with the very same subnet for their LAN segments as well.

We can't change the LAN addressing, so I'm trying to implement some sort of static 1:1 network NAT mapping to send a fake network route to users and then NAT their incoming traffic to the real one. A generic static NAT statement works, but it also ruins PAT/overload for the Internet (the static mapping translation is used for Internet-bound traffic as well). Is there any possibility of making some sort of conditional static network mapping based on source IP or L3 interface, or maybe EasyVPN has some built-in solution for that?

I know route-maps can be added to a static NAT host-to-host mapping, but they are not available for the ip nat inside source static network command.

 

Here is the relevant configuration, it is very straight forward anyway:

interface Loopback1
 description LO FOR VPN
 ip address 10.10.90.1 255.255.255.0
!
interface Virtual-Template5 type tunnel
 description VPN L3 TERMINATOR
 ip unnumbered Loopback1
 ip nat inside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
ip local pool IPSEC_VPN_POOL 10.10.90.2 10.10.90.254
!
ip access-list extended IPSEC_VPN_INSERT_ROUTE
 permit ip 192.168.1.0 0.0.0.255 any
!
interface FastEthernet0/1
 description USER LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0
 description INTERNET
 ip address 198.51.100.26 255.255.255.252
 ip nat outside
!
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NAT permit 10
 match ip address NAT
 match interface FastEthernet0/0
!
ip nat inside source route-map NAT interface FastEthernet0/0 overload

 

Accepted Solution

Cristian Matei
VIP Alumni

Hi,

 

How many IP addresses/hosts from the 192.168.1.0/24 subnet actually need to be reachable by the VPN users, and thus need to be translated? If you don't attach a route-map (policy static NAT) to your static NAT config in order to specify for which destinations this NAT is usable, the static NAT exists in the NAT table and is usable for all destinations, and thus will always override the overload configuration, so you'll never be able to access the Internet.

You would need to configure a one-to-one mapping for each host which needs to be reachable by the VPN users, and attach a route-map to that. The config will be like:

 

ip access-list extended NAT_FOR_VPN
 permit ip 192.168.1.0 0.0.0.255 10.10.90.0 0.0.0.255
!
route-map NAT_FOR_VPN
 match ip address NAT_FOR_VPN
!
ip access-list extended NAT_FOR_INTERNET
 deny ip 192.168.1.0 0.0.0.255 10.10.90.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NAT_FOR_INTERNET
 match ip address NAT_FOR_INTERNET
!
ip nat inside source static 192.168.1.100 192.168.43.100 route-map NAT_FOR_VPN reversible
ip nat inside source static 192.168.1.120 192.168.43.120 route-map NAT_FOR_VPN reversible
ip nat inside source static 192.168.1.150 192.168.43.150 route-map NAT_FOR_VPN reversible
ip nat inside source static 192.168.1.190 192.168.43.190 route-map NAT_FOR_VPN reversible
!
ip nat inside source route-map NAT_FOR_INTERNET interface FastEthernet0/0 overload

 

Regards,

Cristian Matei.

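As an added illustration (not part of the thread and not IOS code), here is a small Python model of how the NAT rules in the accepted answer select a translation: an unconditional static entry wins for every destination, while the route-map version only applies when the packet is headed for the VPN pool, so Internet-bound traffic falls through to PAT. The Internet destination 203.0.113.10 and the VPN client address 10.10.90.7 are constructed sample values; the rest comes from the thread.

```python
# Added example: model of IOS inside-source NAT rule selection for the thread's scenario.
import ipaddress

def acl_permits(acl, src, dst):
    """Evaluate an extended ACL given as (action, src_net, dst_net) entries; implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False

def translate(src, dst, static_rules, overload_acl, outside_ip):
    """Return the translated source for an inside->outside packet.
    static_rules: (local_ip, global_ip, policy_acl_or_None). A static entry beats the
    dynamic overload rule, but only if its policy ACL (when present) permits the packet."""
    for local_ip, global_ip, acl in static_rules:
        if src == local_ip and (acl is None or acl_permits(acl, src, dst)):
            return global_ip
    if acl_permits(overload_acl, src, dst):
        return outside_ip          # PAT behind the WAN interface address
    return src                     # no translation at all

ANY = "0.0.0.0/0"
LAN, VPN_POOL, WAN_IP = "192.168.1.0/24", "10.10.90.0/24", "198.51.100.26"
NAT_ORIGINAL = [("permit", LAN, ANY)]                                   # poster's ACL "NAT"
NAT_FOR_VPN = [("permit", LAN, VPN_POOL)]
NAT_FOR_INTERNET = [("deny", LAN, VPN_POOL), ("permit", LAN, ANY)]

# Poster's broken state: static mapping with no route-map attached
broken = [("192.168.1.100", "192.168.43.100", None)]
# Accepted answer: the same mapping, confined by the NAT_FOR_VPN route-map
fixed = [("192.168.1.100", "192.168.43.100", NAT_FOR_VPN)]

def internet_source(rules, overload_acl):
    """Source address seen by the ISP for 192.168.1.100 -> 203.0.113.10 (constructed)."""
    return translate("192.168.1.100", "203.0.113.10", rules, overload_acl, WAN_IP)

def vpn_source(rules, overload_acl):
    """Source address seen by VPN client 10.10.90.7 (constructed) for 192.168.1.100."""
    return translate("192.168.1.100", "10.10.90.7", rules, overload_acl, WAN_IP)

if __name__ == "__main__":
    print("broken, to Internet:", internet_source(broken, NAT_ORIGINAL))   # 192.168.43.100, ISP drops it
    print("fixed,  to Internet:", internet_source(fixed, NAT_FOR_INTERNET))  # 198.51.100.26 (PAT)
    print("fixed,  to VPN user:", vpn_source(fixed, NAT_FOR_INTERNET))       # 192.168.43.100 (1:1)
```

Hosts without a static entry are left untranslated toward the VPN pool because NAT_FOR_INTERNET denies that destination, which is why each host that VPN users must reach needs its own mapping.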
5 Replies

parviz
Level 1

!
crypto isakmp client configuration group EZVPN
 ...
 acl EZVPN_ACL
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
### This interface Loopback1 and its address are used for NAT ###
!
interface Loopback1
 ip address 10.10.10.10 255.255.255.255
 ip nat outside
!
interface FastEthernet0/0
 ip address 198.51.100.26 255.255.255.252
 ip nat outside
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ...
!
ip local pool EZVPN 10.10.90.1 10.10.90.100
!
### You can use whatever inside IP address you want and insert as many static NATs as you want; this one is an example ###
!
ip nat inside source static tcp 192.168.1.100 80 interface Loopback1 8080
!
### This ACL is for accessing your inside network through NAT ###
!
ip access-list extended EZVPN_ACL
 permit ip host 10.10.10.10 any
!
end

Hello, thanks for the reply.

Your provided configuration is forwarding ports, while I need a static 1:1 NAT mapping for the whole /24. For example, I can send a fake subnet 192.168.43.0/24 to remote users (so it does not overlap with their LAN) and then map it to the real 192.168.1.0/24 via ip nat inside source static network 192.168.1.0 192.168.43.0 255.255.255.0. This actually works: translations are created and users are able to access devices, but at the same time PAT (overload on their WAN interface) stops working. Instead of overloading traffic destined for the Internet, the router uses the static 1:1 translation for that as well. Naturally the ISP drops traffic sourced from 192.168.43.0/24 and the Internet in their office dies.

Hi,

I sent you the static NAT as an example; actually you can use 1:1 like this:

ip nat inside source static 192.168.1.1 10.10.10.10
or
ip nat inside source static 192.168.1.1 interface Loopback1

(this will map all traffic, not a specific port)

If you want to use the whole network for NAT, this is not static NAT, this is dynamic NAT.

If you are sending the remote network private IP addressing different from their internal network, this traffic can't be routed through their network or NATted. It's impossible. Route this traffic only through the tunnel.

Thank you for the reply, Cristian. I feared one-to-one host mappings would be the only workaround and hoped EasyVPN might have some other solution for that.

They have very random address allocations. Some hosts are from the first /27, then some more hosts mid-subnet, servers from the last /26 and so on. I guess I will settle for specific routes, as I fear the router may chug with 254 manual mappings and route-map conditions :)