10-07-2013 05:56 AM
We are on a 3825 router which has a router-to-router VPN (GRE tunnel over IPSec) to remote subnet: 10.250.250.0 255.255.255.0
We want to allow NAT for that subnet. Here is the tunnel:
interface Tunnel3
ip unnumbered Loopback0
ip mtu 1416
tunnel source 195.251.25.226
tunnel destination 94.143.177.220
!
interface Loopback0
ip address 195.251.204.254 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ipv6 address 2001:648:2011:8020::1/64
ipv6 enable
!
ip route 10.250.250.0 255.255.255.0 Tunnel3
!
interface GigabitEthernet0/0.500
description Main_Link_to_ISP
encapsulation dot1Q 500
ip address 195.251.25.226 255.255.255.252
...
crypto map vpn
!
crypto map vpn 100 ...
crypto map vpn 150 ...
...
crypto map vpn 160 ipsec-isakmp
set peer ...
set transform-set vpnc
match address Crypto-list
On the router, there are other interfaces with public addresses too.
Please advise on how to allow NAT so that the network 10.250.250.0 255.255.255.0 can access the Internet.
Regards,
Nick
10-07-2013 07:02 AM
Will the Branch go over the tunnel to get a connection to the internet? The Branch already has an internet connection, so my solution is that the LAN traffic goes over the tunnel and the normal internet traffic goes directly over the Branch ISP to the internet.
What is your favorite solution?
Greets
10-07-2013 09:53 AM
Thanks for replying.
> The Branch will go over the tunnel to get connection to the internet?
Yes. In fact it is a set of wireless (mobile) devices (data loggers) sending data to our network, but they are now required to send data to some server on the Internet as well.
> The Branch already has an internet connection, so my solution is that the LAN traffic goes over the tunnel and the normal internet traffic goes directly over the Branch ISP to the internet...?
No, this is not feasible in our case. The mobile operator provides this private subnet, VPN'd to our router and that's all. If we need Internet access, it must be through our own router.
That's why we want to NAT the remote subnet on our side.
So, any howto would be appreciated. We can NAT our LANs, but there should be some trick to NAT the VPN'd subnet. I tried to use the nat command on the Tunnel3 interface, but it's not available.
Best regards,
Nick
06-30-2015 01:27 AM
The setup worked correctly after we changed the configuration as follows:
access-list 7 permit 10.250.250.0 0.0.0.255
!
ip nat pool ovrld 195.251.xxx.xxx 195.251.xxx.xxx prefix-length 25
!
ip nat inside source list 7 pool ovrld overload
So, we did not overload on the external interface, but used a separate public address pool.
Nick
01-06-2014 04:04 AM
Hi, I am returning to this thread after a while as I have found no final solution.
NAT seems to be working but not as I expect (please see end of message for details on behavior).
I must be doing something wrong.
Here is our current setup:
crypto map vpn 150 ipsec-isakmp
...
crypto map vpn 160 ipsec-isakmp
set peer 62.103.xxx.xxx
set transform-set vpnc
match address Crypto-list-c1
...
crypto isakmp key xxxxxxxx address 62.103.xxx.xxx no-xauth
...
interface Tunnel3
ip unnumbered Loopback0
ip mtu 1416
ip nat inside <---------- *****
ip virtual-reassembly
tunnel source 195.251.25.226 (this is our border router interface to our Internet ISP)
tunnel destination 94.143.177.220 (this is the peer connection to the VPN'd Wireless network)
interface Loopback0
ip address 195.251.204.254 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ipv6 address 2001:648:2011:8020::1/64
ipv6 enable
interface FastEthernet2/1.1
encapsulation dot1Q 1 native
ip address 192.168.20.1 255.255.255.0 secondary
ip address 194.177.194.129 255.255.255.128 secondary
ip address 194.177.194.1 255.255.255.128
ip access-group 130 in
ip access-group 131 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside <---------- *****
ip virtual-reassembly
ipv6 address 2001:648:2011:8002::1/64
ipv6 enable
ipv6 flow ingress
ip nat inside source list CAPN interface FastEthernet2/1.1 overload
!
ip access-list extended CAPN
permit ip 10.250.250.0 0.0.0.255 any
ip access-list extended Crypto-list-c1
permit ip host 195.251.25.226 host 94.143.177.220
access-list 130 permit ip 194.177.194.0 0.0.0.127 any
access-list 130 permit ip 194.177.194.128 0.0.0.127 any
access-list 130 permit tcp any any established
access-list 130 deny ip any any log
access-list 131 permit ip any 194.177.194.0 0.0.0.127
access-list 131 permit ip any 194.177.194.128 0.0.0.127
access-list 131 deny ip any any log
...
ip route 10.250.250.0 255.255.255.0 Tunnel3
...
The VPN works OK; however, NAT is used when 10.250.250.x/24 addresses are visited from 194.177.194.x/24.
However, since 194.177.194.0/24 is hosted on the same router, I don't want this to happen. I want such addresses to be able to access the 10.250.250.0/24 network directly and not via NAT.
Strangely (to me), I can ping 10.250.250.x/24 from 194.177.194.x/24 but I cannot telnet (on port 30001), while another public subnet, hosted on the same router (on int Fa2/0.1) can successfully ping AND telnet to 10.250.250.x/24. This other subnet does not seem to be using NAT (no NAT translations appear for that subnet addresses).
In short, I would want NAT to be used so that 10.250.250.x/24 can communicate with outer IP Addresses and not with directly connected (on the same router) subnets.
Can anyone please explain what is happening and what I am doing wrong?
For reference:
#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
tcp 194.177.194.1:3 10.250.250.2:23 194.177.194.132:11265 194.177.194.132:11265
icmp 194.177.194.1:1847 10.250.250.2:1847 194.177.194.132:1847 194.177.194.132:1847
icmp 194.177.194.1:1848 10.250.250.2:1848 194.177.194.132:1848 194.177.194.132:1848
icmp 194.177.194.1:1849 10.250.250.2:1849 194.177.194.132:1849 194.177.194.132:1849
icmp 194.177.194.1:1850 10.250.250.2:1850 194.177.194.132:1850 194.177.194.132:1850
icmp 194.177.194.1:1851 10.250.250.2:1851 194.177.194.132:1851 194.177.194.132:1851
icmp 194.177.194.1:2420 10.250.250.2:2420 194.177.194.132:2420 194.177.194.132:2420
icmp 194.177.194.1:2421 10.250.250.2:2421 194.177.194.132:2421 194.177.194.132:2421
icmp 194.177.194.1:2422 10.250.250.2:2422 194.177.194.132:2422 194.177.194.132:2422
icmp 194.177.194.1:2423 10.250.250.2:2423 194.177.194.132:2423 194.177.194.132:2423
icmp 194.177.194.1:2424 10.250.250.2:2424 194.177.194.132:2424 194.177.194.132:2424
icmp 194.177.194.1:6478 10.250.250.2:6478 194.177.194.132:6478 194.177.194.132:6478
icmp 194.177.194.1:6479 10.250.250.2:6479 194.177.194.132:6479 194.177.194.132:6479
icmp 194.177.194.1:6480 10.250.250.2:6480 194.177.194.132:6480 194.177.194.132:6480
icmp 194.177.194.1:6481 10.250.250.2:6481 194.177.194.132:6481 194.177.194.132:6481
tcp 194.177.194.1:30001 10.250.250.2:30001 194.177.194.103:51001 194.177.194.103:51001
tcp 194.177.194.1:30001 10.250.250.2:30001 194.177.194.134:56833 194.177.194.134:56833
tcp 194.177.194.1:62303 10.250.250.2:62303 194.177.194.103:80 194.177.194.103:80
tcp 194.177.194.1:62374 10.250.250.2:62374 194.177.194.103:80 194.177.194.103:80
tcp 194.177.194.1:62903 10.250.250.2:62903 194.177.194.103:80 194.177.194.103:80
tcp 194.177.194.1:65199 10.250.250.2:65199 194.177.194.103:80 194.177.194.103:80
I appreciate any assistance.
Thanks in advance,
Nick
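The behaviour described above follows from the posted configuration: Fa2/1.1 is `ip nat outside` and list CAPN permits any destination, so replies from 10.250.250.x to hosts on Fa2/1.1 are translated too, which is what the translation table shows (inside local 10.250.250.2, outside global 194.177.194.132). The following is an added configuration example, not from the thread or from Cisco; it assumes the interfaces and subnets shown in the 01-06-2014 post and uses placeholders for the public pool addresses.

```cisco
! Added example. Assumes Tunnel3 = ip nat inside, FastEthernet2/1.1 = ip nat outside,
! with 194.177.194.0/24 and 192.168.20.0/24 attached to Fa2/1.1 as posted.
!
! --- As posted: every packet from the tunnel subnet that leaves via a
! --- "nat outside" interface is translated, including packets (and TCP replies)
! --- destined for the router's own LANs on Fa2/1.1.
! ip access-list extended CAPN
!  permit ip 10.250.250.0 0.0.0.255 any
!
! --- Corrected: exempt the locally attached subnets first, then translate the rest.
! --- In a NAT ACL, a deny entry means "do not translate", not "drop".
ip access-list extended CAPN
 deny   ip 10.250.250.0 0.0.0.255 194.177.194.0 0.0.0.255
 deny   ip 10.250.250.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 10.250.250.0 0.0.0.255 any
!
! Either translation statement works with the corrected list: overload on the
! interface address (as in the 01-06-2014 post) ...
ip nat inside source list CAPN interface FastEthernet2/1.1 overload
!
! ... or a dedicated public pool (as in the 06-30-2015 post; addresses are placeholders).
! ip nat pool ovrld <PUBLIC-START> <PUBLIC-END> prefix-length 25
! ip nat inside source list CAPN pool ovrld overload
!
! Verification: after clearing the dynamic entries, sessions between
! 194.177.194.x and 10.250.250.x should create no translation entries, and a TCP
! connection to 10.250.250.2 port 30001 completes because the SYN-ACK now returns
! from 10.250.250.2 rather than from 194.177.194.1.
! clear ip nat translation *
! show ip nat translations | include 194.177.194
! show ip nat statistics
```

Traffic from a directly attached subnet on an interface without `ip nat outside` is never translated, which matches the observation that the Fa2/0.1 subnet shows no translation entries.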