1058 Views, 0 Helpful, 4 Replies

IPsec overlapping networks with NAT overload to the internet

stlourenco
Level 1

Hello, guys.

I have a doubt regarding a scenario that I built in Unet Lab.

In the image I have 2 sites in a company: the site 1 LAN is 192.168.0.0/24 and the site 2 LAN is 192.168.0.0/16. I can successfully establish a VPN between the two sites, as evidenced:

SITE 1:

SITE 2:

The main problem here is that I can't get out to the internet even with the NAT configuration correct. If I remove the NAT configuration used for the VPN, access to the internet works normally, but the VPN crashes. Is there any other strategy so that I can both access the internet and access the resources of the other site through the VPN?

The routers of the two sites are attached.

Thank you in advance!

4 Replies

MANI .P
Level 1

01. You have to create an ACL permit and apply it to the crypto map on the internet interface.

----------------------------------------------------------------------------------------------------------------------

Configure the access-lists and map them to the crypto map configured.

access-list 100 remark IPSec Rule
access-list 100 permit ip LANSITE1NW+Wildcardmask LANSITE2NW+Wildcardmask

! a crypto map entry needs a sequence number (10 used here)
crypto map S2SVPN_1 10 ipsec-isakmp
 set peer 177.94.X.X
 set transform-set Router-IPSEC
 match address 100

interface FastEthernet0
 ip address 200.150.X.X
 duplex auto
 speed auto
 crypto map S2SVPN_1

02. Configure NAT to allow the inside network to access the internet.

------------------------------------------------------------------------------

ip nat inside source route-map nonat interface fa0/0 overload
-------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------
This ACL 110 identifies the traffic flows using a route map:

access-list 110 deny ip LANSITE1NW+Wildcardmask LANSITE2NW+Wildcardmask
access-list 110 permit ip LANSITE1NW+Wildcardmask any
route-map nonat permit 10
 match ip address 110
----------------------------------------------------------------------------------------------------------

I hope this will help you.

Thanks,

Mani

Hello my friend.

Unfortunately the configuration you gave me didn't work. After the tests, I can't ping site 2 through the VPN. Note that in the debug, when I try to ping a site 2 host or the internet, it gives a match on the IPSEC NAT rule.
Attached is the .txt file with the configuration of SITE1 and images with the debug ip nat and the output of show ip nat translation.

Hi,

1. You have to remove
no ip nat inside source static network 192.168.0.0 172.25.10.0 /24
no ip nat outside source static network 192.168.0.0 10.199.0.0 /16
---------------------------------------------------------
2. Change the ACL at site 1 because your local NW is 192.168.0.0 and the remote NW is 172.25.10.0
#ip access-list extended NONAT
deny ip 192.168.0.0 0.0.255.255 172.25.10.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
# ip access-list extended VPN-CRYPTO
permit ip 192.168.0.0 0.0.255.255 172.25.10.0 0.0.0.255
-----------------------------------------------------------------------------------
3. At site 2 the ACL should be

#ip access-list extended NONAT
deny ip 172.25.10.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 172.25.10.0 0.0.0.255 any
# ip access-list extended VPN-CRYPTO
permit ip 172.25.10.0 0.0.0.255 192.168.0.0 0.0.255.255
-----------------------------------------------
4. Clear ISAKMP - phase 1
#clear crypto isakmp

------------------------------
5. Clear IPsec - phase 2
# clear crypto sa

------------------------
6. Initiate traffic from site 1 to site 2

# ping 172.25.10.X source 192.168.X.X

Check the crypto isakmp and then the IPsec inbound and outbound.

---------------------------------------------------------
7. Site 1 internal users will be able to access the internet as well.

Please rate if this helps you.

Thanks,
Mani

Hi.

I imagine that you did not understand: site 1's LAN is 192.168.0.0/24 and site 2's LAN is 192.168.0.0/16. These two NAT rules that you asked me to remove are the rules that solve the problem of the overlap between the two sites so that they can communicate.
ip nat inside source static network 192.168.0.0 172.25.10.0 /24: this rule translates the 192.168.0.0/24 source to 172.25.10.0/24, so whoever is doing a ping test from site 2 to site 1 should send ICMP to a host on the 172.25.10.0/24 network instead of 192.168.0.0/24, because I'm masking the origin.

The same logic follows for the rule ip nat outside source static network 192.168.0.0 10.199.0.0 /16, where hosts from site 1 that try to ping a host in site 2 will send ICMP to a host on the 10.199.0.0/16 network instead of the 192.168.0.0/16 network, because I'm translating the destination.
So, if I haven't got it wrong, the configuration you gave me is as if the hosts on the site 2 LAN really used the 172.25.10.0/24 network; that would be a simpler scenario for me, where just a NAT exemption rule between the networks, so as not to do the translation, would solve the problem of connectivity to the internet and maintain communication between the sites through the VPN, but that is not my case.
Just as a note, I replaced the router with an ASAv in site 1 and, following the same logic, I had success both with connectivity to the internet and with communication to site 2 through the VPN, without interference in the NAT rule.
Now the question is: why, on the router, is there such interference in the NAT rule?
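As an added illustration (not code from the thread or from Cisco), the following Python model walks one inside-to-outside packet through the two NAT decisions discussed above: the site 1 NONAT ACL that Mani posted (evaluated with Cisco wildcard-mask, first-match semantics) and the two static network translations the original poster uses to hide the 192.168.0.0 overlap. The addresses are the ones in the thread; the PAT address 203.0.113.1 and the packet samples are constructed. The model's ordering, in which a static translation that ignores the destination is consulted before the route-map overload rule, is an assumption chosen to reproduce the debug output the poster reports (internet-bound traffic matching the IPsec NAT rule); a second, destination-aware mode stands in for the policy NAT behaviour the poster observed on the ASAv. The model is not a statement of how IOS or ASA internally order their NAT tables.

```python
# Added example, not from the thread. Models wildcard-ACL matching and the
# selection between a static network translation and a route-map PAT rule.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask comparison: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def acl_lookup(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"


# Site 1 NONAT ACL exactly as posted in the thread ("any" = 0.0.0.0 255.255.255.255).
NONAT_SITE1 = [
    AclEntry("deny",   "192.168.0.0", "0.0.255.255", "172.25.10.0", "0.0.0.255"),
    AclEntry("permit", "192.168.0.0", "0.0.0.255",   "0.0.0.0",     "255.255.255.255"),
]

# Static network translations the original poster uses to hide the overlap.
INSIDE_STATIC = ("192.168.0.0", "172.25.10.0", 24)   # ip nat inside source static network
OUTSIDE_STATIC = ("192.168.0.0", "10.199.0.0", 16)   # ip nat outside source static network
PAT_ADDRESS = "203.0.113.1"  # constructed stand-in for the 200.150.X.X outside interface


def rewrite_network(addr: str, new_net: str, prefixlen: int) -> str:
    """Replace the network part of addr with new_net, keeping the host bits."""
    host_mask = (1 << (32 - prefixlen)) - 1
    host = int(ipaddress.IPv4Address(addr)) & host_mask
    base = int(ipaddress.IPv4Network(f"{new_net}/{prefixlen}").network_address)
    return str(ipaddress.IPv4Address(base | host))


def in_net(addr: str, net: str, prefixlen: int) -> bool:
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(f"{net}/{prefixlen}")


def translate_inside_to_outside(src: str, dst: str, destination_aware: bool) -> Tuple[str, str, str]:
    """Return (translated_src, translated_dst, rule_used) for one inside->outside packet.

    destination_aware=False: the static network rule is checked first and ignores the
    destination, so it catches every 192.168.0.0/24 source, internet-bound or not
    (assumed ordering, matching the debug output reported in the thread).
    destination_aware=True: the static rewrite applies only to traffic bound for the
    10.199.0.0/16 stand-in range, so other traffic falls through to the NONAT decision.
    """
    inside_old, inside_new, inside_len = INSIDE_STATIC
    outside_old, outside_new, outside_len = OUTSIDE_STATIC
    to_remote_site = in_net(dst, outside_new, outside_len)

    # 1. Static translations (the overlap fix).
    if in_net(src, inside_old, inside_len) and (to_remote_site or not destination_aware):
        new_src = rewrite_network(src, inside_new, inside_len)
        # outside source static: 10.199.x.y (outside local) -> 192.168.x.y (outside global)
        new_dst = rewrite_network(dst, outside_old, outside_len) if to_remote_site else dst
        return new_src, new_dst, "static-network"

    # 2. Dynamic overload via route-map nonat / ACL NONAT.
    if acl_lookup(NONAT_SITE1, src, dst) == "permit":
        return PAT_ADDRESS, dst, "pat-overload"

    # 3. Denied by NONAT: leave the packet untranslated so the crypto ACL sees real addresses.
    return src, dst, "no-nat"


if __name__ == "__main__":
    for aware in (False, True):
        for dst in ("198.51.100.9", "10.199.5.7", "172.25.10.5"):
            print(f"policy={aware} dst={dst} ->",
                  translate_inside_to_outside("192.168.0.10", dst, aware))
```

Running it shows the difference the poster saw: with a destination-agnostic static rule, a packet from 192.168.0.10 to the constructed internet address 198.51.100.9 leaves with source 172.25.10.10, an address that is only meaningful to site 2, whereas in destination-aware mode the same packet falls through to the NONAT ACL and is PAT'd. Traffic to 10.199.5.7 is rewritten to 172.25.10.10 -> 192.168.5.7 in both modes, which is the form the site 1 crypto ACL must then match.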