multiple static nat with one public ip (one customer ip to one internal host)

Max Backs
Level 1

Hi all together!

I need a 1:1 NAT between a remote host and an internal host for an IPsec site-to-site tunnel for each of our customers. I need this configuration for a dial-in remote maintenance concept shown in the picture.

[Picture: Unbenannt.PNG]

My problem is that I have only one public IP address at my disposal. At the moment the connection with only one site-to-site tunnel works perfectly, but now, how could I implement my next customers? I read some pages about policy-based NAT or NAT with route-maps, but I can't get any of the examples to work.

Could someone help me with the configuration?

thanks in advance

Max
2 Replies

Hi,

So you have a static NAT for the 1st customer?

ip nat inside source static 10.0.0.1 200.1.1.1

In this way, the router redirects the VPN traffic to the 10.0.0.1 router, correct?

You cannot use another static rule for the same IP, i.e.
ip nat inside source static 10.0.0.2 200.1.1.1 --> will overlap with the first rule

You cannot use port redirection, because you need to redirect ESP and ISAKMP on all rules.

I see two solutions:


1. Can you get more public IPs?
2. Can you terminate all the tunnels on the router having the public IP (assuming you have control over it)?

- Sorry, I see you're terminating the tunnel on this router.

Federico.

Hi Federico,

first of all, sorry for my late answer, but I was looking for a few days for another solution with my Cisco router. I always get the same result; it doesn't work with my router.

Now I tried my luck with iptables and it works fine. I wrote a small shell script for easy use. It sets a "static NAT" based on the source customer peer IP. The script is not perfect and not the fastest, but it works well ;-)

Thank you for your help!

d-fw-nat-01:~# cat iptables.sh
#!/bin/bash
# Per-customer 1:1 NAT keyed on the remote peer's source address.
# Assumes IP forwarding is already enabled (net.ipv4.ip_forward=1); this script does not set it.

# 1 Set variables:
EXTERNAL_INT="eth0"            # External Internet interface
EXTERNAL_IP="62.154.213.75"    # Internet interface IP address

# Customer 0
CUSTOMER_PEER[0]="87.157.179.122"
INTERNAL_PEER[0]="172.20.11.12"

# Customer 1
CUSTOMER_PEER[1]="80.153.190.76"
INTERNAL_PEER[1]="172.20.11.13"

# 2 iptables binary
FW="/sbin/iptables"

# 3 Delete existing rules (filter and nat tables)
$FW -F
$FW -X
$FW -t nat -F
$FW -t nat -X

# 4 Default policies
$FW -P INPUT   ACCEPT
$FW -P FORWARD ACCEPT
$FW -P OUTPUT  ACCEPT

# Close the external interface for local services (forwarded traffic is not affected)
$FW -A INPUT  -i $EXTERNAL_INT -j REJECT
$FW -A OUTPUT -o $EXTERNAL_INT -j REJECT

# The loop for setting one DNAT/SNAT pair per customer, indexed by array position
for I in "${!INTERNAL_PEER[@]}"; do
    # In PREROUTING the destination IP must be rewritten: traffic from this peer goes to its internal host
    $FW -t nat -A PREROUTING  -i $EXTERNAL_INT -s "${CUSTOMER_PEER[$I]}" -j DNAT --to "${INTERNAL_PEER[$I]}"
    # In POSTROUTING the source IP must be rewritten: replies to this peer leave with the public IP
    $FW -t nat -A POSTROUTING -o $EXTERNAL_INT -d "${CUSTOMER_PEER[$I]}" -j SNAT --to "$EXTERNAL_IP"
done
d-fw-nat-01:~#

I changed the German comments into English.
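As an added example (not the poster's script and not Cisco's or netfilter's own code), the same per-customer DNAT/SNAT pairing as a generator of iptables-restore lines in Python, which also refuses the overlap Federico described (two customers arriving from the same peer address cannot be told apart behind one public IP). The addresses are constructed placeholders, and the SNAT line is narrowed to the mapped internal host, which the original script does not do.

```python
import ipaddress

# Constructed sample table mirroring the thread's layout: (customer peer IP, internal host).
# These addresses are placeholders, not the poster's real ones.
CUSTOMERS = [
    ("198.51.100.10", "172.20.11.12"),
    ("198.51.100.20", "172.20.11.13"),
]


def build_nat_rules(customers, ext_if="eth0", ext_ip="203.0.113.5"):
    """Return nat-table lines in iptables-restore format, one DNAT/SNAT pair
    per customer, keyed on the remote peer address (no ports, so ESP, ISAKMP
    and NAT-T all follow the same mapping). Raises ValueError when a peer or
    internal host appears twice, which is the rule overlap from the thread."""
    seen_peers, seen_hosts = set(), set()
    lines = ["*nat"]
    for peer, host in customers:
        peer_ip = ipaddress.ip_address(peer)   # raises ValueError on malformed input
        host_ip = ipaddress.ip_address(host)
        if not host_ip.is_private:
            raise ValueError(f"internal host {host} is not a private address")
        if peer_ip in seen_peers:
            raise ValueError(f"peer {peer} already mapped: DNAT rules would overlap")
        if host_ip in seen_hosts:
            raise ValueError(f"internal host {host} already mapped to another peer")
        seen_peers.add(peer_ip)
        seen_hosts.add(host_ip)
        # Inbound: everything from this peer on the external interface goes to its host.
        lines.append(f"-A PREROUTING -i {ext_if} -s {peer} -j DNAT --to-destination {host}")
        # Outbound: only this host's replies to this peer leave with the public address.
        lines.append(f"-A POSTROUTING -o {ext_if} -s {host} -d {peer} -j SNAT --to-source {ext_ip}")
    lines.append("COMMIT")
    return lines


def resolve_inbound(customers, src_ip):
    """Which internal host a packet from src_ip would be DNATed to, or None."""
    for peer, host in customers:
        if ipaddress.ip_address(src_ip) == ipaddress.ip_address(peer):
            return host
    return None


if __name__ == "__main__":
    print("\n".join(build_nat_rules(CUSTOMERS)))
```

Feed the output to `iptables-restore -n` to load only the nat table, or keep it as a reviewable artifact alongside the shell script.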