NAT after decrypt site to site VPN

alex20123
Level 1

Hi,

I have built a site-to-site VPN between Router A and Router B.

Router A
public IP: 1.1.1.1
subnet A : 10.1.1.1/24

PC_A in subnet A 10.1.1.2


Router B
public IP: 2.2.2.2
subnet B : 20.1.1.1/24

PC_B is in subnet B at 20.1.1.2, but it only routes 20.1.1.0/24 to Router B.

 

I can ping 20.1.1.1 from PC_A, but I am unable to ping 20.1.1.2, because PC_B can't send the reply for source IP 10.1.1.2 back to Router B.


How can I use NAT to let PC_A access subnet B?

 

6 Replies

@alex20123 Hard to tell without seeing your configuration, but usually in this scenario you need a NAT exemption rule.

Please provide your configuration.

 

 

Here is Router A's config:

##### R1 #####

crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key password123 address 2.2.2.2
!
! Interesting traffic: subnet A to subnet B
ip access-list extended acl-R1-R2
 permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255
!
crypto ipsec transform-set vpn-R1-R2 esp-aes esp-sha-hmac
!
crypto map VPN-C-MAP 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set vpn-R1-R2
 match address acl-R1-R2
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 crypto map VPN-C-MAP
 exit
!
ip route 0.0.0.0 0.0.0.0 1.1.1.254

Here is Router B's config:

##### R2 #####

crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key password123 address 1.1.1.1
!
! Interesting traffic: subnet B to subnet A (mirror of acl-R1-R2)
ip access-list extended acl-R2-R1
 permit ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! The transform-set name must match the one referenced in the crypto map below
crypto ipsec transform-set vpn-R2-R1 esp-aes esp-sha-hmac
!
crypto map VPN-C-MAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set vpn-R2-R1
 match address acl-R2-R1
!
interface GigabitEthernet0/0
 ip address 20.1.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 2.2.2.2 255.255.255.0
 crypto map VPN-C-MAP
 exit
!
ip route 0.0.0.0 0.0.0.0 2.2.2.254




 

You already have a default route toward the crypto map interface,
so the ping may be dropped by the firewall of the client PC, not because of the IPsec VPN.

I can see the ICMP echo request packets on PC_B using tcpdump, but there is no reply packet.

$ sudo tcpdump -i eth0 icmp -vvv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:21:32.586519 IP (tos 0x0, ttl 254, id 202, offset 0, flags [none], proto ICMP (1), length 100)
    10.1.1.1 > 20.1.1.2: ICMP echo request, id 40, seq 2, length 80
20:21:34.596613 IP (tos 0x0, ttl 254, id 203, offset 0, flags [none], proto ICMP (1), length 100)
    10.1.1.1 > 20.1.1.2: ICMP echo request, id 40, seq 3, length 80
20:21:36.596974 IP (tos 0x0, ttl 254, id 204, offset 0, flags [none], proto ICMP (1), length 100)
    10.1.1.1 > 20.1.1.2: ICMP echo request, id 40, seq 4, length 80

The routing table on PC_B:

$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
20.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0

I want 10.1.1.1 translated to 20.1.1.1 when the traffic is forwarded by Router B, because PC_B will route 10.1.1.0/24 via wlan0.

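As an added illustration (not from the thread or from Cisco), the following Python models PC_B's posted routing table with a longest-prefix-match lookup and a hypothetical post-decrypt source NAT on Router B, to show why the echo reply is lost today and returns once the inner source is rewritten to 20.1.1.1. The NAT table, its ICMP-id keying and the packet dictionaries are assumptions of this model, not IOS configuration.

```python
import ipaddress
# PC_B's routing table as posted (netstat -nr): destination, genmask, gateway, iface
PCB_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.1.1", "wlan0"),
    ("20.1.1.0", "255.255.255.0", "0.0.0.0", "eth0"),
]

def egress_iface(dst, routes=PCB_ROUTES):
    """Longest-prefix-match lookup: the interface PC_B would send a packet for dst out of."""
    dst = ipaddress.ip_address(dst)
    best = None
    for dest, mask, _gw, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

# Assumed post-decrypt source NAT on Router B (a model, not IOS syntax): every
# source in subnet A is rewritten to Router B's LAN address, keyed by ICMP id.
R2_LAN_IP = "20.1.1.1"
SUBNET_A = ipaddress.ip_network("10.1.1.0/24")

def nat_inbound(pkt, table):
    """Router B after IPsec decryption: rewrite a subnet-A source and remember it."""
    if ipaddress.ip_address(pkt["src"]) in SUBNET_A:
        table[(R2_LAN_IP, pkt["icmp_id"])] = pkt["src"]
        return {**pkt, "src": R2_LAN_IP}
    return pkt

def nat_reply(pkt, table):
    """Router B on the reply: restore the real subnet-A destination before re-encryption."""
    orig = table.get((pkt["dst"], pkt["icmp_id"]))
    return {**pkt, "dst": orig} if orig else pkt

def trace_ping(src, nat=False):
    """Echo from src to PC_B; returns (iface PC_B replies on, destination the reply ends at)."""
    table = {}
    req = {"src": src, "dst": "20.1.1.2", "icmp_id": 40}
    if nat:
        req = nat_inbound(req, table)
    reply = {"src": req["dst"], "dst": req["src"], "icmp_id": req["icmp_id"]}
    iface = egress_iface(reply["dst"])
    if iface != "eth0":  # reply goes out wlan0 and never reaches Router B
        return iface, None
    return iface, (nat_reply(reply, table)["dst"] if nat else reply["dst"])

if __name__ == "__main__":
    print(trace_ping("10.1.1.1"))            # ('wlan0', None): lost, matching the tcpdump
    print(trace_ping("10.1.1.1", nat=True))  # ('eth0', '10.1.1.1'): reply returns over the VPN
```

Because all subnet-A hosts share 20.1.1.1 after translation, the ICMP id (or L4 port) is the only thing that distinguishes their sessions on Router B, which is the usual trade-off of hiding a remote subnet behind one address.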

Change the metric of the WLAN to be higher than Ethernet, and hence the PC will always use eth if it is connected.

I can't modify network settings in subnet B except on Router B, therefore I want to use NAT after traffic decryption, but I'm not very proficient in configuration.