03-19-2007 03:35 AM - edited 02-21-2020 02:55 PM
Hi,
I have the following problem, and can't seem to find a solution.
I have 2 Cisco routers, A and B with a VPN connection. Both routers have a serial
interface pointing to external and an ethernet interface (let's call them A and B)
pointing to the inside.
Traffic between subnet A and B is NOT NATed and the VPN works fine.
Now, router B has a second ethernet interface (C), to subnet C.
I added this subnet to the IPSEC ACLS on both routers as I want to allow subnet A to
access subnet C through the VPN.
The tunnel is up and running with no NAT being done.
However, on router B, access from subnet B to C is NATed:
Interface B
ip nat inside
!
Interface C
ip nat outside
!
ip nat inside source route-map NAT interface C overload
!
route-map NAT permit 10
match ip address 123
!
access-list 123 permit ip SUBNET_B SUBNET_C
So far so good. Now the problem:
How can I NAT traffic from subnet A to subnet C?
I tried adding
access-list 123 permit ip SUBNET_A SUBNET_C
but this doesn't help as traffic coming out of the VPN seems not to be affected by the
NAT rule, probably because it is not considered coming from an interface with "ip nat
inside".
Is there a way of doing this without using tunnel interfaces?
Thanks in advance,
03-19-2007 06:55 AM
If I understood it correctly, you want the traffic from Subnet A to reach the router B, get decrypted, NATted to interface B and then routed to interface C.
Please correct me if I am wrong.
You might want to use PBR (Policy Based Routing) for this.
Create an ACL to identify the traffic:
access-list 101 permit ip Subnet A Subnet C
Create a loopback :
int loopback 1
ip address 1.1.1.1 255.255.255.252
ip nat inside
exit
Create a route map to route the traffic after it's decrypted.
route-map pol_nat permit 10
match ip address 101
set ip next-hop 1.1.1.2
exit
Apply the route map to your WAN interface:
int serial 0
ip policy route-map pol_nat
exit
This way the traffic will first be decrypted and then will be routed to loopback, which has a "ip nat inside" applied, and then it will be routed to subnet C after being natted using your NAT rule.
*Please rate if this helps.
-Kanishka
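Putting Kanishka's pieces together with the poster's existing NAT rule, here is a consolidated router B configuration (an added example, not a config from the thread). Addresses and interface names are assumed placeholders: subnet A 10.1.0.0/24, subnet B 10.2.0.0/24, subnet C 10.3.0.0/24; the existing crypto map is referred to as "VPN" and is left unchanged.

```cisco
! Added example for router B - placeholder addresses and interface names.
! Subnet B side (unchanged): inside for NAT
interface FastEthernet0/0
 ip address 10.2.0.1 255.255.255.0
 ip nat inside
!
! Subnet C side (unchanged): outside for NAT, overload to this address
interface FastEthernet0/1
 ip address 10.3.0.1 255.255.255.0
 ip nat outside
!
! Loopback that acts as the "ip nat inside" hop for decrypted VPN traffic
interface Loopback1
 ip address 1.1.1.1 255.255.255.252
 ip nat inside
!
! WAN interface: IPsec terminates here; PBR sees the packet after decryption
interface Serial0/0
 ip address 203.0.113.2 255.255.255.252
 ip policy route-map pol_nat
 crypto map VPN
!
! PBR selector: only A->C traffic is steered into the loopback
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
route-map pol_nat permit 10
 match ip address 101
 set ip next-hop 1.1.1.2
!
! NAT selector must list both the B->C and the A->C flows
access-list 123 permit ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 123 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
route-map NAT permit 10
 match ip address 123
!
ip nat inside source route-map NAT interface FastEthernet0/1 overload
```

The crypto ACL on both routers keeps the pre-NAT addresses (A <-> C), since decryption happens before the PBR and NAT steps; return traffic from C arrives on the nat outside interface, is un-translated, and then matches the crypto ACL towards subnet A.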
03-19-2007 06:05 AM
Isn't Subnet A connected to Router A ?
You mentioned that the traffic between Subnet A and C is "not" natted.
If you want to NAT the traffic, going from A to C , you have to do it on Router A.
And the crypto ACL will be created using the Natted ip address.
The changes should be mirrored on Router B as well.
Could you please elaborate the requirement and a snippet of Router A config, if you can post.
-Kanishka
03-19-2007 06:43 AM
I cannot NAT traffic from subnet A to C on router A, as the interface IP address on router B has to be used for traffic going to subnet C.
So NATing has to be done on router B.
Please see http://www.knudde.be/NAT.jpg for a little drawing.
The blue text is what I want to do.
03-19-2007 07:00 AM
Thank you!
This is exactly what I need.
03-22-2007 02:31 PM
Good stuff. How would something like this be achieved using a PIX instead of a router (e.g. come through RAN interface then overload NAT to Outside interface)?
Regards