06-18-2014 01:42 AM
Need a little bit of guidance for the connectivity between 2 natted sites. I have 2 routers which will be doing natting (Internal -> nat IP) before going through the VPN tunnel.
Site A natting = 10.208.0.0 /16 to be natted to 1.1.0.0 /16
Site B natting = 10.208.0.0 /16 to be natted to 1.2.0.0 /16
I also added static route to point to the inside when the nat is coming from the outside but still no luck.
Configuration of Site A:
ip nat pool NATPOOL 1.1.0.0 1.1.255.255 netmask 255.255.0.0 type match-host
!
ip nat inside source route-map ROUTEMAP-NAT pool NATPOOL
!
route-map ROUTEMAP-NAT permit 10
match ip address ACL-NAT
!
ip access-list extended ACL-NAT
permit ip 10.208.0.0 0.0.255.255 1.2.0.0 0.0.255.255
!
! VPN encryption domain
ip access-list extended ACL-VPN
permit ip 1.1.0.0 0.0.255.255 1.2.0.0 0.0.255.255
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 1.1.0.0 255.255.0.0 GigabitEthernet0/1
!
interface GigabitEthernet0/0
crypto map S2S_IPSEC_VPN
ip nat outside
!
interface GigabitEthernet0/1
ip address 10.208.9.5 255.255.255.128
ip nat inside
!
Configuration of Site B:
ip nat inside source route-map ROUTEMAP-NAT pool NATPOOL
!
ip nat pool NATPOOL 1.2.0.0 1.2.255.255 netmask 255.255.0.0 type match-host
!
route-map ROUTEMAP-NAT permit 10
match ip address ACL-NAT
!
ip access-list extended ACL-NAT
permit ip 10.208.0.0 0.0.255.255 1.1.0.0 0.0.255.255
!
! VPN encryption domain
ip access-list extended ACL-VPN
permit ip 1.2.0.0 0.0.255.255 1.1.0.0 0.0.255.255
!
interface Dialer1
ip nat outside
crypto map S2S_IPSEC_VPN
!
interface FastEthernet1
ip nat inside
ip address 10.208.76.102 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 1.2.0.0 255.255.0.0 FastEthernet1
With this configuration, I'm not able to ping from Site A (Lan IP) to the natted IP of Site B and vice versa.
Site A#ping 1.2.76.102 so gi0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.76.102, timeout is 2 seconds:
Packet sent with a source address of 10.208.9.5
.....
Success rate is 0 percent (0/5)
Site A#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 1.1.9.5:164 10.208.9.5:164 1.2.76.102:164 1.2.76.102:164
However, on Site A I can see encaps on the IPsec incrementing but decaps shows the same, but on Site B I'm seeing incrementing decaps but not encaps. I obtained the same results when pinging Site A from Site B.
Site B#ping 1.1.9.5 so fa1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.9.5, timeout is 2 seconds:
Packet sent with a source address of 10.208.76.102
.....
Success rate is 0 percent (0/5)
MY-PJ-DC-UNIFI-20M-S2S-RTR_1#sh ip nat tr
MY-PJ-DC-UNIFI-20M-S2S-RTR_1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 1.2.76.102:306 10.208.76.102:306 1.1.9.5:306 1.1.9.5:306
Whenever I do the ping test from Site A, I don't see an ip nat translation at all on the Site B router. Same goes the other way around.
I've tried to use the reversible command on the ip nat source. With this command in place on router B, I am able to ping the natted IP from Router A to Router B (with the condition that I tried to initiate ping traffic from Router B to Router A first; that ping test fails), but I still can't ping from router B to router A.
Router A results:
Router A#ping 1.2.76.102 so gi0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.76.102, timeout is 2 seconds:
Packet sent with a source address of 10.208.9.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
Router A#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 1.1.9.5:174 10.208.9.5:174 1.2.76.102:174 1.2.76.102:174
Router B results:
Router B#sh run | i nat
ip nat inside source route-map ROUTEMAP-NAT-DKSH-CSSC pool NATPOOL-DKSH-MALAYSIA reversible
Router B#ping 1.1.9.5 so fa 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.9.5, timeout is 2 seconds:
Packet sent with a source address of 10.208.76.102
.....
Success rate is 0 percent (0/5)
MY-PJ-DC-UNIFI-20M-S2S-RTR_1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 1.2.76.102:309 10.208.76.102:309 1.1.9.5:309 1.1.9.5:309
--- 1.2.76.102 10.208.76.102 --- ---
06-18-2014 01:57 AM
Any suggestion or ideas would really be appreciated. I've spent a few days but I still can't come to a conclusion on what is wrong, even though I've done tons of research about the natting process.
06-18-2014 03:56 AM
Hi Jovie,
Can you try the NAT like the below? You can remove the present NAT rules, do this and give it a try.
Site-A
======
ip nat inside source static network 10.208.0.0 1.1.0.0 /16 no-alias
Site-B
=====
ip nat inside source static network 10.208.0.0 1.2.0.0 /16 no-alias
Also check if the inspection causes the issue at one end.
HTH
Regards
Karthik
06-18-2014 08:15 PM
I've tried static nat, and yeah it's working. I can ping both ways.
But my concern now is, on router A, we have existing VPN traffic to other branches. By doing static nat, I will be natting all traffic from 10.208.0.0 /16 on router A, which in turn causes all other VPN traffic to stop working.
Same goes for router B, where we have other VPN setups currently.
I've made some research, but it seems that the command "ip nat inside source static network 10.208.0.0 1.1.0.0 /16 no-alias" is not able to support a route map to define what traffic will get natted. This particular command will nat all traffic from 10.208.0.0 /16 to 1.1.0.0/16.
I've tried a workaround: on Router A we have several server IPs that remote sites will need to access, so I can do 1-to-1 static natting with a route map to control the traffic.
On router B, I've tried using dynamic nat so we can control the traffic through route maps (with or without the reversible command), but it seems like I can only ping one way.
Router A:
ip nat inside source static 10.208.9.5 1.1.9.5 route-map ROUTEMAP-NAT
Router B:
ip nat inside source route-map ROUTEMAP-NAT pool NATPOOL
Results:
Router A#ping 1.2.76.102 so gi0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.76.102, timeout is 2 seconds:
Packet sent with a source address of 10.208.9.5
.....
Success rate is 0 percent (0/5)
Router B#ping 1.1.9.5 so fa1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.9.5, timeout is 2 seconds:
Packet sent with a source address of 10.208.76.102
!!!!!
With the reversible command, A can ping B but B is unable to ping A.
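The asymmetry in the results above comes down to when each NAT type creates its translation entry: a static entry exists before any packet arrives, while a dynamic (pool/route-map) entry is only created by traffic leaving the inside interface, so a ping that reaches the far router first finds no entry for its destination. The Python model below is an added illustration written for this thread, not IOS code and not anything posted by Jovie or Karthik; it assumes a simplified match-host prefix swap (10.208.x.y <-> 1.1.x.y / 1.2.x.y), ignores ICMP-ID-extended entries and the reversible keyword, and tests each direction from a cold translation table.

```python
import ipaddress

class NatRouter:
    """Simplified model (constructed for this example, not IOS code) of an
    inside-source NAT that swaps the /16 prefix and keeps the host bits,
    like 'type match-host': 10.208.9.5 <-> 1.1.9.5."""

    def __init__(self, inside_net, global_net, mode):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.global_net = ipaddress.ip_network(global_net)
        self.mode = mode   # "static": permanent entries; "dynamic": learned from inside only
        self.table = {}    # inside local -> inside global, learned entries

    def _shift(self, addr, src_net, dst_net):
        host = int(addr) - int(src_net.network_address)
        return ipaddress.ip_address(int(dst_net.network_address) + host)

    def inside_to_outside(self, src, dst):
        """Packet leaving via 'ip nat inside' -> 'ip nat outside': translate the source."""
        src = ipaddress.ip_address(src)
        if src not in self.inside_net:
            return str(src), dst
        glob = self._shift(src, self.inside_net, self.global_net)
        self.table[src] = glob   # a dynamic NAT entry is created only here
        return str(glob), dst

    def outside_to_inside(self, src, dst):
        """Packet arriving on 'ip nat outside': untranslate the destination.
        Returns None when no translation exists (the packet has nowhere to go)."""
        dst = ipaddress.ip_address(dst)
        if self.mode == "static" and dst in self.global_net:
            return src, str(self._shift(dst, self.global_net, self.inside_net))
        for local, glob in self.table.items():
            if glob == dst:
                return src, str(local)
        return None

def ping_succeeds(a, b, src_local, dst_global):
    """Echo request from a LAN host behind 'a' to b's NAT address, then the reply."""
    s, d = a.inside_to_outside(src_local, dst_global)   # e.g. 10.208.9.5 -> 1.1.9.5
    hit = b.outside_to_inside(s, d)                     # b must map 1.2.x.y back to 10.208.x.y
    if hit is None:
        return False
    rs, rd = b.inside_to_outside(hit[1], hit[0])        # reply from b's LAN host
    return a.outside_to_inside(rs, rd) is not None      # a learned its entry in step 1

def scenario(mode_a, mode_b):
    """(A->B succeeds, B->A succeeds), each direction from a fresh translation table."""
    def fresh():
        return (NatRouter("10.208.0.0/16", "1.1.0.0/16", mode_a),
                NatRouter("10.208.0.0/16", "1.2.0.0/16", mode_b))
    a, b = fresh()
    a_to_b = ping_succeeds(a, b, "10.208.9.5", "1.2.76.102")
    a, b = fresh()
    b_to_a = ping_succeeds(b, a, "10.208.76.102", "1.1.9.5")
    return a_to_b, b_to_a
```

scenario("static", "dynamic") reproduces the last result in the thread: B can ping A, but A's request to 1.2.76.102 is dropped on B because no entry exists until B's own host sends first.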