NAT over VPN Tunnel

We are trying to configure incoming mail relay through one of our office locations and redirect that external IP over to our datacenter via a DMVPN cloud. I am familiar with the route-map condition at the end of the NAT statement and have it in place already; however, I still can't make a connection over TCP 25 to our mail relay server (which resides at the datacenter).

I have put an access-list on the tunnel interface on our datacenter router and see the counters increment when I try to telnet over port 25 to the external IP routed at our office location, which tells me the NAT rule is working and the traffic is actually making it across the tunnel. I think our problem is with the return traffic originating from our mail relay server. Traffic leaving our datacenter to the public internet follows a different path and is NATed to a different public IP. I've tried to use policy-based routing at our datacenter router to point any traffic from our mail relay server over the DMVPN tunnel, without any success.

I guess my question is the following: how can I ensure that all traffic flows that are NATed through our office location and over the DMVPN cloud to our mail relay server follow the same path back?

See the Visio drawing for reference.

Thanks in advance


I got this working already. Basically, as I mentioned in my first post, I used access-lists at different points of the network to simply determine if my packets were making it in that particular direction. I placed a route-map on the LAN interface of our datacenter router that simply matched all traffic from our mail relay server (leaving the datacenter) and set its next-hop as the DMVPN IP address of our OFC router (the other side of the VPN from our DC router).

I had originally applied the route-map on the outside interface of our datacenter router, but apparently it did not work because I could not see any hits on the test ACL I had configured on my DMVPN tunnel interface (facing our OFC router). Anyhow, moving the route-map to the inside interface did the trick and redirected all the traffic from our mail relay server over the DMVPN cloud. However, my OFC router was not NATing the mail relay's internal IP to a public IP as it traversed from the DMVPN tunnel interface back out our internet interface (obviously the same physical interface).

Ultimately I configured ip nat inside on the tunnel interface of our OFC router and that resolved the issue. So, in summary:

1. You need a route-map at the end of your static NAT statements (deny all VPN and intra-interface related traffic and permit everything else from those IPs you have NAT statements for).

2. A route-map on the inside or LAN interface(s) of your remote router (the other end of the VPN) pointing all return traffic from the IP that you are NATing back out to the DMVPN cloud.

3. ip nat inside configured on the tunnel interface of the router where your remote NAT translation is taking place.

Hope that explains it.
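As an added illustration of the three steps above (this is not the poster's configuration), here is one way they map onto Cisco IOS. Every address, interface name, ACL and route-map name is made up for the example: the relay is 10.20.0.25 in the datacenter, its public address at the office (OFC) is 203.0.113.10, and the DMVPN tunnel subnet is 172.16.0.0/24.

```cisco
! OFC router (the router doing the static NAT); all addresses and names are hypothetical
interface Tunnel0
 description DMVPN
 ip address 172.16.0.1 255.255.255.0
 ip nat inside                      ! Step 3: relay traffic arriving via the tunnel is "inside"
!
interface GigabitEthernet0/0
 description Internet
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
!
! Step 1: do not translate relay traffic headed for VPN/private ranges; translate the rest
ip access-list extended RELAY-NAT-ACL
 deny   ip host 10.20.0.25 10.0.0.0 0.255.255.255
 deny   ip host 10.20.0.25 172.16.0.0 0.0.255.255
 permit ip host 10.20.0.25 any
!
route-map RELAY-NAT permit 10
 match ip address RELAY-NAT-ACL
!
ip nat inside source static 10.20.0.25 203.0.113.10 route-map RELAY-NAT
!
! DC router (where the mail relay lives)
interface Tunnel0
 description DMVPN
 ip address 172.16.0.2 255.255.255.0
!
! Step 2: force the relay's internet-bound return traffic back over the tunnel,
! but leave its traffic to internal networks on the normal routing path
ip access-list extended RELAY-RETURN-ACL
 deny   ip host 10.20.0.25 10.0.0.0 0.255.255.255
 permit ip host 10.20.0.25 any
!
route-map RELAY-TO-DMVPN permit 10
 match ip address RELAY-RETURN-ACL
 set ip next-hop 172.16.0.1
!
interface GigabitEthernet0/1
 description Datacenter LAN (policy applied on the inside interface, as the poster found)
 ip policy route-map RELAY-TO-DMVPN
```

To confirm the path, `show route-map RELAY-TO-DMVPN` on the DC router should show the policy-routed packet count climbing during a port 25 test, and `show ip nat translations` on the OFC router should list the 10.20.0.25 to 203.0.113.10 entry.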