05-20-2005 08:14 AM - edited 02-21-2020 01:47 PM
IOS router with a statically configured PAT from public to private and NAT for Internet use:
!
interface FastEthernet0
description # LAN connection
ip address 172.16.189.254 255.255.255.0
ip nat inside
!
interface Dialer0
description # internet connection
ip address negotiated
ip nat outside
crypto map ipsec
!
ip nat inside source list 199 interface Dialer0 overload
ip nat inside source static tcp 172.16.189.1 3389 interface Dialer0 3389
!
and on the same router an IPsec tunnel between 172.16.189.0/24 and 10.10.10.0/24, configured with the following ACL:
!
access-list 199 remark #
access-list 199 remark # "nat Dialer0 overload with vpn split tunneling"
access-list 199 remark #
access-list 199 deny ip 172.16.189.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 199 permit ip 172.16.189.0 0.0.0.255 any
access-list 199 deny ip any any log
!
When I try to connect from host 10.10.10.1 to 172.16.189.1, all ports are OK,
but
if I try to connect on port 3389, the NAT starts. How can I modify this NAT order of operation within this configuration?
Thanks in advance.
05-26-2005 11:25 AM
Please refer to the document http://www.cisco.com/warp/public/556/5.html on the order of operation.
05-27-2005 01:37 AM
Your problem is that the static NAT always takes precedence over the access-list based NAT.
I had exactly the same problem when using some static NATs with some Cisco VPN clients connecting to the same router.
You need to do this:
(1) Create a loopback interface, and give it any spare address. The subnet mask is unimportant.
(2) Create an access-list like this:
ip access-list extended no-nat-3389
permit tcp host 172.16.189.1 eq 3389 10.10.10.0 0.0.0.255
(3) Create a route-map, so that packets from 172.16.189.1/3389 are directed to the new loopback interface:
route-map port3389-to-loopback permit 10
match ip address no-nat-3389
set ip interface loopback0
(4) Apply the route-map to the interface:
interface FastEthernet0
ip route-cache policy
ip policy route-map port3389-to-loopback
DO NOT apply "ip nat inside" to the loopback interface.
The way this works is that the route-map directs packets from 172.16.189.1/3389 to the loopback interface. The loopback interface is not marked as a NAT-inside interface, and so NAT is not applied.
I had some trouble getting this to work. You may need to ensure that the loopback interface is included in the ACL for the VPN tunnel.
HTH
Chris
05-27-2005 02:21 AM
I SEND THE CONFIGURATION AGAIN WITH YOUR INPUT (I've NOT changed the configuration on the HUB router):
*** SPOKE ROUTER
!
interface Loopback123
description # for overrides the problem PAT-NAT VPN problem
ip address 10.123.123.1 255.255.255.0
!
int FastEthernet0
ip address 172.24.64.254 255.255.255.0
ip nat inside
ip route-cache policy
ip route-cache flow
ip policy route-map nonat-fe0
!
interface Dialer0
ip address negotiated
ip nat outside
!
ip nat inside source static tcp 172.24.64.2 3389 interface Dialer0 3389
!
access-list 123 remark #
access-list 123 remark # route map for overrides the problem PAT-NAT VPN problem
access-list 123 remark #
access-list 123 permit ip host 172.24.64.2 172.16.188.0 0.0.0.255
access-list 123 permit ip host 172.24.64.2 172.16.189.0 0.0.0.255
!
access-list 167 remark #
access-list 167 remark # crypto map for L2L ip
access-list 167 remark #
access-list 167 permit ip 172.24.64.0 0.0.0.255 172.16.188.0 0.0.0.255
access-list 167 permit ip 172.24.64.0 0.0.0.255 172.16.189.0 0.0.0.255
access-list 167 permit ip 10.0.0.0 0.0.0.255 172.16.188.0 0.0.0.255
access-list 167 permit ip 10.0.0.0 0.0.0.255 172.16.189.0 0.0.0.255
!
route-map nonat-fe0 permit 10
match ip address 123
set ip next-hop 10.123.123.2
!
*** HUB ROUTER
!
int FastEthernet0.188
ip address 172.16.188.254 255.255.255.0
!
int FastEthernet0.189
ip address 172.16.189.254 255.255.255.0
!
access-list 167 remark #
access-list 167 remark # crypto map for L2L ip
access-list 167 remark #
access-list 167 permit ip 172.16.188.0 0.0.0.255 172.24.64.0 0.0.0.255
access-list 167 permit ip 172.16.189.0 0.0.0.255 172.24.64.0 0.0.0.255
!
BUT now I can't ping from the HUB LAN to the SPOKE LAN!!!
- ping from 172.24.64.2 to 172.16.189.2 OK
- ping from 172.16.189.2 to 172.24.64.2 DOESN'T WORK
If I remove the policy map on the spoke, ALL is OK again!
07-03-2012 11:44 PM
Very old thread, but I see that it doesn't look to have been answered. I'll leave this guide here for future reference. Here's how you do this, guys.
interface FastEthernet0
description # LAN connection
ip address 172.16.189.254 255.255.255.0
ip nat inside
!
interface Dialer0
description # internet connection
ip address negotiated
ip nat outside
crypto map ipsec
!
ip nat inside source list 199 interface Dialer0 overload
ip nat inside source static tcp 172.16.189.1 3389 interface Dialer0 3389 route-map NO-NAT
!
route-map NO-NAT permit 10
match ip address 199
!
!
access-list 199 remark #
access-list 199 remark # "nat Dialer0 overload with vpn split tunneling"
access-list 199 remark #
access-list 199 deny ip 172.16.189.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 199 permit ip 172.16.189.0 0.0.0.255 any
access-list 199 deny ip any any log
!
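To make the behaviour discussed in this thread checkable offline, the following is an added Python model (it is not from the thread and not Cisco code) of the inside-to-outside NAT decision on the router in the original question. It implements IOS-style first-match ACL evaluation with wildcard masks, consults the static PAT entry before the dynamic "list 199 overload" rule (the precedence Chris describes), and optionally applies a route-map to the static entry as in the last answer. The Dialer0 address 198.51.100.1, the Internet host 203.0.113.5 and the LAN host 172.16.189.50 are constructed values; the overload port allocation is not modelled.

```python
"""Model of the IOS NAT decision for inside->outside packets (added example, not thread code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DIALER0_IP = "198.51.100.1"   # constructed: stands in for the negotiated Dialer0 address


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches any protocol, otherwise "tcp"/"udp"
    src: str      # "any", "host A.B.C.D", or "A.B.C.D WILDCARD" (IOS wildcard: 1 bits are don't-care)
    dst: str


def _addr_matches(spec: str, addr: str) -> bool:
    """IOS address matching: 'any', 'host X', or 'X WILDCARD'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    base, wildcard = (int(ipaddress.IPv4Address(p)) for p in parts)
    care_bits = ~wildcard & 0xFFFFFFFF          # bits that must equal the base address
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & care_bits) == 0


def acl_permits(acl: List[Ace], proto: str, src: str, dst: str) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if _addr_matches(ace.src, src) and _addr_matches(ace.dst, dst):
            return ace.action == "permit"
    return False


# access-list 199 from the thread (remark lines omitted)
ACL_199 = [
    Ace("deny", "ip", "172.16.189.0 0.0.0.255", "10.10.10.0 0.0.0.255"),
    Ace("permit", "ip", "172.16.189.0 0.0.0.255", "any"),
    Ace("deny", "ip", "any", "any"),
]


@dataclass(frozen=True)
class StaticPat:
    """ip nat inside source static tcp <inside_local> <local_port> interface Dialer0 <global_port>"""
    proto: str
    inside_local: str
    local_port: int
    global_port: int
    route_map_acl: Optional[List[Ace]] = None   # 'route-map NO-NAT' -> 'match ip address 199'


def translate(static: StaticPat, proto: str, src: str, sport: int,
              dst: str, dport: int) -> Tuple[str, str, int]:
    """Return (decision, translated_src_ip, translated_src_port) for one inside->outside packet.

    The static entry is consulted first and, without a route-map, ignores ACL 199 entirely,
    which is why the VPN-bound reply from port 3389 gets translated in the original question.
    """
    static_hit = (proto == static.proto and src == static.inside_local
                  and sport == static.local_port)
    if static_hit and (static.route_map_acl is None
                       or acl_permits(static.route_map_acl, proto, src, dst)):
        return ("static", DIALER0_IP, static.global_port)
    if acl_permits(ACL_199, proto, src, dst):
        return ("overload", DIALER0_IP, sport)   # overload port allocation not modelled
    return ("none", src, sport)


STATIC_BEFORE = StaticPat("tcp", "172.16.189.1", 3389, 3389)                          # original post
STATIC_AFTER = StaticPat("tcp", "172.16.189.1", 3389, 3389, route_map_acl=ACL_199)   # last answer


def scenarios(static: StaticPat) -> Dict[str, str]:
    """RDP reply packets (source port 3389) and two other flows, constructed for illustration."""
    return {
        "rdp reply to VPN peer": translate(static, "tcp", "172.16.189.1", 3389, "10.10.10.1", 50000)[0],
        "rdp reply to Internet": translate(static, "tcp", "172.16.189.1", 3389, "203.0.113.5", 50000)[0],
        "web from LAN host": translate(static, "tcp", "172.16.189.50", 40000, "203.0.113.5", 80)[0],
        "VPN traffic other port": translate(static, "tcp", "172.16.189.1", 445, "10.10.10.1", 50001)[0],
    }


if __name__ == "__main__":
    for name, entry in (("static PAT only", STATIC_BEFORE), ("static PAT + route-map NO-NAT", STATIC_AFTER)):
        print(name)
        for flow, decision in scenarios(entry).items():
            print(f"  {flow:24s} -> {decision}")
```

Running it shows the symptom from the first post: with the plain static entry, the reply from 172.16.189.1:3389 to 10.10.10.1 is translated ("static") even though ACL 199 denies that subnet pair, so the packet no longer matches the crypto ACL once it reaches Dialer0 (NAT runs before the crypto map on the inside-to-outside path, per the order-of-operations document linked above). With the route-map attached to the static entry, the same packet falls through to "none" while RDP replies to Internet hosts are still translated to Dialer0:3389.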