NAT traffic destined for VPN tunnel and Still Access the Internet

alex.brown
Level 1

Hi,

Thank you in advance for any help you can provide.

I have a server with an IP address of 192.168.1.9 that needs to access a remote subnet of 192.168.50.0/24, across the Internet.  However, before the server can access the remote subnet, the server's IP address needs to be NAT'ed to 10.1.0.1 because the remote VPN gateway (which is not under my control) provides access to other clients that have the same subnet addressing that we do on our LAN.

We have a Cisco 2801 (running c2801-advsecurityk9-mz.124-15.T9.bin) configured to do the NAT.  This is the only gateway on our network.

I have configured the Cisco 2801 with the following NAT statements and relevant access lists:

access-list 106 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255

ip access-list extended NAT
deny   ip host 192.168.1.9 192.168.50.0 0.0.0.255
deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any

route-map ISP permit 10
match ip address NAT

ip nat pool EMDVPN 10.1.0.1 10.1.0.1 netmask 255.255.255.0
ip nat inside source list 106 pool EMDVPN
ip nat inside source route-map ISP interface FastEthernet0/1 overload

When the server (192.168.1.9) attempts to ping devices on the 192.168.50.0/24 subnet, the VPN tunnel is successfully established.  However, after that, the server is no longer able to access the Internet because the NAT translation for 192.168.1.9 has changed from the external IP of the router (FastEthernet0/1) to 10.1.0.1.

The documentation I've seen on Cisco's site tells me that this type of configuration only allows for host to subnet communication.  Internet access is not possible.  However, perhaps I've missed something or one of you experts can enlighten me.  Is there any way to configure the router to NAT the traffic destined for the VPN tunnel and still access the Internet using the dynamic NAT on FastEthernet0/1?

Again, thank you for any help you can give.

Alex

2 Accepted Solutions

3 Replies

mopaul
Cisco Employee

Hi,


Instead of using a pool for NAT


192.168.1.9 -- 10.1.0.1 >> 192.168.50.x


access-list 102 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255

route-map RM-STATIC-NAT permit 10
match ip address 102

ip nat inside source static 192.168.1.9 10.1.0.1 route-map RM-STATIC-NAT extendable

access-list 101 deny ip host 192.168.1.9 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/1 overload


***VPN access-list will use the source as 10.1.0.1...***

Lemme know if this works.



Regards

M

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries

THANK YOU!!!  That worked!!

It appears that I need to get a better understanding of the order of operation when using NAT.

I got rid of the pool, like you suggested, but I left my original overload statement like it was . . .

ip nat inside source route-map ISP interface FastEthernet0/1 overload

. . . and it still didn't work.  Once I changed it to the following, per your suggestion, it worked:

ip nat inside source list 101 interface FastEthernet0/1 overload

Will you tell me what I missed please?

Thanks Mopaul!

Hey Alex,


Glad I could help you...


The overload statement you used earlier looks good to me. Whenever you make changes to NAT rules, be sure to clear the NAT translations for the IP address/subnet for which the rule is defined on the router, to ensure the router creates the correct translation considering all ip nat rules configured on the device. So, when you took your statement off and put mine in, the router created a new translation for the host IP, which was correct this time. You can either use a route map or you can make an ACL for NAT overload. Both work. I prefer using an ACL to a route map for the overload statement.


When I started playing with NAT on routers, trust me, I had a bad time too understanding the NAT order of operation. Here is what I followed to make things clearer for myself. I did plenty of lab recreates and played with multiple keywords within the NAT statements on the router, for instance "extendable".

Below are some documents I used when I started (and, to be honest, I still refer to them whenever required); they might help you too in future.


Beginner's guide for NAT

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml


NAT order of operation

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml


Route maps with Static Translations

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html



Hope this helps...


Regards

M



P.S.: For all users, whenever you post your questions and the solution given to you works, please make sure you rate it. That helps other users with the same query to get their answers in less time rather than posting a new thread for the same thing and waiting for answers. This saves time for both the author and the person who replies.

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries
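The two points the thread turns on, that the router consults its existing translation table before it evaluates any NAT rule, and that a non-overload pool creates a single destination-less entry for the host while "overload" and "static ... extendable" create per-destination entries, can be seen in a small model. The following is an added example written for this page, not code from the thread or from Cisco: it simulates Alex's original pool configuration, mopaul's static/overload configuration, and the effect of swapping rules without clearing translations. The WAN address 203.0.113.10, the destination hosts and the rule-precedence details are constructed assumptions of the model, not IOS behaviour reproduced exactly (the real platform has further ordering rules, such as static entries taking precedence over dynamic ones).

```python
"""Toy model of IOS inside-source NAT lookup order (constructed example).
Modelled: (1) an existing translation entry is consulted before any NAT rule;
(2) dynamic pool NAT without 'overload' creates a simple entry keyed on the
inside-local address only, while 'overload' and 'static ... extendable' create
extended entries that also carry the destination, so one host can hold
several translations at once."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional
import ipaddress

WAN_IP = "203.0.113.10"      # constructed stand-in for FastEthernet0/1's address
SERVER = "192.168.1.9"
VPN_NAT_IP = "10.1.0.1"


def in_net(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def to_vpn(src: str, dst: str) -> bool:
    """ACL 102 / 106: host 192.168.1.9 -> 192.168.50.0 0.0.0.255."""
    return src == SERVER and in_net(dst, "192.168.50.0/24")


def lan_to_anywhere_else(src: str, dst: str) -> bool:
    """ACL 101 / route-map ISP: deny the VPN flow, permit 192.168.1.0/24 -> any."""
    return in_net(src, "192.168.1.0/24") and not to_vpn(src, dst)


@dataclass
class Rule:
    cli: str                              # the IOS statement this rule stands for
    match: Callable[[str, str], bool]
    inside_global: str
    extended: bool                        # True for overload/extendable, False for a plain pool


@dataclass
class Entry:
    inside_local: str
    inside_global: str
    dst: Optional[str]                    # None marks a simple (destination-less) entry


@dataclass
class NatRouter:
    rules: List[Rule]
    table: List[Entry] = field(default_factory=list)

    def translate(self, src: str, dst: str) -> str:
        # Step 1: an existing entry for this host answers first; a simple
        # entry (dst None) matches every destination.
        for e in self.table:
            if e.inside_local == src and e.dst in (None, dst):
                return e.inside_global
        # Step 2: no entry, so the first matching rule creates one.
        for r in self.rules:
            if r.match(src, dst):
                self.table.append(Entry(src, r.inside_global, dst if r.extended else None))
                return r.inside_global
        return src                        # nothing matched: sent untranslated

    def clear_translations(self) -> None:
        """Models 'clear ip nat translation *'."""
        self.table.clear()


def original_config() -> List[Rule]:
    return [
        Rule("ip nat inside source list 106 pool EMDVPN", to_vpn, VPN_NAT_IP, extended=False),
        Rule("ip nat inside source route-map ISP interface Fa0/1 overload",
             lan_to_anywhere_else, WAN_IP, extended=True),
    ]


def fixed_config() -> List[Rule]:
    return [
        Rule("ip nat inside source static 192.168.1.9 10.1.0.1 route-map RM-STATIC-NAT extendable",
             to_vpn, VPN_NAT_IP, extended=True),
        Rule("ip nat inside source list 101 interface Fa0/1 overload",
             lan_to_anywhere_else, WAN_IP, extended=True),
    ]


# Constructed traffic: the server first pings a VPN host, then an Internet host.
FLOWS = [(SERVER, "192.168.50.20"), (SERVER, "198.51.100.7")]


def walk(router: NatRouter, flows) -> List[str]:
    return [router.translate(s, d) for s, d in flows]


def run_original() -> List[str]:
    """Pool config: the simple entry created by the VPN ping captures Internet traffic too."""
    return walk(NatRouter(original_config()), FLOWS)


def run_fixed() -> List[str]:
    """Static-extendable + overload: each destination gets its own translation."""
    return walk(NatRouter(fixed_config()), FLOWS)


def run_change_without_clear():
    """Swap the rules in while the old simple entry is still in the table."""
    r = NatRouter(original_config())
    walk(r, FLOWS)
    r.rules = fixed_config()
    stale = r.translate(*FLOWS[1])        # old entry still answers first
    r.clear_translations()
    fresh = r.translate(*FLOWS[1])        # now the overload rule is consulted
    return stale, fresh


if __name__ == "__main__":
    print("pool config:              ", run_original())
    print("fixed config:             ", run_fixed())
    print("fixed, before/after clear:", run_change_without_clear())
```

Running it shows the pool configuration translating both flows to 10.1.0.1 (the symptom in the question), the fixed configuration translating the VPN flow to 10.1.0.1 and the Internet flow to the WAN address, and the rule swap only taking effect after the translation table is cleared, which is the point of mopaul's advice to clear translations after changing NAT rules. On a real router the corresponding checks are "show ip nat translations" before and after "clear ip nat translation *".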