NATing vpn traffic differently from internet traffic

rfera
Level 1

Hello,

I have a remote site to which I must create a site-to-site IPsec VPN. The remote site has a Cisco 800-series router and has a private subnet that overlaps a local subnet (thus the VPN traffic must be "static network" NATed). The 800 also acts as the remote site's firewall, so it is performing PAT on their internet traffic. I know how to exempt VPN traffic from the internet PAT by using a route map. However, I also must perform a static network NAT on all traffic going through the tunnel. However, "ip nat source static network ....." does not support any route-maps or access-lists. It appears to be just a gigantic sledgehammer that overrides all other IP NAT commands. I know this type of NATing can be done on an ASA, but I need it on IOS.

ip access-list extended aclNAT
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.255.255     ! the traffic going through the VPN denied for PAT
 permit ip 192.168.10.0 0.0.0.255 any                          ! all other traffic destined for internet

ip access-list extended aclVPNNAT
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.255.255    ! the traffic going through the VPN

route-map NATMap permit 10
 match ip address aclNAT

route-map VPNNATMap permit 10
 match ip address aclVPNNAT

ip nat source route-map VPNNATMap static network 192.168.10.0 192.168.200.0 /24    ! What I'd like to do but can't...
ip nat source route-map NATMap interface FastEthernet4 overload

Is there some other approach I can use to accomplish this? (There must be something -- it just doesn't seem like a very obscure problem.) I have been reading about VTIs and VRFs, wondering if some of those technologies might help, and my head is spinning. Any hints that would point me towards a solution would be appreciated.

Thanks,

Bob


srikanth ath
Level 4

Hello Bob,

When you have an overlap of private subnets between two sites, you should configure private-to-private NAT between the subnets.

Please configure a static NAT as:

outbound:

ip nat inside source static network 192.168.1.0 10.10.10.0 /24

access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

Permit the ACL in the crypto map:

Note: the interesting traffic for the second site would be destined to 10.10.10.0/24

Please follow the link below, which can help you out with your scenario:

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml

r5a5m5
Level 1

A clear understanding of the NAT processing order in IOS will solve this problem easily.

The link given below will help you with this.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

"A good rating is as good or even better than a thank you, remember to rate the helpful posts "

Thank you both for the replies. I've read all these articles, but I don't see how they solve my problem. I know how to NAT the VPN traffic in case of an IP address overlap, as long as the router is managing only the VPN. Using IP NAT SOURCE STATIC NETWORK works perfectly in that case. The issue is that I also need to provide internet access via the same router, using PAT (overloading the public WAN interface). I cannot find a way to STATIC NETWORK NAT only the traffic destined for the VPN tunnel and then PAT the normal internet traffic (because STATIC NETWORK NAT doesn't provide any way to select the traffic it applies to; it just nails everything, and all other NAT rules are ignored).

This is taken from one of the articles provided. In the comment it says that "this translation is used for BOTH VPN and internet traffic". This is NOT what I need. I need this translation to be applied ONLY to the VPN traffic. If that isn't possible, then the internet traffic must apparently be NATed twice (as implied by the comments), and I must be able to do that all within one router, but how?

ip nat inside source static network 192.168.1.0 10.5.5.0 /24

!--- Static translation defined to translate Private_LAN1
!--- from 192.168.1.0/24 to 10.5.5.0/24.
!--- Note that this translation is used for both
!--- VPN and Internet traffic from Private_LAN1.
!--- A routable global IP address range, or an extra NAT
!--- at the ISP router (in front of Site_A router), is
!--- required if Private_LAN1 also needs internal access.

Hello Robert,

First thing:

How many ISP links do you have at your side (1 or more than 1)?

Do you want to use the single ISP link to do the VPN as well as provide internet access to inside users, or route the traffic separately (Internet on ISP1 and VPN on ISP2)?

Let us know your requirement, where TAC can help you out.

Regards

srikanth

Hi Srikanth,

At this point let's consider there to be one ISP. Internet traffic needs to be PATed ("overload" the public interface address), site-to-site vpn traffic needs network NAT.

Yesterday I tried using a "match-host" NAT pool for the VPN traffic (allowing me to select the NAT traffic with a route-map), which worked for outbound traffic (and its return packets), but traffic originated from the other end did not work (clearly because of the dynamic NAT). I've been messing with a mixture of NVI and "inside/outside" configurations with a loopback interface trying to get the inbound destination address to NAT, but have not had any success. (Actually it DID work for about 10 ping packets (without my changing anything), then it stopped again (also without my changing anything). I cannot figure out why.)

This just doesn't seem like such an odd situation. Can't believe it's this hard to do.

Regards,

Bob

Hello Bob


If you want to allow an IP to be accessible from the outside/other side of the VPN, then you need to have a static NAT.
Example: if you have two servers and the rest are users, create a static NAT for the servers and allocate a NAT pool for the users, as in the example below.


ip nat inside source static 192.168.1.1 10.5.5.1

ip nat inside source static 192.168.1.2 10.5.5.2

Users Pool:

Example1:
ip nat pool pool-VPN-Sitea 192.168.1.10 192.168.1.254 prefix-length 24

ip nat pool pool-VPN-Siteb 10.5.5.10 10.5.5.254 prefix-length 24

ip nat inside source pool pool-VPN-sitea pool Pool-VPN-siteB

or

Example2:
Above you can add a route-map for NATing based on destination, but be careful in giving a wildcard mask for an ACL.

access-list 101 permit ip 192.168.1.0 0.0.0.31 10.5.5.0 0.0.0.31

route-map SiteA-SiteB-VPN permit 10
 match ip address 101

ip nat inside source route-map SiteA-SiteB-VPN pool pool-VPN-Siteb

ip nat pool pool-VPN-Siteb 10.5.5.1 10.5.5.31 prefix-length 24

Please follow the link below for the NAT pool description:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml

Hope this helps you,

Kindly, please rate the helpful posts.

Regards,

srikanth

Hello,

Thanks for the reply. I see where you're going here, but unfortunately, statically NATing individual systems will be highly impractical in the case I'm facing (I'd have to make static NAT entries for every machine on the network). I really need to statically NAT the entire network's traffic passing through the VPN.

Using a "match-host" pool works perfectly for outbound VPN traffic.

I've been experimenting with a "NAT on a stick" type of setup to translate the destination address of inbound VPN traffic, but it's not working as I expected -- the incoming traffic is sent to the Loopback interface but it is not NATed when it exits.

! Configured as "outside" to work with "ip nat outside source..." so that traffic being sent out the Loopback interface will have its destination address translated. This is what is not working. (Actually it seemed to work for a few packets for an unknown reason, then it stopped again -- no config changes were made other than turning debug on/off.)
interface loopback0
 ip address 10.10.30.1 255.255.255.0
 ip nat outside

! Public/outside interface. Internet (PAT) traffic uses NVI.
interface FastEthernet4
 ip address 10.3.1.2 255.255.255.0
 ip nat enable
 ip inspect Firewall out
 crypto map VpnMap

! Private/internal interface (again using NVI)
interface vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat enable

! Pool used by outbound VPN traffic. Translates outbound source address from 10.10.10.x to 10.10.20.x
ip nat pool VpnPool 10.10.20.1 10.10.20.254 prefix-length 24 type match-host

! NAT configuration for internet traffic using PAT
ip nat source route-map PrimaryNat interface FastEthernet4 overload

! Select outbound VPN traffic for "match-host" pool translation
ip nat source route-map VpnNat pool VpnPool

! Static network NAT for traffic coming inbound on the tunnel. Its destination of 10.10.20.x must be
! translated to 10.10.10.x. This translation will happen as the decrypted traffic exits the loopback interface (again
! this is not working).
ip nat outside source static network 10.10.10.0 10.10.20.0 /24

! Select traffic going to the internet (exclude VPN traffic)
ip access-list extended aclNatOverload
 deny ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any

! Select traffic going out through the tunnel that needs to be translated using the "match-host" pool
ip access-list extended aclNatVpn
 permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255

! Select NATed traffic for the crypto map
ip access-list extended aclVPN
 permit ip 10.10.20.0 0.0.0.255 192.168.10.0 0.0.0.255

! Select decrypted traffic coming in on the tunnel to be sent to the Loopback interface. The idea is that when traffic
! exits L0 its destination will translate from 10.10.20.x to 10.10.10.x.
ip access-list extended aclVpnReturn
 permit ip 192.168.10.0 0.0.0.255 10.10.20.0 0.0.0.255

route-map VpnReturnToiNat permit 10
 match ip address aclVpnReturn
 set interface Loopback0

route-map VpnNat permit 10
 match ip address aclNatVpn

route-map PrimaryNat permit 10
 match ip address aclNatOverload

route-map VpnNatReturn permit 10
 match ip address aclVpnReturn

Thanks,

Bob

Hello Bob

Using match-host in nat: By default, the dynamic entries are held in the NAT table for 86,400 seconds (24 hours).

If you use 0 seconds or the keyword never with the ip nat translation timeout command, the mapping is never removed from the NAT table. When a translation is first made, an IP is mapped to an address selected with a matching host portion. While a pool address is mapped to an address in the NAT table, it cannot be mapped to any other address. So kindly change the default translation timeout to zero.

# ip nat translation timeout never

OR

# ip nat translation timeout 0

Please find below a doc which explains NAT translations:

http://www.ciscopress.com/articles/article.asp?p=25273&seqNum=4

Note: the above is not a preferable option compared to static NAT translations, but this would solve your concerns.

2.

! NAT configuration for internet traffic using PAT

ip nat source route-map PrimaryNat interface FastEthernet4 overload

! Select outbound VPN traffic for "match-host" pool translation

ip nat source route-map VpnNat pool VpnPool

NVI interfaces don't support route-maps and SNAT; definitely there is a NAT issue.

Follow the documentation for the NVI setup and make changes accordingly, as I think you should go without NVI, since NATing the traffic based on the destination can be achieved by route-maps.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnatvi.html

Note: As I noticed in your config, In Route-map’s you cannot give a same sequence number for map set up.

3. 

! Inbound traffic on the tunnel: please change to

no ip nat outside source static network 10.10.10.0 10.10.20.0 /24

ip nat outside source static network 10.10.10.0 10.10.30.0 /24

If you still have issues here, please remove the ip nat outside statement under the loopback, as I think you don't require it here.

The above should do for you. Let us know if you have any issues.

Please rate the helpful posts,

Regards

Srikanth

OK, I made all the changes you suggested (I think)...

ip nat translation timeout never

I removed all NVI configuration and replaced with inside/outside (of course that doesn't address the question that IOS allowed me to use a route-map with NVI, and it in fact worked)

! NAT configuration for internet traffic using PAT

ip nat inside source route-map PrimaryNat interface FastEthernet4 overload

! Select outbound VPN traffic for "match-host" pool translation

ip nat inside source route-map VpnNat pool VpnPool

interface vlan1

no ip nat enable

ip nat inside

interface f4

no ip nat enable

ip nat outside

So far none of this has made any difference at all. The destination address of inbound VPN traffic is still not being nated from 10.10.20.x to 10.10.10.x.

I also tried making the change you mentioned in (3) (no effect either), but this makes no sense to me. 10.10.30.x is just an address I made up for the loopback interface. Nothing is ever addressed to it, and that network is never used by anything.

So, if, on Loopback0, I have:

ip nat outside

... and I have

ip nat outside source static network 10.10.10.0 10.10.20.0 /24

and a packet destined for 10.10.20.x gets routed out loopback0, why does it not translate the 10.10.20.x to 10.10.10.x?

And now that I have also added an "ip nat outside" to f4 (the real outside interface), won't that confuse things when it tries to apply the static network nat? Although it never seems to try to apply it, no matter what I do...

Thanks,

Bob

Hello Bob,

Can site B translate the inside source address to any other subnet? Then we don't require enabling NAT on the outside.

example:

site a: 10.10.10.1 255.255.255.0 translates to 10.10.20.0 255.255.255.0

site b: 10.10.10.0 255.255.255.0 translates to 10.10.30.0 255.255.255.0

and the same natted subnet would be in the crypto-acl.

No, that won't work in this case. Consider this example:

Site A's subnet is 192.168.10.0/24. It is a corporate datacenter with site-to-site vpns to over 50 remote offices.

Site B's subnet is 10.10.10.0/24 and needs to communicate to site A.

Site A already has a VPN to another remote office that is numbered 10.10.10.0/24. (Or, in more general terms, Site A simply already has another route to a different 10.10.10.0/24 subnet.) Hence Site A must see all traffic coming from (and going to) Site B as if Site B's LAN is 10.10.20.0/24.

Site B also needs internet access (PAT), using the same IOS router that's acting as its VPN endpoint, hence the need for two-way static network natting on only selected traffic (to/from the VPN) and PAT on all other traffic.

If the below is your scenario:

1.

Site A's subnet is 192.168.10.0/24.

Site B's subnet is 10.10.10.0/24

Site A already has a VPN to another remote office that is numbered 10.10.10.0/24

You just need to hide your inside subnet by NATing it to another subnet.

Note:

a. The NATed subnet at site B shouldn't overlap with any inside/outside traffic or interesting traffic of site A's peers.

b. You don't require NATing the inbound VPN traffic at site B, as the interesting-traffic subnets of the VPN between site A and site B aren't the same/overlapped.

2.

Outbound VPN-traffic:


ip nat pool natted-pool-siteA 172.16.191.1 172.16.191.254 prefix-length 24 type match-host

ip nat inside source route-map nat-ip-VPN pool natted-pool-siteA

! Select outbound VPN traffic for "match-host" pool translation

access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
This Access Control List (ACL) permits traffic from all hosts in the site B network destined for the partner network at site A.

route-map nat-ip-VPN permit 10
 match ip address 101


3.

Site B also needs internet access (PAT):

PAT

! NAT configuration for internet traffic using PAT

ip nat inside source route-map nat-internet interface fastethernet4 overload

route-map nat-internet permit 20
 match ip address 190

access-list 190 permit ip 10.10.10.0 0.0.0.255 any
This ACL permits traffic from all hosts in site B going to any destination on the Internet.

Note: we used two ACLs: 190 for the internet rather than the 101 ACL for the destination-network VPN NAT.
If you have any queries please follow the link:
https://supportforums.cisco.com/docs/DOC-5061


4. Crypto-ACL:

The crypto ACL for the S2S VPN between Site A and Site B will be:

SiteB

access-list 279 permit ip 172.16.191.0 0.0.0.255 192.168.10.0 0.0.0.255

SiteA

access-list 340 permit ip 192.168.10.0 0.0.0.255 172.16.191.0 0.0.0.255

and the rest you know, how to proceed on

Hope this helps you and meets your requirements:

Please rate the helpful posts

Regards,

srikanth
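Added example, not from this thread or from Cisco: a small Python model of how the route-map ACLs posted above (Bob's aclNatOverload/aclNatVpn and srikanth's pool-based selection) decide between the match-host pool and PAT, and of what a "type match-host" pool does to the inside address. The destination 203.0.113.10 and the ACL variant with the wildcard 0.0.0.225 are constructed to show how a mistyped wildcard silently leaves most hosts without any translation.

```python
import ipaddress

# Constructed model of the extended ACLs behind this thread's NAT route-maps
# (wildcard masks, first match wins, implicit deny) and of a match-host pool.
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(acl, src: str, dst: str) -> bool:
    """Evaluate ordered (action, src, src_wc, dst, dst_wc) entries; a flow that
    matches no entry hits the implicit deny at the end of every IOS ACL."""
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword
# aclNatOverload as posted: VPN traffic denied (kept out of PAT), the rest PATed.
ACL_NAT_OVERLOAD = [
    ("deny",   "10.10.10.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
    ("permit", "10.10.10.0", "0.0.0.255", *ANY),
]
# Same ACL with a mistyped wildcard (0.0.0.225) on the permit line.
ACL_NAT_OVERLOAD_TYPO = [
    ("deny",   "10.10.10.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
    ("permit", "10.10.10.0", "0.0.0.225", *ANY),
]
# aclNatVpn: only traffic bound for site A's LAN goes to the match-host pool.
ACL_NAT_VPN = [("permit", "10.10.10.0", "0.0.0.255", "192.168.10.0", "0.0.0.255")]

def match_host_translate(inside: str, pool_cidr: str) -> str:
    """type match-host: the host portion of the inside address is preserved
    in the pool address (10.10.10.77 -> 172.16.191.77 for a /24 pool)."""
    pool = ipaddress.ip_network(pool_cidr)
    host = int(ipaddress.IPv4Address(inside)) & int(pool.hostmask)
    return str(pool.network_address + host)

def select_nat(src: str, dst: str, overload_acl=ACL_NAT_OVERLOAD) -> str:
    """Which NAT statement handles an inside->outside flow. The deny entry in
    aclNatOverload makes the two ACLs mutually exclusive, so the order of the
    two 'ip nat inside source route-map' statements does not matter here."""
    if acl_permits(ACL_NAT_VPN, src, dst):
        return "pool VpnPool -> " + match_host_translate(src, "10.10.20.0/24")
    if acl_permits(overload_acl, src, dst):
        return "PAT FastEthernet4"
    return "no translation"

def hosts_without_internet_nat(overload_acl) -> int:
    """Count 10.10.10.1-254 hosts the PAT route-map would silently skip
    (203.0.113.10 is a constructed internet destination)."""
    return sum(1 for h in range(1, 255)
               if not acl_permits(overload_acl, f"10.10.10.{h}", "203.0.113.10"))
```

With the mistyped wildcard, 239 of the 254 hosts in 10.10.10.0/24 match neither ACL and get no translation at all, which is the kind of silent failure worth checking with show ip nat translations before suspecting the VPN side.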

This is essentially what I have in place now. And it works for everything except traffic that originates on the 192.168.10.x network that needs to be sent to the remote site (10.10.10.x or whatever it's natted to). Your configuration allows only traffic originating on the 10.10.10.x network to be sent to 192.168.10.x. It does not allow traffic to originate on the 192.168.10.x and go to the remote site. That is the part that there seems to be absolutely no solution for. I need 192.168.10.x to be able to originate traffic to ANY machine on the 10.10.10.x network, but it must use a different subnet address than 10.10.10.x (in other words I need to nat the DESTINATION).

I guess you have already applied "ip nat translations timeout never"

Match-host in nat:

When a translation is first made, an IP is mapped to an address selected with a matching host portion. While a pool address is mapped to an address in the NAT table, it cannot be mapped to any other address, and the return path should work the same way with the IP mapping, as the entry is already there in the NAT table.

If there is a NAT entry in the NAT table as below at site B:

10.10.10.1 mapped to 172.16.191.1 ---> VPN outbound to site A

Let's say, when the traffic originates from site A with destination 172.16.191.1, it should re-translate to 10.10.10.1, which should work like a static NAT.

Kindly try this and update me with the output of

sh ip nat translation ---> for VPN outbound traffic

Note: The above is not a recommended or reliable setup compared to static entries for each host; the above is just a trial method.
