NATing vpn traffic differently from internet traffic

rfera (Level 1)

Hello,

I have a remote site to which I must create a site-to-site IPsec VPN. The remote site has a Cisco 800-series router and has a private subnet that overlaps a local subnet (thus the VPN traffic must be "static network" NATed). The 800 also acts as the remote site's firewall, so it is performing PAT on their internet traffic. I know how to exempt VPN traffic from the internet PAT by using a route map. However, I also must perform a static network NAT on all traffic going through the tunnel. However, "ip nat source static network ....." does not support any route-maps or access-lists. It appears to be just a gigantic sledgehammer that overrides all other IP NAT commands. I know this type of NATing can be done on an ASA, but I need it on IOS.

ip access-list extended aclNAT
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255    ! the traffic going through the VPN, denied for PAT
 permit ip 192.168.10.0 0.0.0.255 any                       ! all other traffic, destined for the internet
ip access-list extended aclVPNNAT
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255    ! the traffic going through the VPN
!
route-map NATMap permit 10
 match ip address aclNAT
route-map VPNNATMap permit 10
 match ip address aclVPNNAT
!
ip nat inside source route-map VPNNATMap static network 192.168.10.0 192.168.200.0 /24    ! What I'd like to do but can't...
ip nat inside source route-map NATMap interface FastEthernet4 overload

Is there some other approach I can use to accomplish this? (There must be something -- it just doesn't seem like a very obscure problem.) I have been reading about VTI's and VRF's, wondering if some of those technologies might help, and my head is spinning. Any hints that would point me towards a solution would be appreciated.

Thanks,

Bob

20 Replies

I have "ip nat translation timeout never" set. The dynamic translations are lasting maybe 30 seconds before they disappear from "show ip nat trans". While the translation is still there, I tried a ping from the site B (192.168.10.x) host back to the host that created the dynamic translation. The ping was not NATed, and thus failed. In other words, no change.

And from your last comment, it sounds to me like what I need to do (and which seems like a totally normal thing) is in fact impossible.

In simple terms, yes.

Dynamic NAT itself means that you are mapping an IP from a pool of IPs.

Static or one-to-one NAT is the only way to have the bi-directional communication you require here.

Please rate the helpful posts mate...

Regards,

srikanth

Any thoughts on why my "NAT on a stick" idea (sending the inbound VPN traffic out a Loopback interface configured as an outside interface with "ip nat outside source static network...") wouldn't work? It seems like a perfect, if a bit awkward, solution. I still don't understand why the router won't apply the "reverse" of my "ip nat outside...." command and NAT the destination of traffic coming out the loopback interface....

All right, below is the NAT on a stick config.

Note: even here we are using dynamic NAT for the inbound and outbound VPN traffic from Site B to Site A, which doesn't meet our requirement anyhow; please look at the config below, which answers your query.

1. NAT on a stick:

int loopback 0
 ip address 10.10.11.1 255.255.255.0
 ip nat outside
!
int eth0
 ip address x.x.x.x x.x.x.x
 ip nat outside
 no ip redirects
 ip policy route-map nat-ip-VPN
!
int eth1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
route-map nat-ip-VPN permit 10
 match ip address 101
 set interface loopback0
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255

Note: packets are processed in the order route-map (policy routing), then routing, then NAT.

Any packet that matches ACL 101 is policy-routed to interface Loopback0, where the NAT is defined.

2.

ip nat pool natted-pool-siteA 172.16.191.1 172.16.191.254 prefix-length 24 type match-host
access-list 101 permit ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255
ip nat outside source route-map nat-ip-VPN pool natted-pool-siteA

!--- Creates a translation so packets received on the outside interface
!--- with a source address of 192.168.10.0 will have their source address
!--- translated to 172.16.191.0. Note: This implies that packets received on
!--- the inside interface with a destination address of 192.168.10.0 will
!--- have the destination translated to 172.16.191.0/24.

Please follow this link with a good example from Cisco: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

3. PAT

! NAT configuration for internet traffic using PAT
ip nat inside source route-map nat-internet interface fastethernet4 overload
!
route-map nat-internet permit 110     ! route-map sequence number higher than the one used in nat-ip-VPN
 match ip address 190
!
access-list 190 permit ip 10.10.10.0 0.0.0.255 any

This ACL permits traffic from all hosts in Site B going to any destination on the Internet.


Hope I have answered all your queries.

Please rate the helpful posts,

Regards,

srikanth

Yes, but it still does not answer my last question:

Why does policy routing the inbound VPN traffic out a Loopback interface configured as an outside interface with "ip nat outside source static network..." not NAT the destination address of the packets? What is preventing this from working? It's an "outside static" translation, the loopback interface is an "outside" interface, the traffic is going "out" that interface, so its destination address should be NATed according to every piece of documentation I can find.

OK, I opened a TAC case on this subject and I wanted to share our findings. Yes, it is possible, though not entirely convenient.

Assumptions:

Remote/satellite office has a subnet of 10.10.10.0/24. Main Office has a subnet of 192.168.10.0/24. Because of an IP overlap, we must NAT the Satellite office's network to 10.10.20.0/24.

Here is the solution provided (in the words of my helpful support engineer):

------------------------------

--We first defined a pool of IPs to which the local LAN subnet will be translated in case it needs to communicate with the Office site (192.168.10.0/24) over the VPN tunnel.

ip nat pool VPN_NAT 10.10.20.1 10.10.20.254 netmask 255.255.255.0 type match-host

--We then created an ACL for the flow of traffic which is initiated from the LAN subnet and is destined for the Office site subnet, so that no traffic destined for the internet is NAT'ed to the local pool.

ip access-list extended NAT_VPN
 permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255

--We then integrated the pool and the ACL and configured the NAT statement below, which NATs the IPs matched in the route-map nonat (in which the ACL NAT_VPN is matched) to the local pool VPN_NAT. The reversible keyword will place a static entry after the first packet has been initiated from the inside to the outside, so that even after the dynamic NAT translation entry has timed out, traffic initiated from the outside to the inside is still allowed.

ip nat inside source route-map nonat pool VPN_NAT reversible

--Since you have a few devices (i.e. printers) which cannot initiate traffic from the inside to the outside and thereby create a static translation for themselves in the translation table, we configure the static NAT statement below so that it creates a static NAT entry in the translation table for traffic initiated from the outside to the inside. In addition to that, we have configured a route-map so that it will only permit traffic with a flow sourced from the LAN subnet going to the destination address (192.168.10.0/24) at the Office site over the VPN.

ip nat inside source static 10.10.10.3 10.10.20.3 route-map nonat reversible

--------------------------------------------------------

The last step is the inconvenient one, in that we have to identify all machines on the Satellite network who will communicate with the Main Office but will not initiate that communication (e.g. printers and servers) and create static NAT entries for each of them. This statement does allow us to use the same route-map used by the other VPN traffic so internet traffic to/from these systems works properly.

So, the complete (relevant) config is as follows:

interface FastEthernet4
 description PUBLIC WAN INTERFACE
 ip address 10.3.1.2 255.255.255.0
 ip nat outside
 ip inspect Firewall out
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map VpnMap
!
interface Vlan1
 description PRIVATE LAN INTERFACE
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1452
!
ip nat translation timeout never
ip nat pool VPN_NAT 10.10.20.1 10.10.20.254 netmask 255.255.255.0 type match-host
ip nat inside source route-map PrimaryNat interface FastEthernet4 overload
ip nat inside source route-map nonat pool VPN_NAT reversible
ip nat inside source static 10.10.10.3 10.10.20.3 route-map nonat
!
ip access-list extended NAT_VPN
 permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended aclNatOverload
 deny   ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
!
route-map PrimaryNat permit 10
 match ip address aclNatOverload
route-map nonat permit 10
 match ip address NAT_VPN

Again, not completely optimal, but better than nothing, and it seems to work in my little, informal lab environment. Hope it helps anyone out there who has run into this situation...

Bob
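As an added illustration (not from the thread, the TAC engineer, or Cisco), the Python below models how the final configuration above classifies packets: it evaluates the two extended ACLs with Cisco wildcard-mask semantics, then applies the static entry, the match-host pool with reversible, or the interface overload in that order. The addresses are the ones in the thread; the statement ordering (static before dynamic) and the simplified handling of the translation table are the model's own assumptions, not a claim about IOS internals. The same wildcard matcher also shows why a 0.0.255.255 mask on 192.168.20.0, as in the original post's ACL, would have matched far more than one /24.

```python
import ipaddress

# Constructed copies of the two extended ACLs from the final config in the thread.
ACLS = {
    "NAT_VPN": "permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "aclNatOverload": ("deny   ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255\n"
                       "permit ip 10.10.10.0 0.0.0.255 any"),
}
FA4_ADDRESS = "10.3.1.2"               # FastEthernet4, the 'ip nat outside' interface
INSIDE_SUBNET = "10.10.10.0/24"        # Vlan1, the 'ip nat inside' subnet
VPN_POOL = "10.10.20.0/24"             # ip nat pool VPN_NAT ... type match-host
STATIC = {"10.10.10.3": "10.10.20.3"}  # ip nat inside source static ... route-map nonat


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'base wildcard'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines; '!' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()
        if not line:
            continue
        action, proto, *rest = line.split()
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("only 'permit|deny ip' entries are modelled: " + line)
        src, rest = _take_addr(rest)
        dst, _ = _take_addr(rest)
        entries.append((action, src, dst))
    return entries


def acl_permits(name, src, dst):
    """First-match evaluation, with the implicit deny at the end of every ACL."""
    for action, (sb, sw), (db, dw) in parse_acl(ACLS[name]):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def match_host(addr, network):
    """'type match-host': keep the host bits of addr, take the network bits of network."""
    net = ipaddress.IPv4Network(network)
    return str(ipaddress.IPv4Address(int(net.network_address) | (_to_int(addr) & int(net.hostmask))))


def inside_to_outside(src, dst):
    """(translated source, rule) for a packet leaving Vlan1 towards FastEthernet4.
    Model assumption: the static entry is consulted before the dynamic statements."""
    if src in STATIC and acl_permits("NAT_VPN", src, dst):
        return STATIC[src], "static"
    if acl_permits("NAT_VPN", src, dst):          # route-map nonat -> pool VPN_NAT
        return match_host(src, VPN_POOL), "pool VPN_NAT"
    if acl_permits("aclNatOverload", src, dst):   # route-map PrimaryNat -> overload
        return FA4_ADDRESS, "PAT on FastEthernet4"
    return src, None


def outside_to_inside(src, dst, existing=None):
    """(translated destination, rule) for a packet arriving on FastEthernet4.
    'existing' maps inside-global addresses already created by inside-initiated
    flows; without one, only the static entry and the 'reversible' pool apply."""
    existing = existing or {}
    for local, glob in STATIC.items():
        if dst == glob and acl_permits("NAT_VPN", local, src):
            return local, "static"
    if ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(VPN_POOL):
        local = match_host(dst, INSIDE_SUBNET)    # undo match-host
        if acl_permits("NAT_VPN", local, src):
            return local, "pool VPN_NAT (reversible)"
    if dst in existing:
        return existing[dst], "existing dynamic entry"
    return dst, None  # untranslated: an outside-initiated packet cannot reach inside


if __name__ == "__main__":
    for pkt in [("10.10.10.5", "192.168.10.7"), ("10.10.10.3", "8.8.8.8")]:
        print("inside->outside", pkt, "=>", inside_to_outside(*pkt))
    for pkt in [("192.168.10.7", "10.10.20.3"), ("192.168.10.7", "10.10.20.9"), ("8.8.8.8", "10.3.1.2")]:
        print("outside->inside", pkt, "=>", outside_to_inside(*pkt))
```

Running it shows the two properties the thread is about: a printer at 10.10.10.3 still gets PAT for internet traffic because the deny in aclNatOverload only removes the VPN flow, and an outside-initiated packet to 10.10.20.x only reaches an inside host through the static entry or the reversible pool, never through the overload statement.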