09-19-2012 11:57 AM
Hello,
I have a remote site to which I must create a site-to-site IPsec VPN. The remote site has a Cisco 800-series router and has a private subnet that overlaps a local subnet (thus the VPN traffic must be "static network" NATed). The 800 also acts as the remote site's firewall, so it is performing PAT on their internet traffic. I know how to exempt VPN traffic from the internet PAT by using a route map. However, I also must perform a static network nat on all traffic going through the tunnel. However, "ip nat source static network ....." does not support any route-maps or access-lists. It appears to be just a gigantic sledgehammer that overrides all other IP NAT commands. I know this type of NATing can be done on an ASA, but I need it on IOS.
ip access-list extended aclNAT
 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 ! the traffic going through the VPN, exempted from PAT
 permit ip 192.168.10.0 0.0.0.255 any ! all other traffic, destined for the internet
ip access-list extended aclVPNNAT
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 ! the traffic going through the VPN
route-map NATMap permit 10
 match ip address aclNAT
route-map VPNNATMap permit 10
 match ip address aclVPNNAT
!
ip nat source route-map VPNNATMap static network 192.168.10.0 192.168.200.0 /24 ! What I'd like to do but can't...
ip nat source route-map NATMap interface FastEthernet4 overload
Is there some other approach I can use to accomplish this? (There must be something -- it just doesn't seem like a very obscure problem.) I have been reading about VTI's and VRF's, wondering if some of those technologies might help, and my head is spinning. Any hints that would point me towards a solution would be appreciated.
Thanks,
Bob
09-20-2012 03:04 AM
Hello Bob,
When you have an overlap of private subnets between two sites, you should configure NAT from private to private subnets.
Please configure a static NAT as follows:
outbound:
ip nat inside source static network 192.168.1.0 10.10.10.0 /24
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
Apply the ACL to the crypto map.
Note: the interesting traffic for the second site would be destined to 10.10.10.0/24.
Please follow the link below, which can help you with your scenario:
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml
09-20-2012 07:59 AM
A clear understanding of the NAT processing order in IOS will solve this problem easily.
The link below will help you with this:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
"A good rating is as good or even better than a thank you, remember to rate the helpful posts "
09-20-2012 09:06 AM
Thank you both for the replies. I've read all these articles, but I don't see how they solve my problem. I know how to NAT the VPN traffic in case of an IP address overlap, as long as the router is managing only the VPN. Using IP NAT SOURCE STATIC NETWORK works perfectly in that case. The issue is that I also need to provide internet access via the same router, using PAT (overloading the public WAN interface). I cannot find a way to STATIC NETWORK NAT only the traffic destined for the VPN tunnel and then PAT the normal internet traffic (because STATIC NETWORK NAT doesn't provide any way to select the traffic it applies to; it just nails everything, and all other NAT rules are ignored).
This is taken from one of the articles provided. In the comment it says that "this translation is used for BOTH VPN and internet traffic". This is NOT what I need. I need this translation to be applied ONLY to the VPN traffic. If that isn't possible, then the internet traffic must apparently be NATed twice (as implied by the comments), and I must be able to do that all within one router, but how?
ip nat inside source static network 192.168.1.0 10.5.5.0 /24
!--- Static translation defined to translate Private_LAN1
!--- from 192.168.1.0/24 to 10.5.5.0/24.
!--- Note that this translation is used for both
!--- VPN and Internet traffic from Private_LAN1.
!--- A routable global IP address range, or an extra NAT
!--- at the ISP router (in front of Site_A router), is
!--- required if Private_LAN1 also needs Internet access.
09-20-2012 10:45 PM
Hello Robert,
First thing:
How many ISP points do you have at your side (1 or more than 1)?
Do you want to use the single ISP point to do the VPN as well as provide internet access to inside users, or route the traffic separately (Internet on ISP1 and VPN on ISP2)?
Let us know your requirement, where TAC can help you out.
Regards
srikanth
09-21-2012 09:37 AM
Hi Srikanth,
At this point let's consider there to be one ISP. Internet traffic needs to be PATed ("overload" the public interface address), site-to-site vpn traffic needs network NAT.
Yesterday I tried using a "match-host" NAT Pool for the vpn traffic (allowing me to select the NAT traffic with a route-map), which worked for outbound traffic (and its return packets), but traffic originated from the other end did not work (clearly because of the dynamic NAT). I've been messing with a mixture of NVI and "inside/outside" configurations with a loopback interface trying to get the inbound destination address to NAT, but have not had any success.(Actually it DID work for about 10 ping packets (without my changing anything), then it stopped again (also without my changing anything). I cannot figure out why.)
This just doesn't seem like such an odd situation. Can't believe it's this hard to do.
Regards,
Bob
09-24-2012 12:31 AM
Hello Bob
If you want an IP to be accessible from the outside/other side of the VPN, then you need to have a static NAT.
Example: if you have two servers and the rest are users, create a static NAT for the servers and allocate a NAT pool for the users, as in the example below.
ip nat inside source static 192.168.1.1 10.5.5.1
ip nat inside source static 192.168.1.2 10.5.5.2
Users Pool:
Example1:
ip nat pool pool-VPN-Sitea 192.168.1.10 192.168.1.254 prefix-length 24
ip nat pool pool-VPN-Siteb 10.5.5.10 10.5.5.254 prefix-length 24
! Correction: IOS selects the inside hosts for a dynamic pool with an access list (or route-map), not with a second pool
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 102 pool pool-VPN-Siteb
or
Example2:
Above, you can add a route-map for NATting based on destination, but be careful when giving a wildcard mask in the ACL.
access-list 101 permit ip 192.168.1.0 0.0.0.31 10.5.5.0 0.0.0.31
route-map SiteA-SiteB-VPN permit 10
 match ip address 101
ip nat pool pool-VPN-Siteb 10.5.5.1 10.5.5.31 prefix-length 24
ip nat inside source route-map SiteA-SiteB-VPN pool pool-VPN-Siteb
Please follow the link below for a description of NAT pools:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
Hope this helps you.
Kindly rate the helpful posts.
Regards,
srikanth
09-24-2012 11:24 AM
Hello,
Thanks for the reply. I see where you're going here, but unfortunately, statically NATing individual systems will be highly impractical in the case I'm facing (I'd have to make static NAT entries for every machine on the network). I really need to statically NAT the entire network's traffic passing through the VPN.
Using a "match-host" pool works perfectly for outbound VPN traffic.
I've been experimenting with a "NAT on a stick" type of setup to translate the destination address of inbound VPN traffic, but it's not working as I expected -- the incoming traffic is sent to the Loopback interface but it is not NATed when it exits.
! Configured as "outside" to work with "ip nat outside source..." so that traffic being sent out the Loopback interface will have its destination address translated. This is what is not working. (Actually it seemed to work for a few packets for an unknown reason, then it stopped again -- no config changes were made other than turning debug on/off.)
interface loopback0
ip address 10.10.30.1 255.255.255.0
ip nat outside
! Public/outside interface. Internet (PAT) traffic uses NVI.
interface FastEthernet4
ip address 10.3.1.2 255.255.255.0
ip nat enable
ip inspect Firewall out
crypto map VpnMap
! Private/internal interface (again using NVI)
interface vlan1
ip address 10.10.10.1 255.255.255.0
ip nat enable
! Pool used by outbound VPN traffic. Translates outbound source address from 10.10.10.x to 10.10.20.x
ip nat pool VpnPool 10.10.20.1 10.10.20.254 prefix-length 24 type match-host
! NAT configuration for internet traffic using PAT
ip nat source route-map PrimaryNat interface FastEthernet4 overload
! Select outbound VPN traffic for "match-host" pool translation
ip nat source route-map VpnNat pool VpnPool
! Static network NAT for traffic coming inbound on the tunnel. It's destination of 10.10.20.x must be
! translated to 10.10.10.x. This translation will happen as the decrypted traffic exits the loopback interface (again
! this is not working).
ip nat outside source static network 10.10.10.0 10.10.20.0 /24
! Select traffic going to the internet (exclude VPN traffic)
ip access-list extended aclNatOverload
deny ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
! Select traffic going out through the tunnel that needs to be translated using the "match-host" pool
ip access-list extended aclNatVpn
permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
! Select NATed traffic for the crypto map
ip access-list extended aclVPN
permit ip 10.10.20.0 0.0.0.255 192.168.10.0 0.0.0.255
! Select decrypted traffic coming in on the tunnel to be sent to the Loopback interface. The idea is that when traffic
! exits L0 its destination will translate from 10.10.20.x to 10.10.10.x.
ip access-list extended aclVpnReturn
permit ip 192.168.10.0 0.0.0.255 10.10.20.0 0.0.0.255
route-map VpnReturnToNat permit 10
match ip address aclVpnReturn
set interface Loopback0
route-map VpnNat permit 10
match ip address aclNatVpn
route-map PrimaryNat permit 10
match ip address aclNatOverload
route-map VpnNatReturn permit 10
match ip address aclVpnReturn
Thanks,
Bob
09-24-2012 11:34 PM
Hello Bob
Using match-host in NAT: by default, the dynamic entries are held in the NAT table for 86,400 seconds (24 hours).
If you use 0 seconds or the keyword never with the ip nat translation timeout command, the mapping is never removed from the NAT table. When a translation is first made, an IP is mapped to an address selected with a matching host portion. While a pool address is mapped to an address in the NAT table, it cannot be mapped to any other address. So kindly change the default translation timeout to zero.
# ip nat translation timeout never
OR
# ip nat translation timeout 0
Please find below a doc which explains NAT translations:
http://www.ciscopress.com/articles/article.asp?p=25273&seqNum=4
Note: the above is not a preferable option compared to static NAT translations, but this would solve your concerns.
2.
! NAT configuration for internet traffic using PAT
ip nat source route-map PrimaryNat interface FastEthernet4 overload
! Select outbound VPN traffic for "match-host" pool translation
ip nat source route-map VpnNat pool VpnPool
NVI interfaces don't support route-maps and SNAT; there is definitely a NAT issue.
Follow the documentation for the NVI setup and make changes accordingly. I think you should go without NVI, as NATting the traffic based on the destination can be achieved with route-maps.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnatvi.html
Note: as I noticed in your config, in route-maps you cannot give the same sequence number for a map setup.
3.
! Inbound traffic on the tunnel: please change to
no ip nat outside source static network 10.10.10.0 10.10.20.0 /24
ip nat outside source static network 10.10.10.0 10.10.30.0 /24
If you still have issues here, please remove the ip nat outside statement under the loopback, as I think you don't require it here.
The above should do for you. Let us know if you have any issues.
Please rate the helpful posts,
Regards
Srikanth
09-25-2012 10:02 AM
OK, I made all the changes you suggested (I think)...
ip nat translation timeout never
I removed all NVI configuration and replaced with inside/outside (of course that doesn't address the question that IOS allowed me to use a route-map with NVI, and it in fact worked)
! NAT configuration for internet traffic using PAT
ip nat inside source route-map PrimaryNat interface FastEthernet4 overload
! Select outbound VPN traffic for "match-host" pool translation
ip nat inside source route-map VpnNat pool VpnPool
interface vlan1
no ip nat enable
ip nat inside
interface f4
no ip nat enable
ip nat outside
So far none of this has made any difference at all. The destination address of inbound VPN traffic is still not being nated from 10.10.20.x to 10.10.10.x.
I also tried making the change you mentioned in (3) (no effect either), but this makes no sense to me. 10.10.30.x is just an address I made up for the loopback interface. Nothing is ever addressed to it, and that network is never used by anything.
So, if, on Loopback0, I have:
ip nat outside
... and I have
ip nat outside source static network 10.10.10.0 10.10.20.0 /24
and a packet destined for 10.10.20.x gets routed out loopback0, why does it not translate the 10.10.20.x to 10.10.10.x?
And now that I have also added an "ip nat outside" to f4 (the real outside interface), won't that confuse things when it tries to apply the static network nat? Although it never seems to try to apply it, no matter what I do...
Thanks,
Bob
09-25-2012 11:04 PM
Hello Bob,
Can site B translate the inside source address to any other subnet, so that we don't need to enable NAT on the outside?
Example:
Site A: 10.10.10.1 255.255.255.0 translates to 10.10.20.0 255.255.255.0
Site B: 10.10.10.0 255.255.255.0 translates to 10.10.30.0 255.255.255.0
and the same natted subnet would be in the crypto-acl.
09-26-2012 11:32 AM
No, that won't work in this case. Consider this example:
Site A's subnet is 192.168.10.0/24. It is a corporate datacenter with site-to-site vpns to over 50 remote offices.
Site B's subnet is 10.10.10.0/24 and needs to communicate to site A.
Site A already has a VPN to another remote office that is numbered 10.10.10.0/24. (Or, in more general terms, Site A simply already has another route to a different 10.10.10.0/24 subnet.) Hence Site A must see all traffic coming from (and going to) Site B as if Site B's LAN is 10.10.20.0/24.
Site B also needs internet access (PAT), using the same IOS router that's acting as its VPN endpoint, hence the need for two-way static network natting on only selected traffic (to/from the VPN) and PAT on all other traffic.
09-26-2012 10:01 PM
If the below is your scenario.
1.
Site A's subnet is 192.168.10.0/24.
Site B's subnet is 10.10.10.0/24
Site A already has a VPN to another remote office that is numbered 10.10.10.0/24
You just need to hide your inside subnet by natting it to another subnet
Note:
a. The NATted subnet at site B shouldn't overlap with any inside/outside/interesting traffic of the peer.
b. You don't need to NAT the inbound VPN traffic at site B.
2.
Outbound VPN-traffic:
ip nat pool natted-pool-siteA 172.16.191.1 172.16.191.254 prefix-length 24 type match-host
ip nat inside source route-map nat-ip-VPN pool natted-pool-siteA
! Select outbound VPN traffic for "match-host" pool translation
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
This Access Control List (ACL) permits traffic from all hosts in siteB network destined for the partner network siteA.
route-map nat-ip-VPN permit 10
 match ip address 101
3.
Site B also needs internet access (PAT):
PAT
! NAT configuration for internet traffic using PAT
ip nat inside source route-map nat-internet interface FastEthernet4 overload
route-map nat-internet permit 20
 match ip address 190
access-list 190 permit ip 10.10.10.0 0.0.0.255 any
This ACL permits traffic from all hosts in site B going to any destination on the Internet.
Note: we used two ACLs: 190 for the Internet and 101 for the VPN destination-network NAT.
If you have any queries, please follow the link:
https://supportforums.cisco.com/docs/DOC-5061
4. Crypto-ACL:
the crypto ACL for the S2S VPN b/w Site A and SiteB will be
SiteB
access-list 279 permit ip 172.16.191.0 0.0.0.255 192.168.10.0 0.0.0.255
SiteA
access-list 340 permit ip 192.168.10.0 0.0.0.255 172.16.191.0 0.0.0.255
And the rest you know how to proceed with.
Hope this helps you and meets your requirements.
Please rate the helpful posts
Regards,
srikanth
09-26-2012 10:15 PM
This is essentially what I have in place now. And it works for everything except traffic that originates on the 192.168.10.x network that needs to be sent to the remote site (10.10.10.x or whatever it's natted to). Your configuration allows only traffic originating on the 10.10.10.x network to be sent to 192.168.10.x. It does not allow traffic to originate on the 192.168.10.x and go to the remote site. That is the part that there seems to be absolutely no solution for. I need 192.168.10.x to be able to originate traffic to ANY machine on the 10.10.10.x network, but it must use a different subnet address than 10.10.10.x (in other words I need to nat the DESTINATION).
09-26-2012 10:38 PM
I guess you have already applied "ip nat translation timeout never".
Match-host in NAT:
When a translation is first made, an IP is mapped to an address selected with a matching host portion. While a pool address is mapped to an address in the NAT table, it cannot be mapped to any other address, and the return path should work the same way with the IP mapping, as the entry is already there in the NAT table.
If there is a NAT entry in the NAT table as below in site B:
10.10.10.1 mapped to 172.16.191.1 ---> VPN outbound to site A
Let's say, when the traffic originates from site A with destination 172.16.191.1, it should re-translate to 10.10.10.1, which should work like a static NAT.
Kindly try this and update me with the output of
show ip nat translations ---> for VPN outbound traffic
Note: the above is not a recommended or reliable setup compared to static entries for each host; it is just a trial method.
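As an added example that is not part of any post in this thread, the following Python script models the three translation behaviours the thread argues about: a static network NAT that has no traffic selector (so it rewrites Internet-bound sources as well, the problem Bob describes), a match-host dynamic pool whose entries exist only after inside-to-outside traffic and then age out (the return-path behaviour Srikanth describes in the last post), and PAT overload on the WAN interface. It also includes an IOS-style wildcard-mask matcher, showing the difference between 0.0.0.255 and 0.0.255.255 that Srikanth warns about. The addresses are the ones used in the thread; the packet model, the timeout handling, the port allocation and the class and function names are assumptions for illustration, not IOS code or the routers' actual behaviour.

```python
"""Model of the IOS NAT behaviours argued over in this thread (constructed example, not IOS code).

Three translation types on the site-B router:
  * static network NAT 10.10.10.0/24 <-> 10.10.20.0/24: stateless, both directions, no selector
  * match-host dynamic pool: an entry exists only after inside->outside traffic, then ages out
  * PAT overload on the WAN interface for Internet-bound traffic
Addresses follow the thread; the packet model, timeout handling and port allocation are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

WAN_IP = IPv4Address("10.3.1.2")             # FastEthernet4 address from the thread
INSIDE = IPv4Network("10.10.10.0/24")        # site B LAN
VPN_GLOBAL = IPv4Network("10.10.20.0/24")    # how site A must see site B
VPN_REMOTE = IPv4Network("192.168.10.0/24")  # site A LAN
DEFAULT_TIMEOUT = 86400                      # ip nat translation timeout default (seconds)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS ACL semantics: wildcard bits set to 1 are 'don't care' bits."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Packet:
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


class SiteBNat:
    def __init__(self, vpn_mode: str, timeout: int = DEFAULT_TIMEOUT):
        assert vpn_mode in ("static-network", "match-host")
        self.vpn_mode = vpn_mode
        self.timeout = timeout          # 0 means "never", like ip nat translation timeout 0
        self.table = {}                 # dynamic entries: inside local -> (inside global, created)
        self.pat = {}                   # (inside local, local port) -> global port
        self.next_port = 1024

    def _expire(self, now):
        for local, (_, created) in list(self.table.items()):
            if self.timeout and now - created > self.timeout:
                del self.table[local]

    def inside_to_outside(self, pkt: Packet, now: float) -> Packet:
        self._expire(now)
        if IPv4Address(pkt.src) not in INSIDE:
            return pkt
        to_vpn = wildcard_match(pkt.dst, str(VPN_REMOTE.network_address), "0.0.0.255")
        # static network NAT has no selector: it rewrites Internet-bound sources too (the thread's problem)
        if to_vpn or self.vpn_mode == "static-network":
            offset = int(IPv4Address(pkt.src)) - int(INSIDE.network_address)
            glob = str(VPN_GLOBAL.network_address + offset)
            if self.vpn_mode == "match-host":
                self.table.setdefault(pkt.src, (glob, now))   # state is created here, outbound only
            return Packet(glob, pkt.dst, pkt.sport, pkt.dport)
        key = (pkt.src, pkt.sport)                             # everything else: PAT on the WAN address
        if key not in self.pat:
            self.pat[key] = self.next_port
            self.next_port += 1
        return Packet(str(WAN_IP), pkt.dst, self.pat[key], pkt.dport)

    def outside_to_inside(self, pkt: Packet, now: float):
        """Returns the translated packet, or None when nothing matches (dropped or misrouted)."""
        self._expire(now)
        dst = IPv4Address(pkt.dst)
        if dst in VPN_GLOBAL:
            if self.vpn_mode == "static-network":
                local = str(INSIDE.network_address + (int(dst) - int(VPN_GLOBAL.network_address)))
                return Packet(pkt.src, local, pkt.sport, pkt.dport)
            for local, (glob, _) in self.table.items():
                if glob == pkt.dst:
                    return Packet(pkt.src, local, pkt.sport, pkt.dport)
            return None                                        # outside-originated, no entry yet
        if dst == WAN_IP:
            for (local, lport), gport in self.pat.items():
                if gport == pkt.dport:
                    return Packet(pkt.src, local, pkt.sport, lport)
        return None


def demo() -> dict:
    """Walks through the cases the thread argues about and returns the observable results."""
    dyn = SiteBNat("match-host", timeout=60)
    out = dyn.inside_to_outside(Packet("10.10.10.5", "192.168.10.1", 40000, 22), now=0)
    back = dyn.outside_to_inside(Packet("192.168.10.1", "10.10.20.5", 22, 40000), now=1)
    unsolicited = dyn.outside_to_inside(Packet("192.168.10.1", "10.10.20.9", 22, 40000), now=1)
    inet = dyn.inside_to_outside(Packet("10.10.10.5", "198.51.100.7", 40001, 443), now=2)
    aged = dyn.outside_to_inside(Packet("192.168.10.1", "10.10.20.5", 22, 40000), now=120)
    static = SiteBNat("static-network")
    static_in = static.outside_to_inside(Packet("192.168.10.1", "10.10.20.9", 22, 40000), now=0)
    static_inet = static.inside_to_outside(Packet("10.10.10.5", "198.51.100.7", 40001, 443), now=0)
    return {
        "vpn_out_src": out.src, "return_dst": back.dst,
        "unsolicited": unsolicited, "after_timeout": aged,
        "inet_src": inet.src, "inet_sport": inet.sport,
        "static_unsolicited_dst": static_in.dst, "static_inet_src": static_inet.src,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the two halves of the problem side by side: with the match-host pool, an unsolicited packet from site A to 10.10.20.9 has no entry to match and is not translated, and even an established entry stops working once it ages out, whereas the static network mapping translates any 10.10.20.x destination at any time but also rewrites the source of Internet-bound packets, which is why the thread cannot combine it with PAT on the same router.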