Overlapping subnets on IPSEC VPN Tunnels and NAT config

feisalb
Level 1

Hello All

 

I am trying to create an IPsec tunnel between two sites that have overlapping subnets.

This is the data flow that is required:

Data flows from my side to them

Source IP        Destination IP    Destination Hostname   Protocol/Port
10.243.16.0/27   194.74.253.202                           SSH/22, Telnet/23
10.243.16.0/27   194.74.253.212                           SQL*Net/1521
10.243.16.0/27   152.114.216.38                           HTTP & HTTPS/80, 443
10.243.16.0/27   152.114.219.39                           HTTP & HTTPS/80, 443

Data flows from the other side

Source IP        Destination IP    Destination Hostname   Protocol/Port
194.74.253.230   10.243.16.30      SMTP Server            SMTP/25

The overlapping subnet is 10.251.0.0/16, and 10.243.16.0/27 is a unique subnet that I can use to NAT to.

The aim is to statically translate 10.251.112.30 to 10.243.16.30 and PAT other sources coming from 10.251.0.0/16 to 10.243.16.1, as the other side of the IPsec tunnel has an overlapping subnet of 10.251.x.x.

 

Below is my proposed config. Will this work?

 

Interesting traffic for PATed addresses

ip access-list extended VPNPATACL-16AUTO_DCI_4
 permit tcp 10.251.0.0 0.0.255.255 host 194.74.253.202 eq 22
 permit tcp 10.251.0.0 0.0.255.255 host 194.74.253.202 eq telnet
 permit tcp 10.251.0.0 0.0.255.255 host 194.74.253.212 eq 1521
 permit tcp 10.251.0.0 0.0.255.255 host 152.114.216.38 eq www
 permit tcp 10.251.0.0 0.0.255.255 host 152.114.216.38 eq 443
 permit tcp 10.251.0.0 0.0.255.255 host 152.114.216.39 eq www
 permit tcp 10.251.0.0 0.0.255.255 host 152.114.216.39 eq 443

 

 

Interesting traffic for the static NAT address

ip access-list extended VPNNATACL-16AUTO_DCI_4
 permit ip host 10.251.112.51 host 194.74.253.230

 

Pool for PAT overload. 10.251.0.0/16 is PATed to a single address, 10.243.16.1

ip nat pool VPNPAT_16AUTO_POOL 10.243.16.1 10.243.16.1 prefix-length 27

 

Route-map for the static NAT ACL

route-map toNORTHGATE-AUTO16 permit 10
 match ip address VPNNATACL-16AUTO_DCI_4

 

NAT statements

ip nat inside source list VPNPATACL-16AUTO_DCI_4 pool VPNPAT_16AUTO_POOL vrf 16AUTO_DCI overload
ip nat inside source static 10.251.112.51 10.243.16.30 vrf 16AUTO_DCI route-map toNORTHGATE-AUTO16

 

ip nat inside and ip nat outside on the relevant interfaces.

 

Note the remote side will initiate the connection to 10.243.16.30 (10.251.112.51 locally) from source 194.74.253.230, so will this static work, or will I need to reverse the ACL VPNNATACL-16AUTO_DCI_4?

 

 

Encryption domain for IPsec

ip access-list extended VPNACL-16AUTO_DCI_4
 permit tcp 10.243.0.0 0.0.31.255 host 194.74.253.202 eq 22
 permit tcp 10.243.0.0 0.0.31.255 host 194.74.253.202 eq telnet
 permit tcp 10.243.0.0 0.0.31.255 host 194.74.253.212 eq 1521
 permit tcp 10.243.0.0 0.0.31.255 host 152.114.216.38 eq www
 permit tcp 10.243.0.0 0.0.31.255 host 152.114.216.38 eq 443
 permit tcp 10.243.0.0 0.0.31.255 host 152.114.219.39 eq www
 permit tcp 10.243.0.0 0.0.31.255 host 152.114.219.39 eq 443
 permit tcp host 10.243.16.30 eq smtp host 194.74.253.230

 

Thanks

 

Feisal

2 Replies

feisalb
Level 1

 

Should the interesting traffic ACL for the static be

ip access-list extended VPNNATACL-16AUTO_DCI_4
 permit ip host 10.251.112.51 host 194.74.253.230
 permit ip host 194.74.253.230 host 10.243.16.30  <-- remote end initiates the traffic to 10.243.16.30 that is

I think I might need to get rid of the route-map at the end of the static, so traffic destined for 10.243.16.30 will get NATed to 10.251.112.51; this will not affect other IPsec tunnels, as they will never have 10.243.16.x as part of their encryption domain.
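As an added check, not part of the thread or of any Cisco tool: a small Python model of the IOS order of operations (inside-to-outside is NAT inside source, then the crypto map checked on the translated header; outside-to-inside is decrypt, crypto ACL checked on the mirrored header, then untranslation) run over the ACLs and NAT statements exactly as posted. It serves both the original question (does the crypto ACL see the translated addresses, and what happens to a flow the PAT ACL does not cover) and the follow-up (does the remote-initiated SMTP session get untranslated with and without the route-map on the static). The inside host 10.251.5.10, the ephemeral ports and the modelling of a route-map static as one-directional unless marked reversible are my assumptions; the PAT ACL keeps its 152.114.216.39 entries as posted so that a flow to 152.114.219.39 can be traced.

```python
"""Offline model of the Cisco IOS NAT / IPsec order of operations for the
design in this thread.  Inside-to-outside: NAT (inside source) first, then
the crypto map is checked on the translated header.  Outside-to-inside:
decrypt, check the decrypted packet against the mirror of the crypto ACL,
then NAT outside-to-inside (untranslate).  ACLs, NAT statements and
addresses are copied from the posts; the packets are constructed samples."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def ace(proto, src, sport, dst, dport):
    """One permit entry: port None means 'any port', proto 'ip' means any."""
    return (proto, ip_network(src), sport, ip_network(dst), dport)


def acl_permits(acl, p):
    for proto, snet, sp, dnet, dp in acl:
        if (proto in ("ip", p.proto) and ip_address(p.src) in snet
                and ip_address(p.dst) in dnet
                and sp in (None, p.sport) and dp in (None, p.dport)):
            return True
    return False  # implicit deny


def mirrored(p):
    """A decrypted packet is checked against the crypto ACL with src/dst swapped."""
    return Pkt(p.dst, p.dport, p.src, p.sport, p.proto)


# VPNPATACL-16AUTO_DCI_4 exactly as posted (note the 152.114.216.39 entries)
PAT_ACL = [ace("tcp", "10.251.0.0/16", None, d, port) for d, port in [
    ("194.74.253.202/32", 22), ("194.74.253.202/32", 23),
    ("194.74.253.212/32", 1521),
    ("152.114.216.38/32", 80), ("152.114.216.38/32", 443),
    ("152.114.216.39/32", 80), ("152.114.216.39/32", 443)]]
PAT_GLOBAL = "10.243.16.1"  # ip nat pool VPNPAT_16AUTO_POOL, overload

# VPNACL-16AUTO_DCI_4 (encryption domain) as posted: 10.243.0.0 0.0.31.255 = /19
CRYPTO_ACL = [ace("tcp", "10.243.0.0/19", None, d, port) for d, port in [
    ("194.74.253.202/32", 22), ("194.74.253.202/32", 23),
    ("194.74.253.212/32", 1521),
    ("152.114.216.38/32", 80), ("152.114.216.38/32", 443),
    ("152.114.219.39/32", 80), ("152.114.219.39/32", 443)]]
CRYPTO_ACL.append(ace("tcp", "10.243.16.30/32", 25, "194.74.253.230/32", None))

# Static entry: (inside local, inside global, route-map ACL or None, reversible).
# Assumption modelled here: a route-map static is consulted only for
# inside-initiated sessions unless the IOS 'reversible' keyword is present;
# a plain static (no route-map) is bidirectional.
ROUTE_MAP_ACL = [ace("ip", "10.251.112.51/32", None, "194.74.253.230/32", None)]
STATIC_WITH_ROUTE_MAP = ("10.251.112.51", "10.243.16.30", ROUTE_MAP_ACL, False)
STATIC_PLAIN = ("10.251.112.51", "10.243.16.30", None, True)


def inside_to_outside(p, static):
    """Returns (packet as it reaches the crypto map, disposition)."""
    local, glob, rm_acl, _ = static
    if p.src == local and (rm_acl is None or acl_permits(rm_acl, p)):
        p = replace(p, src=glob)
    elif acl_permits(PAT_ACL, p):
        p = replace(p, src=PAT_GLOBAL)  # PAT port rewrite omitted; the ACLs ignore it
    return p, ("encrypted" if acl_permits(CRYPTO_ACL, p) else "cleartext")


def outside_to_inside(p, static):
    """Decrypted packet: crypto ACL (mirrored) first, then untranslate."""
    if not acl_permits(CRYPTO_ACL, mirrored(p)):
        return p, "dropped-by-crypto-acl"
    local, glob, rm_acl, reversible = static
    if p.dst == glob and (rm_acl is None or reversible):
        return replace(p, dst=local), "delivered"
    return p, "untranslated"  # no local host owns 10.243.16.30


def check_design(static):
    """Runs the four flows the thread cares about; sample hosts/ports are constructed."""
    return {
        "ssh":        inside_to_outside(Pkt("10.251.5.10", 51000, "194.74.253.202", 22), static),
        "https-219":  inside_to_outside(Pkt("10.251.5.10", 51001, "152.114.219.39", 443), static),
        "smtp-in":    outside_to_inside(Pkt("194.74.253.230", 40000, "10.243.16.30", 25), static),
        "smtp-reply": inside_to_outside(Pkt("10.251.112.51", 25, "194.74.253.230", 40000), static),
    }


if __name__ == "__main__":
    for name, static in (("route-map static", STATIC_WITH_ROUTE_MAP), ("plain static", STATIC_PLAIN)):
        print(name)
        for flow, (pkt, outcome) in check_design(static).items():
            print(f"  {flow:11} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {outcome}")
```

Running it shows the SSH flow PATed to 10.243.16.1 and matching the encryption domain, the HTTPS flow to 152.114.219.39 leaving untranslated and outside the encryption domain because the PAT ACL lists 152.114.216.39 instead, the SMTP reply from 10.251.112.51 translated to 10.243.16.30 and matched by the `eq smtp` source-port entry, and the inbound SMTP session reaching 10.251.112.51 only for the plain static; with the route-map static it stays addressed to 10.243.16.30 unless the entry is reversible. The model does not keep PAT session state, so return traffic for PATed flows is not traced; confirm the route-map and reversible behaviour on the IOS release in use before relying on it.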