Site to Site IPSec Tunnel and NAT

Michael_CE (Level 1)

Hello all

To allow remote support by a service provider we need to have a Site to Site IPSec Tunnel to them, as this is the only VPN type they offer.

This tunnel is working so far.

Now the problem:

Because I can't change the network configuration of the devices in the target network (I can't configure routes or a default gateway on them), the only solution is to use NAT.

This is working fine with an L2TP IPSec "dial-in" type of VPN, as there I have an interface Virtual-Template1 which I can configure as nat inside.

The target network interface Vlan1 is configured as nat outside.

Then a:

ip nat inside source list ACL-NAT interface Vlan1 overload

With this I have communication to the devices in the target network working perfectly fine if connected through the L2TP IPSec VPN.

But with the Site to Site IPSec tunnel there is no interface which I can set as nat inside.

Is there any way to use NAT in combination with a Site to Site IPSec tunnel?

Thank you in advance.

Kind regards

Michael

Accepted Solution (ngkin2010)

Hi,

"Unlike with the L2TP IPSec VPN, with the Site to Site IPSec Tunnel I do not get any extra (virtual or tunnel) interface."

It's about the order of operations: NAT is performed after IPSec decryption. This means that when the IPSec encapsulated packet arrives on your WAN interface (e.g. GigabitEthernet8), it will first be decrypted (source: 192.168.80.x, destination: 10.20.60.x). Then NAT will be performed (source: 192.168.80.x -> [overload NAT] 10.20.60.12; destination: 10.20.60.x).

Vice versa, when the return packet arrives on the LAN interface, NAT is performed before IPSec encryption. This means the packet (source: 10.20.60.x, destination: 10.20.60.12) will be translated to (source: 10.20.60.x, destination: 192.168.80.x). According to the routing table, it should exit out the WAN interface (Gig8). IPSec encryption is then performed if (source: 10.20.60.x, destination: 192.168.80.x) hits the crypto map condition.

So, if it's well configured, it should work as expected.

Your configuration looks good to me except the interface Gig8.

interface GigabitEthernet8
ip address x.x.x.x 255.255.255.248
ip access-group ACLWAN in
duplex auto
speed auto
no cdp enable
crypto map CRYP_MAP
ip nat inside

Do you have 'ip nat inside' configured on Gig8?
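As an added example (not the thread's own configuration), the following is a consolidated version of the setup the accepted solution describes, with the IOS order of operations noted in comments. ACLWAN, the ISAKMP policy and the transform set are assumed to exist already (the tunnel is up in the thread); y.y.y.y, the transform set name TS-ESP, the crypto ACL name ACL-CRYPTO and the crypto map sequence number are placeholders. The NAT access list is reduced to the remote VPN subnet; the thread's second entry (a.a.a.a) is left out because it belongs to the other VPN. On the security question raised later in the thread: 'ip nat inside' on the public interface only designates the interface as the NAT inside domain; translation is applied solely to packets whose source matches ACL-NAT, which on this router are the packets that have already been decrypted from the tunnel, while ACLWAN and the crypto map continue to decide what is accepted on Gig8 at all.

```cisco
! Added example, not the thread's own configuration: consolidated NAT +
! site-to-site IPsec setup for the scenario above. Placeholders: x.x.x.x
! (local WAN address), y.y.y.y (remote IPsec peer), TS-ESP (transform set
! name), ACLWAN (existing inbound WAN filter, not shown), crypto map seq 10.
!
! NAT source list. Only packets whose source matches here are translated;
! restricting it to the remote VPN subnet keeps the translation from
! applying to anything else that reaches the inside interface.
ip access-list standard ACL-NAT
 permit 192.168.80.0 0.0.0.15
!
! Crypto ACL: mirrors the local/remote idents from 'show crypto ipsec sa'
! in the thread (10.20.60.0/23 <-> 192.168.80.0/28). Inbound, decryption
! happens before NAT, so the remote side still addresses 10.20.60.x;
! outbound, NAT runs before encryption, so this ACL is evaluated on the
! un-translated remote address 192.168.80.x, never on 10.20.60.12.
ip access-list extended ACL-CRYPTO
 permit ip 10.20.60.0 0.0.1.255 192.168.80.0 0.0.0.15
!
crypto map CRYP_MAP 10 ipsec-isakmp
 set peer y.y.y.y
 set transform-set TS-ESP
 match address ACL-CRYPTO
!
! WAN interface: IPsec terminates here, and the decrypted packets from
! 192.168.80.x enter the NAT 'inside' domain through this interface, which
! is why 'ip nat inside' belongs on it even though it faces the Internet.
interface GigabitEthernet8
 ip address x.x.x.x 255.255.255.248
 ip access-group ACLWAN in
 ip nat inside
 crypto map CRYP_MAP
!
! LAN interface toward devices that have no route back to 192.168.80.0/28.
! Traffic leaving here is 'inside -> outside', so its source becomes the
! Vlan1 address 10.20.60.12 and the devices reply to a local address.
interface Vlan1
 ip address 10.20.60.12 255.255.254.0
 ip nat outside
 ip virtual-reassembly in
!
! PAT the remote subnet behind the Vlan1 address.
ip nat inside source list ACL-NAT interface Vlan1 overload
```

To verify, 'show ip nat translations' should list entries with inside global 10.20.60.12 and inside local 192.168.80.x while a remote session is active, and the encaps/decaps counters in 'show crypto ipsec sa' should both increment. For the return path, the reply from a 10.20.60.x device arrives on the 'ip nat outside' interface, and for outside-to-inside traffic IOS performs the translation (destination 10.20.60.12 back to 192.168.80.x) before the route lookup, so the route that matters is the one to 192.168.80.0/28 (normally the default route via Gig8); the crypto ACL then matches on the restored 192.168.80.x address, exactly as the accepted solution describes.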


8 Replies

Hi,

This VPN is on an IOS router? You can NAT overload behind the interface the VPN is established on.

Hello Rob

Yes, it is IOS.

To which interface?

Unlike with the L2TP IPSec VPN, with the Site to Site IPSec Tunnel I do not get any extra (virtual or tunnel) interface.

When using a policy-based VPN, traffic still needs to be routed out of the interface you are establishing the VPN tunnel on, so when using NAT, overload on the outbound interface.

Hello Rob

For the Site to Site IPSec Tunnel case just 2 interfaces are involved.

WAN interface connected to the public internet, which has the crypto map assigned:

interface GigabitEthernet8
ip address x.x.x.x 255.255.255.248
ip access-group ACLWAN in
duplex auto
speed auto
no cdp enable
crypto map CRYP_MAP

LAN interface connected to the target network (where I can not set a default gateway on the devices, therefore NAT must be used):

interface Vlan1
ip address 10.20.60.12 255.255.254.0
ip nat outside
ip virtual-reassembly in

NAT config set:

ip nat inside source list ACL-NAT interface Vlan1 overload

ip access-list standard ACL-NAT
permit a.a.a.a 0.0.0.15
permit 192.168.80.0 0.0.0.15

192.168.80.0 = subnet used by the remote end of the Site to Site IPSec Tunnel

----

#show crypto ipsec sa

interface: GigabitEthernet8
Crypto map tag: CRYP_MAP, local addr x.x.x.x

protected vrf: (none)
local ident (addr/mask/prot/port): (10.20.60.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (192.168.80.0/255.255.255.240/0/0)

----

Can you please point me to where exactly I have to add what, so that NAT will be used if someone from the remote end of the site to site VPN tunnel wants to connect to a device in the 10.20.60.0 subnet?


Hello ngkin2010

I do not have "ip nat inside" configured on the GigabitEthernet8.

I was afraid to set this on that interface because it is connected to the public internet.

So this is no risk from a security point of view?

If not, I will try that.

Thank you,

Hello ngkin2010

Adding 'ip nat inside' to the interface GigabitEthernet8 solved the problem.

NAT is working now.

Many thanks!

Kind regards

Michael

For the return packet, which route should it refer to: the route with destination 10.20.60.12 or the route with destination 192.168.80.x? As far as I know, route lookup takes place before NAT for outbound traffic.