05-07-2003 04:32 AM - edited 02-21-2020 12:31 PM
Hello,
I have configured an IPsec tunnel between two sites; as one IPsec endpoint I have a PIX and at the other an IOS router with VPN and firewall.
The IPsec tunnel is used between each site, but I also need external access to devices behind the respective firewalls FROM the Internet.
Devices behind the PIX:
The device has a static NAT address used for Internet access. I have a firewall rule that allows certain Internet-originated traffic through to my host's NATted address. I can also communicate to and from my device through the IPsec tunnel. This traffic is defined as 'nat (inside) 0', not NATing the traffic, just passing the traffic through from one private network to the other via the tunnel.
Devices behind the IOS router.
Here I find that if I give my host a static NAT address, I can access the host from the Internet and the Internet from the host, but I cannot access the other site via the VPN tunnel. It appears that the host address is being NATted before it tries the tunnel and fails because the access-list defining interesting traffic for encryption uses standard private network ranges, i.e.
access-list 102 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
My question is how do I avoid NATting the host's address behind the IOS router when the traffic is destined for the IPsec tunnel,
or what is the equivalent IOS command of 'nat (inside) 0'?
any help would be greatly appreciated.
05-07-2003 11:56 AM
If you are using lan2lan/crypto maps VPN between the router and PIX:
define the traffic in the access-list and reference it in the crypto map

crypto map whatever-name
 match address 102

interface e0 (or whatever your outside int is)
 crypto map whatever-name

access-list 102 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255

ip route 0.0.0.0 0.0.0.0 isp-rtr-ip (or e0 - outside int)

#deny nat for the protected traffic and permit for any other destination
access-list 103 deny ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 103 permit ip 10.0.0.0 0.0.0.255 any
ip nat inside source list 103 interface e0 overload (for PAT, or 'pool' if nat)

But
if you are running ezvpn client on the router:
simply configure split-tunneling on the PIX for that vpngroup
05-08-2003 01:08 AM
The problem lies with the static NAT process occurring no matter what the crypto ACLs define. To get around this you can use policy routing to identify the traffic from the devices with static NATs which need to traverse the VPN and redirect it via a loopback interface that is not participating in the NAT process. This has worked for me in the past. The link below provides good guidelines for implementing this:
05-16-2003 05:12 AM
Thanks very much.
This has resolved the issue.
05-15-2003 08:55 AM
The easy way you can solve that problem for the IOS router is to create another ACL. I've done it and it works fine.
Example
172.16.1.0 is the network address of hosts behind the IOS router
192.168.10.0 is the network address of hosts behind the PIX firewall
access-list 115 deny ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 permit ip 172.16.1.0 0.0.0.255 any
This will work fine.
TMM
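The deny/permit ACL above exempts the dynamically translated LAN from NAT, but the original question was about a host with a static NAT entry, which is translated regardless of the NAT ACL. The fragment below is an added worked configuration, written for this edit and not posted by anyone in the thread, that combines both: it uses the thread's two LAN ranges (172.16.1.0/24 behind the IOS router, 192.168.10.0/24 behind the PIX) and assumes a host 172.16.1.10 with public address 203.0.113.10, an outside interface address 203.0.113.1, a PIX peer at 198.51.100.2, and interface and crypto map names chosen here. The static entry is qualified with a route-map so that it only applies when the destination is not the remote LAN; this needs an IOS release that accepts the route-map keyword on a static translation. Where it is not available, the policy-routing-through-a-loopback approach from the reply above is the alternative.

```cisco
! Added example (not from the thread). Assumed: host 172.16.1.10 / public 203.0.113.10,
! outside 203.0.113.1/24 on Ethernet0, inside 172.16.1.1/24 on Ethernet1, PIX peer 198.51.100.2.

interface Ethernet0
 description Outside (Internet)
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 crypto map VPN

interface Ethernet1
 description Inside LAN
 ip address 172.16.1.1 255.255.255.0
 ip nat inside

ip route 0.0.0.0 0.0.0.0 203.0.113.254

! Interesting traffic for the tunnel: private-to-private only, never the public address.
access-list 102 permit ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255

! IOS counterpart of "nat (inside) 0" for the dynamically translated LAN:
! the deny for the tunnel pair must come before the permit.
access-list 115 deny   ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 permit ip 172.16.1.0 0.0.0.255 any
ip nat inside source list 115 interface Ethernet0 overload

! The statically translated host: same deny/permit pattern, attached to the static
! entry through a route-map so the translation is skipped for tunnel-bound traffic.
access-list 116 deny   ip host 172.16.1.10 192.168.10.0 0.0.0.255
access-list 116 permit ip host 172.16.1.10 any
route-map NONAT-STATIC permit 10
 match ip address 116
ip nat inside source static 172.16.1.10 203.0.113.10 route-map NONAT-STATIC

! Site-to-site IPsec to the PIX (AES; use 3des only if the release lacks AES).
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-SHARED-SECRET address 198.51.100.2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set ESP-AES-SHA
 match address 102
```

After applying it, a connection from 172.16.1.10 to a host in 192.168.10.0/24 should leave no entry in show ip nat translations while the encaps/decaps counters in show crypto ipsec sa increase, and a connection from the same host to an Internet address should still appear translated to 203.0.113.10. Keep ACLs 102, 115 and 116 in agreement: any pair of networks permitted in the crypto ACL must be denied in the NAT ACLs, otherwise the translated source address silently fails the crypto match exactly as described in the question.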