VPN with internet NAT and subnet NAT

impi
Level 1

Hi,

 

We are banging our heads on a problem that seems simple.

Let me explain the problem:

 

VPN Between ASA (192.168.199.0 and 192.168.214.0) and Cisco 800 (192.168.1.0)

On the ASA the network 192.168.1.0 exists for another VPN, so on the Cisco 800 we have to NAT the network 192.168.1.0 to 192.168.213.0. It should not be a problem.

On the Cisco 800 we also need NAT (in fact PAT) to access the internet. Again, it should not be a problem.

 

But we can't manage to make them work at the same time.

 

Here are the relevant parts of the config:

! a pool for our VPN NAT
ip nat pool natvpn 192.168.213.1 192.168.213.254 netmask 255.255.255.0 type match-host

...

! PAT for internet access
ip nat inside source list 110 interface Vlan2 overload
! NAT for the VPN
ip nat inside source list 112 pool natvpn

...

! ACL for internet access (not sure the first two deny lines are useful)
access-list 110 remark PAT Inside
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.214.0 0.0.0.255
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 110 deny ip 192.168.213.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 110 deny ip 192.168.213.0 0.0.0.255 192.168.214.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any

...

! ACL for the VPN NAT
access-list 112 permit ip 192.168.1.0 0.0.0.255 192.168.214.0 0.0.0.255
access-list 112 permit ip 192.168.1.0 0.0.0.255 192.168.199.0 0.0.0.255

 

If I only put the first NAT statement (110), I can ping the internet, no problem. Obviously the VPN is not working.

If I put the second NAT statement (112), the VPN is OK, but not the internet.

If I do a "sh ip nat translation" I can see it is also NATting 1 -> 213, even for internet traffic!

 

Maybe I am missing something obvious, but what?

Thanks for the help.

 

Cedric


4 Replies

impi
Level 1

Just some things to add to help you help me.

I managed to make it work, but not in a satisfactory way:

 

 

ip nat inside source route-map PAT_inside interface Vlan2 overload
ip nat inside source static 192.168.1.100 192.168.213.100 route-map NAT-VPN
!
route-map PAT_inside permit 1
 match ip address 110
!
route-map NAT-VPN permit 1
 match ip address 112

With that I can both ping the internet and ONE machine on the other network.

Does that mean I'll have to add 250+ lines? It seems crazy.

I can add a "network" statement just after "static", but then there is no route-map option...

 

You understand why I'm banging my head.

 

I am thinking of using a loopback and NATting all of the LAN to the loopback when the traffic is sent via the IPsec tunnel, and PAT to the public IP when the traffic is sent via the internet. Use PBR and NAT NVI.

But this solution needs to be tried in a lab first to check that it works.
The best solution is to change the LAN subnet so that it does not overlap with any other subnet on the ASA.

impi
Level 1

Hi, and thanks for all these ideas.

I'll try that and come back.

 

Do not worry, I have a lab with 3 routers: one for each site, and one for the "internet" with a loopback IP of 8.8.8.8 to simulate external access, so I can do as many tests as I want.

I had already heard about NVI, but never went into it!

 

Have a nice day.

impi
Level 1

Really many thanks, it now works, with a real 1-to-1 IP (192.168.1.xxx will be translated to 192.168.213.xxx).

For those who will come after me, here is what I did:

 

! I guess that was the thing that was missing the most: an interface where the NAT could apply
interface Loopback213
 ip address 192.168.213.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly in

Then the NAT itself:

! "match-host" is for keeping the same number at the end of the IP
ip nat pool natvpn 192.168.213.1 192.168.213.254 netmask 255.255.255.0 type match-host
ip nat inside source route-map NAT-VPN pool natvpn
ip nat inside source route-map PAT_inside interface Vlan2 overload

And also the 2 route-maps and ACLs, the same as at the beginning of the post.

 

Really happy, many thanks for this valuable help.
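Added example, not from the thread or from Cisco: a Python model of the two ACLs and the match-host pool used above. It reports every NAT rule whose ACL permits a flow, so you can check that each flow is claimed by exactly one rule, and it shows that the deny lines in ACL 110 are what keep VPN-bound traffic out of the PAT rule. The ACL entries and sample addresses are constructed from the values in this post.

```python
import ipaddress

# Constructed model of the Cisco 800 NAT policy from this thread.
# Each ACL entry is (action, src_net, src_wildcard, dst_net, dst_wildcard);
# IOS "any" is modelled as 0.0.0.0 with wildcard 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")

ACL_110 = [  # PAT_inside: internet traffic only, VPN destinations excluded
    ("deny",   "192.168.1.0",   "0.0.0.255", "192.168.214.0", "0.0.0.255"),
    ("deny",   "192.168.1.0",   "0.0.0.255", "192.168.199.0", "0.0.0.255"),
    ("deny",   "192.168.213.0", "0.0.0.255", "192.168.199.0", "0.0.0.255"),
    ("deny",   "192.168.213.0", "0.0.0.255", "192.168.214.0", "0.0.0.255"),
    ("permit", "192.168.1.0",   "0.0.0.255", *ANY),
]
ACL_112 = [  # NAT-VPN: LAN to the two ASA subnets
    ("permit", "192.168.1.0", "0.0.0.255", "192.168.214.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", "192.168.199.0", "0.0.0.255"),
]
# The same ACL 110 without the deny lines the poster was unsure about.
ACL_110_NO_DENY = [("permit", "192.168.1.0", "0.0.0.255", *ANY)]

def wildcard_match(addr, net, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care' for that bit."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return ((a ^ n) & ~w) & 0xFFFFFFFF == 0

def acl_permits(acl, src, dst):
    """First matching entry decides; no match is an implicit deny."""
    for action, snet, swild, dnet, dwild in acl:
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action == "permit"
    return False

def matching_nat_rules(src, dst, rules=None):
    """Names of every NAT rule whose ACL permits this flow. The policy is
    only unambiguous when exactly one name comes back for each flow."""
    rules = rules or {"PAT_inside": ACL_110, "NAT-VPN": ACL_112}
    return [name for name, acl in rules.items() if acl_permits(acl, src, dst)]

def match_host_translate(src, pool="192.168.213.0/24"):
    """'type match-host': keep the host bits, swap in the pool's network bits."""
    net = ipaddress.IPv4Network(pool)
    host_bits = int(ipaddress.IPv4Address(src)) & int(net.hostmask)
    return str(ipaddress.IPv4Address(int(net.network_address) | host_bits))

if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.214.10"):
        print(dst, matching_nat_rules("192.168.1.100", dst))
    print(match_host_translate("192.168.1.100"))  # 192.168.213.100
```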