VPN with source NAT on Cisco router

teatrodelsogno
Level 1

Hi,

One simple question about a configuration on a Cisco router with a VPN to an ASA.

I've configured one VPN tunnel correctly between a Cisco ASA and a Cisco 2800 router.
The VPN is working and, for example, through the tunnel I can reach the router on its "inside" IP address.
Perfect.

The problem is:
- I need to reach some hosts behind the router on the same VLAN as the router's inside interface IP address.
- My idea is to source NAT the IP address in order NOT to modify the routing on the DC network client infrastructure.
  I source NAT to an IP on the same subnet as the DC equipment. All devices are on the same subnet as the router's LAN interface.

Example configuration:

interface FastEthernet0/0
description INSIDE
ip address 172.20.0.159 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description OUTSIDE
ip address 38.122.122.122 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map outside_map
!
!
ip route 0.0.0.0 0.0.0.0 38.122.122.121
!
!
ip nat inside source route-map nonat interface FastEthernet0/1 overload
!
!
route-map nonat permit 10
match ip address 111
!
!
access-list 110 remark Interesting traffic access-list
access-list 110 permit ip 172.20.0.0 0.0.0.255 10.164.131.0 0.0.0.255
access-list 110 permit ip 172.20.0.0 0.0.0.255 host 10.164.32.150

access-list 111 remark NAT exemption access-list
access-list 111 deny ip 172.20.0.0 0.0.0.255 10.164.131.0 0.0.0.255
access-list 111 deny ip 172.20.0.0 0.0.0.255 host 10.164.32.150
access-list 111 permit ip 172.20.0.0 0.0.0.255 any
!
!
--------------------------------------------------------------------------------------------------------------------
Packet-flow:
10.164.32.150 -> 172.20.0.80

ASA_10.164.32.150 -> [router2800] -> 172.20.0.80

I would like to:

ASA_10.164.32.150 -> [router2800] -> srcNAT-172.20.0.254 -> 172.20.0.80   ...(and the way back, obviously)

----------------------------------------------------------------------------------------------------------------------
Configuration that I tried and that is not working:

ip nat outside source static 10.164.32.150 172.20.0.254

and also

ip nat inside source static 10.164.32.150 172.20.0.254

Without success.

-----------------------------------------------------------------------------------------------------------------------

Any suggestion for my needs?


Many regards

8 Replies

teatrodelsogno
Level 1

Any suggestion?

regards

Hello!

What version of ASA are you running? Post or pre 8.4? According to your flow:

ASA_10.164.32.150 -> [router2800] -> srcNAT-172.20.0.254 -> 172.20.0.80   ...(and the way back, obviously)

How are you routing 10.164.32.150? If I'm reading this right, you are doing the NAT (10.164.32.150 -> 172.20.0.254) on the router. What interfaces are you using? Fa0/0 and Fa0/1? You already have a NAT configured on those interfaces (from inside to outside); you cannot run multiple ones.

What you can do is NAT on the ASA and translate 10.164.32.150 to a public IP so the endpoint 172.20.0.80 can route back using default routing.

10.164.32.150-> [ASA] -> (5.5.5.5) -> [router2800] -> 172.20.0.80

172.20.0.80 -> [router2800] -> 5.5.5.5 -> [ASA] -> 10.164.32.150

Regards.

Rolando A. Valenzuela.

Hi Rolando,

thanks for the answer.

I cannot do it like you wrote, because the default route on the final devices on 172.20.0.* goes another way.

I uploaded a quick network schema so the topology is easier to understand.

Maybe (as you said) I cannot do sNAT on the router after the "nonat" for the VPN!?

Maybe the only solution is a "route back" on the device, but the client doesn't want to do that.

If you have some other suggestion... please let me know.

regards

Mmmm, you can have multiple inside interfaces, but not inside & outside at the same time on the one interface.

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html

The other idea is to change your VPN to something using a Tunnel interface, and do the NAT on that tunnel and not on the actual interface.

Regards.

Rolando A. Valenzuela.

Hi Rolando,

mmm, maybe I'm a little bit confused right now.
I'm a little bit more at home with routers than with firewalls, and I didn't get you.

With a firewall it would be easy.... traffic coming from the VPN and the outside interface would be source NATted for some destination with the IP address of the LAN interface... (for example).
ok, but with a router?!?!? :-D

I've updated the Visio with more information and detail, because I don't have inside & outside at the same time?!
I have one outside interface with a public IP address that terminates the VPN with the crypto map, and an inside interface (LAN side) that belongs to the same subnet as the devices to be reached.

For the tunnel in the VPN?! I don't know either...

BTW, check the Visio to see if we are thinking along the same lines :-)

Coming back to your original answer about NAT.

No multiple NAT has been configured.

Just the access-list for the crypto map, that's it.

I tried to configure just these two NAT statements, only afterwards, for test:
ip nat inside source static 10.164.32.150 172.20.0.159
ip nat outside source static 10.164.32.150 172.20.0.159

without success.

Let me know,

regards

I saw it; what I'm saying is that you cannot have two NAT statements on the same interface:

interface FastEthernet0/0
description INSIDE
ip address 172.20.0.159 255.255.255.0
ip nat inside
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

It is one or the other, not both, and since you already have one you cannot perform an additional NAT on that router.

Thinking on this again, my suggestion of a Tunnel interface is not going to work.

I guess the easier way is for them to add a new route for the return traffic.

Regards.

Rolando A. Valenzuela.

Hi Rolando,

sorry again, but why did you write ip nat inside and ip nat outside on the same interface?
For sure I didn't configure the interface like this.

ip nat inside is on fa0/0

ip nat outside is on fa0/1

?

Why did you say that I configured both ip nat statements on the same interface?

regards

teatrodelsogno
Level 1

I found the solution myself after many tests :-)

For the community...

In this case, when VPN traffic comes in from the outside and no internet access is needed on the router (to perform overload and the like, for example), it is not necessary to configure the internet interface with the ip nat outside statement.

I simply reverted the ip nat statements and configured overload in order to source NAT with the interface on the LAN side.

Something like this:

ip nat inside source list 122 interface FastEthernet0/0 overload
access-list 122 remark ==[Control NAT Service]==
access-list 122 permit ip host 10.164.32.150 172.20.0.0 0.0.0.255

In this way, it is working.

regards
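The final reply only shows the NAT statement and ACL 122; the following is an added example (not the original poster's configuration) of the complete working design it describes, using the addresses from the thread. It assumes that "reverted the ip nat statements" means Fa0/1 becomes ip nat inside and Fa0/0 becomes ip nat outside, and that the old route-map nonat overload entry is removed because the router no longer provides internet PAT for the LAN.

```cisco
! Added example: NAT roles swapped so that decrypted VPN traffic arriving on
! Fa0/1 is the "inside" and the LAN on Fa0/0 is the "outside".
interface FastEthernet0/0
 description INSIDE (LAN, same subnet as 172.20.0.80)
 ip address 172.20.0.159 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface FastEthernet0/1
 description OUTSIDE (VPN peer side; decrypted tunnel traffic enters here)
 ip address 38.122.122.122 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 crypto map outside_map
!
ip route 0.0.0.0 0.0.0.0 38.122.122.121
!
! Only the single VPN host is translated, and only towards the LAN subnet.
! Its source becomes Fa0/0's own address 172.20.0.159, so 172.20.0.80 replies
! to a neighbour on its own subnet and needs no route for 10.164.32.0/24.
ip nat inside source list 122 interface FastEthernet0/0 overload
!
access-list 122 remark ==[Control NAT Service]==
access-list 122 permit ip host 10.164.32.150 172.20.0.0 0.0.0.255
!
! Crypto ACL is unchanged: replies entering Fa0/0 are un-translated back to
! destination 10.164.32.150 before routing, then follow the default route out
! Fa0/1, where they still match the crypto map and are encrypted.
access-list 110 remark Interesting traffic access-list
access-list 110 permit ip 172.20.0.0 0.0.0.255 10.164.131.0 0.0.0.255
access-list 110 permit ip 172.20.0.0 0.0.0.255 host 10.164.32.150
!
! The previous "ip nat inside source route-map nonat ... overload", route-map
! nonat and access-list 111 are removed; with Fa0/1 as ip nat inside they
! would no longer apply, and no LAN host is PATed to the internet here.
```

After sending test traffic from 10.164.32.150 through the tunnel, `show ip nat translations` should list the translation of 10.164.32.150 to 172.20.0.159, and `show crypto ipsec sa` should show encaps/decaps counters increasing on the tunnel. Because ACL 122 names a single host, any other VPN source reaching the LAN subnet is not translated and will fail unless the LAN hosts have a route back.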