12-17-2009 05:24 AM - edited 02-21-2020 04:25 PM
Hello,
I want to set up an IPsec gateway for site-to-site connectivity; the gateway should support different customers with independent NAT statements.
The IPsec gateway should use one public IP address for an outside fvrf, and this fvrf or the different customer IPsec tunnels should be mapped to different ivrfs with independent NAT statements.
I have problems with the NAT statement, because it is not possible to configure the following statement:
ipsec-gw#sh run | in nat
ip nat inside source static 10.79.50.13 10.79.1.1 vrf inside-group001
ip nat outside source static 192.168.1.1 10.79.2.2 vrf inside-group001
ipsec-gw#
ipsec-gw#
ipsec-gw#
ipsec-gw#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ipsec-gw(config)#ip nat inside source static 10.79.43.13 10.79.1.1 vrf inside-group002
% similar static entry (10.79.50.13 -> 10.79.1.1) already exists
ipsec-gw(config)#
Platform is: Cisco 3745 with AIM-VPN/HPII
IOS version: c3745-advsecurityk9-mz.124-25b.bin
12-17-2009 05:29 AM
with the match-in-vrf command in the nat statement it is possible to have two
statements pointing to the same local inside address in different vrfs:
ipsec-gw#sh run | in static
ip nat inside source static 10.79.50.13 10.79.1.1 vrf inside-group001 extendable match-in-vrf
ip nat inside source static 10.79.43.13 10.79.1.1 vrf inside-group002 extendable match-in-vrf
ip nat outside source static 192.168.1.1 10.79.2.2 vrf inside-group001 extendable match-in-vrf
ipsec-gw#
But with this configuration the communication is not possible, because the IPsec peer address of this gateway is in another VRF (fvrf).
ipsec-gw#ping vrf inside-group001 10.79.2.2 source 10.79.50.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.79.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.79.50.13
*Sep 7 21:56:19.831: NAT: s=10.79.50.13->10.79.1.1, d=10.79.2.2 [25]
*Sep 7 21:56:19.831: NAT: s=10.79.1.1, d=10.79.2.2->192.168.1.1 [25].
*Sep 7 21:56:21.831: NAT: s=10.79.50.13->10.79.1.1, d=10.79.2.2 [26]
*Sep 7 21:56:21.831: NAT: s=10.79.1.1, d=10.79.2.2->192.168.1.1 [26].
*Sep 7 21:56:23.831: NAT: s=10.79.50.13->10.79.1.1, d=10.79.2.2 [27]
*Sep 7 21:56:23.831: NAT: s=10.79.1.1, d=10.79.2.2->192.168.1.1 [27].
*Sep 7 21:56:25.831: NAT: s=10.79.50.13->10.79.1.1, d=10.79.2.2 [28]
*Sep 7 21:56:25.831: NAT: s=10.79.1.1, d=10.79.2.2->192.168.1.1 [28].
*Sep 7 21:56:27.831: NAT: s=10.79.50.13->10.79.1.1, d=10.79.2.2 [29]
*Sep 7 21:56:27.831: NAT: s=10.79.1.1, d=10.79.2.2->192.168.1.1 [29].
Success rate is 0 percent (0/5)
ipsec-gw#
Does anyone know a solution?
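As an added example (not part of the original post or Cisco's code), a small Python checker that parses the static NAT lines shown above and flags the collision IOS reported: two entries translating to the same global address in different VRFs are only accepted when both carry match-in-vrf. The rule is taken from the two outputs in the post and is assumed to generalise; it does not address the fvrf reachability problem.

```python
import re
from dataclasses import dataclass

# Constructed samples: the configuration IOS rejected in the post
# (no match-in-vrf) and the one it accepted (extendable match-in-vrf).
REJECTED_CONFIG = """\
ip nat inside source static 10.79.50.13 10.79.1.1 vrf inside-group001
ip nat outside source static 192.168.1.1 10.79.2.2 vrf inside-group001
ip nat inside source static 10.79.43.13 10.79.1.1 vrf inside-group002
"""

ACCEPTED_CONFIG = """\
ip nat inside source static 10.79.50.13 10.79.1.1 vrf inside-group001 extendable match-in-vrf
ip nat inside source static 10.79.43.13 10.79.1.1 vrf inside-group002 extendable match-in-vrf
ip nat outside source static 192.168.1.1 10.79.2.2 vrf inside-group001 extendable match-in-vrf
"""

# Matches "ip nat inside|outside source static <orig> <translated> [vrf <name>] [options...]"
STATIC_RE = re.compile(
    r"^ip nat (?P<dir>inside|outside) source static "
    r"(?P<orig>\d+\.\d+\.\d+\.\d+) (?P<xlat>\d+\.\d+\.\d+\.\d+)"
    r"(?: vrf (?P<vrf>\S+))?(?P<opts>(?: \S+)*)$"
)

@dataclass(frozen=True)
class StaticNat:
    direction: str      # "inside" or "outside"
    original: str       # address before translation
    translated: str     # address after translation (the one IOS keys on)
    vrf: str            # "global" when no vrf keyword is present
    match_in_vrf: bool

def parse_static_nat(config):
    """Extract static NAT entries from a running-config excerpt."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        opts = m.group("opts").split()
        entries.append(StaticNat(m.group("dir"), m.group("orig"), m.group("xlat"),
                                 m.group("vrf") or "global", "match-in-vrf" in opts))
    return entries

def find_conflicts(entries):
    """Pairs sharing a translated address across VRFs where either side lacks
    match-in-vrf; IOS rejects the second with '% similar static entry ... exists'."""
    return [(a, b) for i, a in enumerate(entries) for b in entries[i + 1:]
            if a.direction == b.direction and a.translated == b.translated
            and a.vrf != b.vrf and not (a.match_in_vrf and b.match_in_vrf)]
```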