NAT after VPN

Mar 19th, 2007

Hi,


I have the following problem, and can't seem to find a solution.


I have 2 Cisco routers, A and B, with a VPN connection. Both routers have a serial interface pointing to the outside and an Ethernet interface (let's call them A and B) pointing to the inside.


Traffic between subnet A and B is NOT NATed and the VPN works fine.


Now, router B has a second ethernet interface (C), to subnet C.


I added this subnet to the IPsec ACLs on both routers as I want to allow subnet A to access subnet C through the VPN.

The tunnel is up and running with no NAT being done.


However, on router B, access from subnet B to C is NATed:

interface B
 ip nat inside
!
interface C
 ip nat outside
!
ip nat inside source route-map NAT interface C overload
!
route-map NAT permit 10
 match ip address 123
!
access-list 123 permit ip SUBNET_B SUBNET_C



So far so good. Now the problem:

How can I NAT traffic from subnet A to subnet C?


I tried adding

access-list 123 permit ip SUBNET_A SUBNET_C

but this doesn't help, as traffic coming out of the VPN seems not to be affected by the NAT rule, probably because it is not considered to be coming from an interface with "ip nat inside".


Is there a way of doing this without using tunnel interfaces?



Thanks in advance,

kaachary Mon, 03/19/2007 - 06:05 (Cisco Employee)

Isn't Subnet A connected to Router A?

You mentioned that the traffic between Subnet A and C is "not" NATed.

If you want to NAT the traffic going from A to C, you have to do it on Router A.

And the crypto ACL will be created using the NATed IP address.

The changes should be mirrored on Router B as well.

Could you please elaborate on the requirement and post a snippet of the Router A config, if you can.


-Kanishka

johan_braeken Mon, 03/19/2007 - 06:43

I cannot NAT traffic from subnet A to C on router A already, as the interface IP address on router B has to be used for traffic going to subnet C.

So NATing has to be done on router B.


Please see http://www.knudde.be/NAT.jpg for a little drawing.

The blue text is what I want to do.



Correct Answer
kaachary Mon, 03/19/2007 - 06:55 (Cisco Employee)

If I understood it correctly, you want the traffic from Subnet A to reach router B, get decrypted, NATted to interface B and then routed to interface C.


Please correct me if I am wrong.


You might want to use PBR (Policy Based Routing) for this.


Create an ACL to identify the traffic:

access-list 101 permit ip Subnet A Subnet C

Create a loopback:

int loopback 1
 ip address 1.1.1.1 255.255.255.252
 ip nat inside
exit

Create a route map to route the traffic after it's decrypted:

route-map pol_nat permit 10
 match ip address 101
 set ip next-hop 1.1.1.2
exit

Apply the route map to your WAN interface:

int serial 0
 ip policy route-map pol_nat
exit

This way the traffic will first be decrypted and then will be routed to the loopback, which has "ip nat inside" applied, and then it will be routed to subnet C after being NATed using your NAT rule.


*Please rate if this helps.


-Kanishka
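
How the pieces of this answer fit together with the NAT config from the original question, written out as an added example for Router B (constructed addressing, not a config from this thread): the 10.x subnets, the interface names, the Serial0 address and the crypto map name VPN are assumptions.

```text
! Router B, added example with constructed addressing (not the thread's own config):
!   subnet A 10.1.0.0/24 sits behind Router A and arrives through the IPsec tunnel
!   subnet B 10.2.0.0/24 on FastEthernet0/0, subnet C 10.3.0.0/24 on FastEthernet0/1
!
! 1. Crypto ACL on B: B<->A and C<->A stay encrypted with their real addresses
access-list 110 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 110 permit ip 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
! 2. NAT policy: translate B->C and, once re-injected via the loopback, A->C.
!    There is deliberately no A->B line, so that traffic keeps its real addresses.
access-list 123 permit ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 123 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
route-map NAT permit 10
 match ip address 123
ip nat inside source route-map NAT interface FastEthernet0/1 overload
!
! 3. PBR: only decrypted A->C packets are steered to the loopback; A->B
!    never matches ACL 101, so it is neither policy-routed nor translated.
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
route-map pol_nat permit 10
 match ip address 101
 set ip next-hop 1.1.1.2
!
! 4. The PBR next-hop is on the loopback's own /30, so the packet is handed to
!    Loopback1 and re-enters forwarding from an "ip nat inside" interface.
interface Loopback1
 ip address 1.1.1.1 255.255.255.252
 ip nat inside
!
interface FastEthernet0/0
 description subnet B
 ip address 10.2.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description subnet C
 ip address 10.3.0.1 255.255.255.0
 ip nat outside
!
interface Serial0
 ip address 192.0.2.2 255.255.255.252
 ip policy route-map pol_nat
 crypto map VPN
!
! Checks after sending A->C traffic:
!   show ip nat translations   inside global should be 10.3.0.1 for 10.1.0.x sources
!   show route-map pol_nat     "Policy routing matches" counter should increase
!   show crypto ipsec sa       decap counters on the A<->C SA should keep rising
```

Keep ACL 101 as narrow as the A->C flow: any extra line there policy-routes and translates traffic that the VPN was supposed to carry untouched.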


shiprider Thu, 03/22/2007 - 14:31

Good stuff. How would something like this be achieved using a PIX instead of a router (e.g. come through the RAN interface, then overload NAT to the Outside interface)?


Regards
