NAT after VPN

johan_braeken
Level 1

Hi,

I have the following problem, and can't seem to find a solution.

I have 2 Cisco routers, A and B, with a VPN connection. Both routers have a serial interface pointing to the outside and an ethernet interface (let's call them A and B) pointing to the inside.

Traffic between subnet A and B is NOT NATed and the VPN works fine.

Now, router B has a second ethernet interface (C), to subnet C.

I added this subnet to the IPSEC ACLs on both routers as I want to allow subnet A to access subnet C through the VPN.

The tunnel is up and running with no NAT being done.

However, on router B, access from subnet B to C is NATed:

interface B
 ip nat inside
!
interface C
 ip nat outside
!
ip nat inside source route-map NAT interface C overload
!
route-map NAT permit 10
 match ip address 123
!
access-list 123 permit ip SUBNET_B SUBNET_C

So far so good. Now the problem:

How can I NAT traffic from subnet A to subnet C?

I tried adding

access-list 123 permit ip SUBNET_A SUBNET_C

but this doesn't help, as traffic coming out of the VPN seems not to be affected by the NAT rule, probably because it is not considered to be coming from an interface with "ip nat inside".

Is there a way of doing this without using tunnel interfaces?

Thanks in advance,

Accepted Solution

If I understood it correctly, you want the traffic from Subnet A to reach router B, get decrypted, NATted to interface B and then routed to interface C.

Please correct me if I am wrong.

You might want to use PBR (Policy Based Routing) for this.

Create an ACL to identify the traffic:

access-list 101 permit ip Subnet A Subnet C

Create a loopback:

int loopback 1
 ip address 1.1.1.1 255.255.255.252
 ip nat inside
exit

Create a route map to route the traffic after it's decrypted:

route-map pol_nat permit 10
 match ip address 101
 set ip next-hop 1.1.1.2
exit

Apply the route map to your WAN interface:

int serial 0
 ip policy route-map pol_nat
exit

This way the traffic will first be decrypted and then routed to the loopback, which has "ip nat inside" applied, and then it will be routed to subnet C after being NATted using your NAT rule.

*Please rate if this helps.

-Kanishka

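To show how the accepted answer's pieces fit together with the original poster's NAT setup, here is a consolidated Router B configuration. It is an added example written for this page, not configuration posted by anyone in the thread, and all addresses (subnet A 10.1.0.0/24, subnet B 10.2.0.0/24, subnet C 10.3.0.0/24, serial peer 192.0.2.1), interface names and the VPN_TRAFFIC/TS/VPN names are constructed placeholders.

```cisco
! Router B (constructed example, not from the thread). Assumed addresses:
!   subnet A 10.1.0.0/24 (behind router A), subnet B 10.2.0.0/24 on FastEthernet0/0,
!   subnet C 10.3.0.0/24 on FastEthernet0/1, Serial0 = 192.0.2.2, router A peer = 192.0.2.1.
! Crypto ACL: the tunnel matches the real (pre-NAT) subnet A addresses, as the OP already has.
ip access-list extended VPN_TRAFFIC
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 permit ip 10.3.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address VPN_TRAFFIC
!
! NAT policy: both the local B->C flow and the decrypted A->C flow are translated
! to the address of interface C. The second line alone did nothing for the OP,
! because decrypted packets never arrive through an "ip nat inside" interface.
access-list 123 permit ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
access-list 123 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
route-map NAT permit 10
 match ip address 123
!
ip nat inside source route-map NAT interface FastEthernet0/1 overload
!
! PBR: after decryption the A->C packets are re-evaluated on Serial0 and steered
! to the loopback, which carries "ip nat inside", so they now hit the NAT rule.
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
route-map pol_nat permit 10
 match ip address 101
 set ip next-hop 1.1.1.2
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.252
 ip nat inside
!
interface Serial0
 ip address 192.0.2.2 255.255.255.252
 ip policy route-map pol_nat
 crypto map VPN
!
interface FastEthernet0/0
 description subnet B
 ip address 10.2.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description subnet C
 ip address 10.3.0.1 255.255.255.0
 ip nat outside
```

After applying it, "show ip nat translations" should list translations whose inside local address is in 10.1.0.0/24 once a host on subnet A talks to subnet C; if none appear, check "show route-map pol_nat" to confirm the policy is matching the decrypted packets.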

5 Replies

kaachary
Cisco Employee

Isn't Subnet A connected to Router A?

You mentioned that the traffic between Subnet A and C is "not" natted.

If you want to NAT the traffic going from A to C, you have to do it on Router A.

And the crypto ACL will be created using the Natted ip address.

The changes should be mirrored on Router B as well.

Could you please elaborate the requirement and a snippet of Router A config, if you can post.

-Kanishka

I cannot NAT traffic from subnet A to C on router A, as the interface IP address on router B has to be used for traffic going to subnet C.

So NATing has to be done on router B.

Please see http://www.knudde.be/NAT.jpg for a little drawing.

The blue text is what I want to do.


Thank you!

This is exactly what I need.

Good stuff. How would something like this be achieved using a PIX instead of a router (e.g. come through the RAN interface then overload NAT to the Outside interface)?

Regards
