NAT Over VPN Tunnel

jbrunsting
Level 1

I've been doing some research on this topic, and I'm asking for some help. I have a VPN tunnel I'm trying to set up to a remote network (that I have no control over). However, that remote network has used all private IP addresses. Meaning that I cannot assign my network any private IP addresses to use over the tunnel. I need to do NAT on a completely different IP address across the tunnel. I need the far end of the tunnel to see an address other than the private address which is assigned to the machines on this end. So rather than disabling NAT across the tunnel, I need to ENABLE NAT over the tunnel, but I need it to be a NAT to a completely different IP than the one I have set up on the external interface for doing PAT out to the internet! I hope I've explained this well enough and someone out there can help me. Thanks.

18 Replies

Jon Marshall
Hall of Fame

Hi

Couple of questions

1) Do you just need one way connection ie. you will always initiate the connection to the remote end.

2) Do you want to hide all your source IP addresses behind one single IP address and then send it down the tunnel so that the remote end sees all traffic as coming from one address only.

One other thing - what type of device do you have at your end.

This is perfectly doable, I just need to know your exact requirements.

Jon

1) No, I think traffic needs to be able to originate from either end.

2) Yes, I'd love to be able to use any machine on my local network over the VPN. It would simplify the use of the tunnel.

At my end I have an 1841 running ver. 12.4 of the advsecurity IOS.

Hi

Sorry about this but one last quick question.

Are the same addresses being used at both ends, i.e. is there an overlap between the local and remote subnets?

The key thing here is what destination IP addresses you need to get to at the remote site and what your source IP addresses are

AND

what destination IP addresses the remote site is trying to get to and what their source IP addresses would be.

I need to know this before I can supply a config.

I've got to nip to a meeting but should be back in about an hour.

Jon

Okay, here's hoping I get everything here, since my brain is starting to overheat, I think.

Our network is using 192.168.1.0/24, but the problem is, those IPs are in use on the other end as well. Basically, there is a 100% overlap.

There are three IPs at the other end we need to be able to reach; they're not subnetted, they're just individual IPs. Let's just call it 172.16.1.1. Our source IP, the one we're trying to pretend to be, is 64.81.139.81. That's going to be the IP NATted over the VPN tunnel (assuming I ever get that thing running).

I'm also just assuming that they're only going to be trying to access the main (64.81.139.81) IP on this end, though I'll have to set up some kind of access-list to send traffic to the right location. I don't think that, if they originate the traffic on the other end, they'll be able to go to any machine on our end if we're using NAT. There's just no way for them to differentiate the machines if we're hiding like this. However, that being said, I would assume our server would be the single machine they'd probably need access to, so its inside local address is 192.168.1.250.

Hi

Okay, first things first, I am assuming that the machines you are trying to access at the remote site are not in the 192.168.1.0/24 range.

As you say, let's assume 172.16.1.1

172.16.1.10

172.16.1.20

I'm also assuming that the 64.81.139.81 address is not attached to an interface.

So

int loopback 10

ip address 64.81.139.81 255.255.255.255

NOTE - if 64.81.139.81 is allocated to your outside interface on your 1841 then you don't need to create the loopback interface.

Next you need to NAT your source IP addresses based on this

access-list 101 permit ip 192.168.1.0 255.255.255.0 host 172.16.1.1

access-list 101 permit ip 192.168.1.0 255.255.255.0 host 172.16.1.10

access-list 101 permit ip 192.168.1.0 255.255.255.0 host 172.16.1.20

ip nat inside source list 101 interface loopback 10

Note - as before if you didn't need to create loopback 10 because the 64.x.x.x address was assigned to your outside interface then just change the interface bit of the above nat statement.

Okay that will NAT any 192.168.1.0 addresses going to any of the 172.16.1.x addresses to 64.81.139.81

Now all you have to do is create your VPN as normal, only in the crypto access-list, i.e. the one that says

match address "access-list"

your access-list must now reference 64.81.139.81 and not the 192.168.1.x addresses, because they have already been NATted, so

access-list vpntraffic permit ip host 64.81.139.81 host 172.16.1.1

access-list vpntraffic permit ip host 64.81.139.81 host 172.16.1.10

access-list vpntraffic permit ip host 64.81.139.81 host 172.16.1.20

This should sort out traffic from your end.

Now let's cover off the 192.168.1.250 server. You just need to present this to the remote end as any address that doesn't conflict with anything they have there. It doesn't have to be a public IP address - you will need to agree with the remote people. Let's say for argument's sake you agreed on 10.227.10.250

ip nat inside source static 192.168.1.250 10.227.10.250

in your crypto map access-list vpntraffic add the following line

** Edit -

this should read

access-list vpntraffic permit ip host 10.227.10.250 host x.x.x.x

host x.x.x.x will be whatever they present their addresses as to you, i.e. you are hiding all your addresses behind 64.x.x.x; what are they doing with their source IP addresses?

Finally you need to add to the inside interface

int fa0/0

ip nat inside

and the outside interface

int fa0/1

ip nat outside

Note that loopback 10 can be any number as long as it doesn't conflict with anything you have.

Okay, that's quite a bit to do. Remember that whatever your crypto access-list has in it, the remote end must also have this but with the source and destination flipped.

I haven't been able to fully test this in our lab so there might be a few issues, please be careful if dealing with a production setup.

Please come back if there are any problems or just to let me know it worked.

HTH

Jon

Okay, this looks really good, and I think it's exactly what I've been waiting for. I'm waiting on my counterpart on the other end to give me a call back so we can test this, but I'll definitely let you know what happens with it.

Of course, any remaining problems might also be with my more-than-rusty vpn tunneling skills.

Okay, well, the tunnel seems to be fully implemented; the guy at the other end can see it come up (I dunno about my end, I don't seem to have a tunnel interface, so I'm not sure how to check). ANYway, so the tunnel comes up, but for some reason, I can't pass any traffic through it. I've also learned that there won't be any traffic originating from the far end, only traffic originating from my end and going out.

Hi

Can you post your config + the source IP address you are coming from and the destination address you are going to.

Useful commands to see if your tunnel is working:

sh crypto isakmp sa

sh crypto ipsec sa

Jon

I would be thrilled to.

I've also attached the results of the sh crypto ipsec sa command as well. sh crypto isakmp sa only gives me this:

dst src state conn-id slot status

Okay, I keep doing this recently. Referring back to my post with all the config

access-list 101 permit ip 192.168.1.0 255.255.255.0 host 172.16.1.1

access-list 101 permit ip 192.168.1.0 255.255.255.0 host 172.16.1.10

access-list 101 permit ip 192.168.1.0 255.255.255.0 host 172.16.1.20

Can you change the subnet masks to 0.0.0.255

eg.

access-list 101 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.1

etc..

Apologies for that. PIX uses 255.255.255.0 but router IOS needs the inverse mask 0.0.0.255.

Could you update the access-list and then retest.

Couple of other things - can you let me know what your source IP address is and the destination IP address at the remote end when you test the setup.

Lastly when you post configs can you make sure you remove any sensitive info like the IPSEC keys etc..

Jon
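The two points Jon makes above (the inside-source NAT runs first, so the crypto ACL must match the translated 64.81.139.81 source, and an IOS ACL takes a wildcard mask, not a subnet mask) can be checked with a small model of ACL evaluation. This is an added example, not code from the thread or from Cisco; it uses the thread's own addresses (192.168.1.0/24, the 172.16.1.x placeholders, 64.81.139.81) and the `outbound_path`/`acl_permits` names are mine.

```python
# Added example: models IOS wildcard-mask ACL matching and the
# "NAT before crypto ACL" ordering discussed in the thread.
import ipaddress

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (n & care)

def acl_permits(acl, src, dst):
    """acl: list of (src_net, src_wc, dst_net, dst_wc) permit entries.
    First match wins; no match means the implicit deny at the end."""
    for s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return True
    return False

HOST = "0.0.0.0"   # 'host x.x.x.x' is shorthand for wildcard 0.0.0.0
REMOTE_HOSTS = ["172.16.1.1", "172.16.1.10", "172.16.1.20"]  # thread placeholders
NAT_POOL = "64.81.139.81"   # address on loopback 10 in Jon's config

# Constructed from the thread: list 101 as first posted (subnet mask by mistake)
# and as corrected (wildcard mask), plus the crypto ACL on the NATted source.
ACL_101_WRONG = [("192.168.1.0", "255.255.255.0", h, HOST) for h in REMOTE_HOSTS]
ACL_101_FIXED = [("192.168.1.0", "0.0.0.255", h, HOST) for h in REMOTE_HOSTS]
CRYPTO_ACL = [(NAT_POOL, HOST, h, HOST) for h in REMOTE_HOSTS]

def inside_source_nat(src, dst, nat_acl):
    """'ip nat inside source list 101 interface loopback 10':
    translate the source only if the NAT ACL permits the flow."""
    return NAT_POOL if acl_permits(nat_acl, src, dst) else src

def outbound_path(src, dst, nat_acl):
    """Inside -> outside: NAT first, then the crypto map's 'match address'.
    Returns (source seen by the tunnel, whether it is interesting traffic)."""
    translated = inside_source_nat(src, dst, nat_acl)
    return translated, acl_permits(CRYPTO_ACL, translated, dst)

if __name__ == "__main__":
    for name, acl in (("wrong mask", ACL_101_WRONG), ("fixed mask", ACL_101_FIXED)):
        print(name, outbound_path("192.168.1.102", "172.16.1.1", acl))
```

With the subnet mask, wildcard 255.255.255.0 only "cares" about the last octet, so 192.168.1.102 never matches 192.168.1.0, the NAT rule never fires, and the untranslated 192.168.1.102 source then fails the crypto ACL as well.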

Okay, first of all, I'm an idiot. I know that stuff about IPSec keys, etc. I think it's just been a VERY long week for me. What's more, I know that about reversing the masks for access-lists, but I didn't even catch it.

It still doesn't seem to be working, however. Here's the edited part of that config as it looks now:

access-list 101 permit ip 192.168.1.0 0.0.0.255 host 148.162.55.57

access-list 101 permit ip 192.168.1.0 0.0.0.255 host 148.162.245.33

access-list 101 permit ip 192.168.1.0 0.0.0.255 host 157.241.184.73

The source IP address for this tunnel is, I would assume, my public IP, which is 64.81.149.76 and the destination IP at the remote end is 208.247.100.149. If you mean the numbers inside, then from my end it's 192.168.1.102 and on the other end, it's 157.241.184.73.

I know what you mean about long weeks :)

Config looks okay now to me, so I will log into the lab at work over the weekend and test this out, because I can't see why it won't work to be honest.

Do you know if it is not coming up in the same way as before you amended the access-list, i.e. before the amendment the tunnel would not have come up because the traffic didn't match the access-list, but it should now.

You can run some debugging commands on your router

debug crypto isa

debug crypto ipsec

We need to work out if it is your router not initiating the connection or if it is a config issue on the other end.

Jon

It's kind of hard to say. Neither of the debug commands seems to give me any information. However, it seems to be the same issue now. When I try to do a simple ping of one of the servers on the other end, all I get is "Request timed out" from a Windows box, or just "....." from the router itself.

I would love it if you could test this out and let me know what you find.

Okay, leave it with me and I'll have a look at it over the weekend.
