IPSec, static NAT and route-maps

JohnVottero · ‎01-28-2009

I use static NET to expose some servers to the internet. I created an IPSec tunnel from a remote office to the central office which worked but, the remote office could not connect to the servers that have static NAT mappings.

I added a route-map to the static mappings like this:

ip nat inside source static 192.168.12.9 64.233.220.44 route-map NATRouteMap

route-map NATRouteMap permit 1

match ip address 104

access-list 104 deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0 255

access-list 104 permit ip 192.168.12.0 0.0.0.255 any

Everything seemed to work fine until e-mail started bouncing. Without the route-map on the ip nat, connections from 192.168.12.9 would have a source IP address of 64.233.220.44, exactly what the static mapping says. With the route-map, connections from 192.168.12.9 have a source IP address of 64.233.220.46 which is the external interface and pooled NAT ip address.

How can I have out bound static mapping and still access the server from the IPSec tunnel?

drolemc · ‎02-03-2009

Here is a config example that might help:

http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_configuration_example09186a008017ee15.shtml

JohnVottero · ‎02-03-2009

Thanks for the reply. I may be missing the obvious but, I don't see anything in that config that will help me.

My problem is with static NAT which seems to be broken when you add a route-map.

paolo bevilacqua · ‎02-03-2009

Hi, it's a bit difficult for a "third party" to understand exactly your situation and what you need to do.

However looking at your usage of the route map, you see that first you define a static 1:1, then use a route map that defines more addresses ? That seems contradictory in itself.

You could then use the ACL directly in nat statement to define what you want natted to 64.233.220.44 and what not.

JohnVottero · ‎02-04-2009

I added the route-map to the static NAT to allow a remote network that is using an IPSec tunnel to access the internal IP addresses. The route-map prevents NATing for packets to/from the remote IPSec network.

I did this based on this configuration example:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

It almost works except, outbound packets are never NATed by the static NATs.

paolo bevilacqua · ‎02-05-2009

The thing is that the static nat specifies a single host, so I don't see why the route map is necessary to prevent the network to be natted.

Then again I might have misunderstood.

JohnVottero · ‎02-05-2009

When packets come in from the IPSec tunnel, the replies get NATed because of the static NAT. The NATed replies don't match the IPSec selection so they don't get encrypted and sent back through the IPSec tunnel.

paolo bevilacqua · ‎02-06-2009

I see. This happens because you have another nat statement or more, and even if the route-map prevents natting on the static nat for a certain global address, it still is subject to the other.

There are probably few things that you can try:

- use a gre tunnel over ipsec so you will have better control on what is natted and what is not - tunnel interface would have no nat statment. You can reuse the crypto maps and simply add tunnel protection with gre config.

This is also the best solution as it let you add more networks go over tunnel w/o changing the crypto maps.

- use more route maps so that the pooled nat never nats for 64.233.x.x

- investigate use of virtual nat interfaces- I'm not very familiar with these anyway.