NAT on destination

Jul 23rd, 2010

Hi all,

I'm trying to do the following but I need a little help with this.

Scenario:

I have 2 routers that are connected via a VPN tunnel and both have internet connection. On both routers I want to make sure that internet is working with PAT, but when my destination is the remote subnet over the VPN tunnel I want to translate that into another subnet, because they have the same LAN subnet.

Router A:

WAN IP: 1.1.1.1

LAN IP: 192.168.0.1/24

VPN traffic: 192.168.0.0/24 needs to be NAT'ed into 10.0.0.0/24

All other traffic needs to use the PAT rule for internet access.

Router B:

WAN IP: 1.1.1.2

LAN IP: 192.168.0.1/24

VPN traffic: 192.168.0.0/24 needs to be NAT'ed into 10.0.1.0/24.

All other traffic needs to use the PAT rule for internet access.

Question:

What do I need to do to get this working?

Kind regards,

Erik

Phillip Remaker Wed, 08/18/2010 - 09:02

So to summarize, the two sites have overlapping address space.

Traffic to Internet at either site will PAT to the WAN IP of the local site (well understood config)

Intersite traffic will be NATted to fix the overlapping address problem.

So you need two NAT statements on each router, one for Internet and one for intersite.

Each side's LAN will be "ip nat inside" and the tunnel and WAN interfaces will be "ip nat outside".

The question is, how will devices on Site A and Site B reach one another? Since the addresses overlap, you will probably want to assign static mappings to the devices on each side that the others care about.

So, more details would be helpful. Overlapping address spaces are tricky. If the site uses DHCP and a few static addresses, you might prefer to take a weekend and correct the overlap rather than work on intersite NAT.

erik.metselaar Wed, 08/18/2010 - 11:29

Well, I did find a solution... see my configurations of routers A and B. I tested it with a standard VPN connection and not with a tunnel interface, but it will be the same.

Router A:

Building configuration...

Current configuration : 2018 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-A
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
!
!
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 5
lifetime 28800
crypto isakmp key test address 1.1.1.2
crypto isakmp keepalive 90 12
!
!
crypto ipsec transform-set TEST esp-3des esp-sha-hmac
!
crypto map rtp 20 ipsec-isakmp
description VPN - Site-2-Site VPN to RTR-B
set peer 1.1.1.2
set security-association replay window-size 64
set transform-set TEST
match address 131
!
archive
log config
  hidekeys
!
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description INSIDE
ip address 172.16.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no autostate
!
interface Vlan2
description OUTSIDE
ip address 1.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
crypto map rtp
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Vlan2
no ip http server
no ip http secure-server
!
ip nat inside source route-map VLAN2 interface Vlan2 overload
!
access-list 120 remark **** NAT ****
access-list 120 remark --- No-NAT Local LAN to VPN ---
access-list 120 deny   ip 172.16.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 remark --- NAT all traffic ---
access-list 120 permit ip 172.16.0.0 0.0.0.255 any
access-list 131 remark **** Site-2-Site VPN to RTR-B ****
access-list 131 remark --- Permit Local LAN Subnet to Remote LAN Subnet ---
access-list 131 permit ip 172.16.0.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
route-map VLAN2 permit 10
match ip address 120
match interface Vlan2
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
!
scheduler max-task-time 5000
end

Router B:

Building configuration...

Current configuration : 2344 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR-B
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
!
!
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 5
lifetime 28800
crypto isakmp key test address 1.1.1.1
crypto isakmp keepalive 90 12
!
!
crypto ipsec transform-set TEST esp-3des esp-sha-hmac
!
crypto map rtp 20 ipsec-isakmp
description VPN - Site-2-Site VPN to RTR-A
set peer 1.1.1.1
set security-association replay window-size 64
set transform-set TEST
match address 131
!
archive
log config
  hidekeys
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description INSIDE
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no autostate
!
interface Vlan2
description OUTSIDE
ip address 1.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly
crypto map rtp
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Vlan2
no ip http server
no ip http secure-server
!
ip nat inside source route-map VLAN2 interface Vlan2 overload
ip nat inside source static 192.168.0.1 10.0.0.1 route-map RM-STATIC-NAT extendable
!
ip access-list extended ACL-STATIC-POLICY-NAT
permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
!
access-list 120 remark **** NAT ****
access-list 120 remark --- No-NAT Local LAN to VPN ---
access-list 120 deny   ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 120 remark --- NAT all traffic ---
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
access-list 131 remark **** Site-2-Site VPN to RTR-A ****
access-list 131 remark --- Permit Local LAN Subnet to Remote LAN Subnet ---
access-list 131 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
!
!
!
route-map VLAN2 permit 10
match ip address 120
match interface Vlan2
!
route-map RM-STATIC-NAT permit 10
match ip address ACL-STATIC-POLICY-NAT
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
!
scheduler max-task-time 5000
end

The only thing I can't figure out is how to make the NAT statement on router B work for the whole subnet. Now I have to do this for every IP in the subnet.

Maybe someone knows how to do that?

Kind regards,

Erik
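An added example, not from the thread or from Cisco: a small Python model of the NAT order RTR-B's posted config relies on (static route-map entries first, then the overload rule via access-list 120, then the crypto ACL 131 checked on the already-translated packet). It also generalizes the single per-host static entry to a hypothetical subnet-wide 1:1 mapping (`network_static=True`, host bits preserved) so the whole-subnet case can be compared; the addresses and ACLs are copied from the config above, everything else is constructed.

```python
import ipaddress

# Constructed model of RTR-B's NAT policy from the thread (not IOS code).
LAN_B     = ipaddress.ip_network("192.168.0.0/24")  # real LAN at site B
LAN_B_NAT = ipaddress.ip_network("10.0.0.0/24")     # how site B appears to A
LAN_A     = ipaddress.ip_network("172.16.0.0/24")   # site A's renumbered LAN
WAN_B     = "1.1.1.2"                               # PAT address (Vlan2)

def wildcard_match(addr, base, wildcard):
    """IOS ACL semantics: wildcard bits set to 1 are 'don't care'."""
    a, b = int(ipaddress.ip_address(addr)), int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)

# access-list 120 from RTR-B as (action, src, src_wc, dst, dst_wc)
ACL_120 = [
    ("deny",   "10.0.0.0",    "0.0.0.255", "172.16.0.0", "0.0.0.255"),
    ("permit", "192.168.0.0", "0.0.0.255", "0.0.0.0",    "255.255.255.255"),
]

def acl_permits(acl, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False

# Static entries as posted: one per host (192.168.0.1 -> 10.0.0.1).
STATIC_HOSTS = {"192.168.0.1": "10.0.0.1"}

def translate(src, dst, static_hosts=STATIC_HOSTS, network_static=False):
    """Return the source address a packet leaves Vlan2 with."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. Static entries win over the overload rule; route-map RM-STATIC-NAT
    #    limits them to traffic bound for LAN A.
    if s in LAN_B and d in LAN_A:
        if src in static_hosts:
            return static_hosts[src]
        if network_static:  # hypothetical subnet-wide 1:1 map, host bits kept
            return str(LAN_B_NAT.network_address + (int(s) - int(LAN_B[0])))
    # 2. Dynamic PAT (route-map VLAN2 -> access-list 120) is matched against
    #    the untranslated packet, so a host without a static entry lands here.
    if acl_permits(ACL_120, src, dst):
        return WAN_B
    return src  # no translation

def uses_tunnel(translated_src, dst):
    """crypto map 'match address 131' is evaluated after NAT on the way out."""
    return (wildcard_match(translated_src, "10.0.0.0", "0.0.0.255")
            and wildcard_match(dst, "172.16.0.0", "0.0.0.255"))
```

Running it shows why the per-host approach breaks for the rest of the subnet: a host with no static entry is PATted to 1.1.1.2, which no longer matches ACL 131, so it never enters the tunnel, whereas the subnet-wide mapping yields 10.0.0.x and does.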
