NAT on a Stick

Unanswered Question
Sep 1st, 2010

Hi All


I'm trying to configure NAT on a Stick using a Cisco 881 router using Cisco Configuration Professional.  Based on the Cisco document "Network Address Translation on a Stick" (Document ID:6505) I ran into some questions.


1) The document states to use the Cisco Feature Navigator II to determine which IOS version I could use with this feature.  But I have no idea what feature exactly I have to look for in the Cisco Feature Navigator.  Could anybody please help me with this? Right now I'm using Version 12.4(24)T3.


2) As I mentioned above, I'm trying to use Cisco Configuration Professional (version 2.2).  As stated in the document I created a Loopback interface.  Following the document I should now designate the loopback interface as inside NAT interface.  However, trying to do this fails, because it is not possible to configure the loopback interface.  Instead of showing the select box with options inside/outside/<none> (as it is e.g. on VLAN interfaces) the select box is greyed out and states <NOT-SUPPORTED>.  Does anybody know why?  Is this because I'm using a wrong IOS version, is it a bug in Cisco Configuration Professional or something else I'm missing?


Thanks for your help.


Stefan

Federico Coto F... Wed, 09/01/2010 - 08:35

Hi,


If you would like to explain the scenario for what you're trying to accomplish with NAT on a Stick, I can help you configure it via CLI.

Or someone else could help you out with CCP.


Federico.

stefan.gillich Wed, 09/01/2010 - 09:29

Hi Federico


Thanks a lot for your reply.


Could you tell me if the IOS version I'm using is capable of this functionality?


I will try to put something together (sketches, ...) to make it more clear  (see Attachment).


In addition a little description in words (as good as I could):

The clients in the remote location (network 10.10.10.0/24) should be able to talk to clients in the near location (network 10.10.30.0/24).  The remote clients are configured to use the gateway 10.10.10.1.  Data packets received on gateway 10.10.10.1 are routed directly to network 10.10.20.0/24 or to the next gateway 10.10.20.1 except for traffic with destination address from network 10.10.30.0/24.  This traffic is rerouted to the Cisco 881 router with IP address 10.10.10.2.  Now I want this router to build a VPN tunnel to the near location ASA with IP address 192.168.30.1.


To do that, my idea was to create a virtual interface (loopback, NAT inside) on the Cisco 881 with IP address 192.168.10.1.  All traffic received on 10.10.10.2 - NAT outside - (should be traffic from network 10.10.10.0/24 to 10.10.30.0/24 only - routed to 10.10.10.2 from gateway 10.10.10.1) should then be routed using a route-map to 192.168.10.1. Between inside and outside there should be a NAT for IP addresses 10.10.10.0/24 to 10.40.40.0/24.  The VPN configuration is on the interface 10.10.10.2. Here it should be rated as interesting traffic and cause the VPN tunnel to be created.


I'm not in the office anymore.  As soon as I'm back tomorrow I could paste my non-working configuration.  This may help you understand what I'm trying to do and maybe point out my error.


Thanks a lot.


Stefan

stefan.gillich Wed, 09/01/2010 - 23:44

Hi Federico


I updated the sketch attached to my previous reply slightly (corrected one error and added loopback0 interface).


Below you can see the configuration as it is right now (still not working).  I tested the VPN tunnel using Cisco Configuration Professional.  The VPN tunnel itself looks fine.  Must be something wrong with route and NAT.


==============================================================================================


version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TEST
!
boot-start-marker
boot system flash c880data-universalk9-mz.124-24.T3.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 $1$0KZ4$S65tv.EKwuTR3exlfKXsD/
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1535404978
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1535404978
revocation-check none
rsakeypair TP-self-signed-1535404978
!
!
crypto pki certificate chain TP-self-signed-1535404978
certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31353335 34303439 3738301E 170D3130 30383236 30363439
  35305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35333534
  30343937 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B55B 507D3DFD C2E028CF C6E2798D 70B4CDA7 E7CDB892 C2CD1580 3B8C1AB9
  EA5CB2D7 21024492 305A4AAC 05AB70C6 8F6DC00F 934A6FEB 6D19B46F E25AE0BD
  76350D93 B936CE8D 61589204 5DDE0161 E1322698 47ACBD61 39625970 FFA0549B
  2DC3AF65 3819BB39 16D249D1 C7E327E7 BCB511E7 642098CD 1CD0256C C938411D
  20A30203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 147A92AF 6814610C BB29B366 39542604 3621C07F
  46301D06 03551D0E 04160414 7A92AF68 14610CBB 29B36639 54260436 21C07F46
  300D0609 2A864886 F70D0101 04050003 81810014 1CF65E51 91F9CAD7 271E2690
  B725CDB9 F3F35E2D 7C6F08C0 B0069DA2 3EC548BB 7EB67516 6E3E1510 BE298ACA
  3F3C78E3 77D7DD38 06909174 DECD89D4 A8B39B1F 0073004D 3B135AB2 B8C2A2F8
  F30DB7DC 2E93387F 3ACD16E2 50BC3F54 183CDF5E 1FFAED90 DECF155E 7BC4EBD0
  7D02766A 3467C58A C88D976D 44F7CA84 0C81DD
   quit
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name sigpack.com
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
username MCAdmin privilege 15 secret 5 $1$UFpt$D/6klqFSrp.f212e9UcU11
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key xxxxxxxxxxxxxxx address 192.168.30.1 no-xauth
!
!
crypto ipsec transform-set VPN_Maschinen esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 192.168.30.1
set peer 192.168.30.1
set security-association idle-time 300
set transform-set VPN_Maschinen
match address 103
!
archive
log config
  hidekeys
!
!
!
!
!
interface Loopback0
ip address 192.168.10.1 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
description Machine Network$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.2 255.255.255.0
no ip redirects
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip policy route-map NAT_VPN
no autostate
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.10.1 permanent
ip route 10.40.40.0 255.255.255.0 Loopback0 permanent
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static 10.10.10.0 10.40.40.0 /24
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 103 remark Interesting VPN Traffic
access-list 103 remark CCP_ACL Category=4
access-list 103 permit ip 10.40.40.0 0.0.0.255 10.10.30.0 0.0.0.255
access-list 110 remark Route Remote Support Traffic
access-list 110 remark CCP_ACL Category=1
access-list 110 permit ip 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255
no cdp run

!
!
!
!
route-map NAT_VPN permit 10
match ip address 110
set ip next-hop 192.168.10.1
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end


===============================================================================================


What I found in the meantime is the following:

If I ping 10.10.30.56 from client 10.10.10.131, the route-map works fine.  Also the NAT for IP address 10.10.10.131 to 10.40.40.131 looks OK.  Debugging with "debug ip nat" shows that IP 10.10.10.2 is trying to reach 192.168.30.1 (which is correct, because the VPN tunnel is initiating).  But IP address 10.10.10.2 is NATed to 10.40.40.2, which is wrong.  So, something with my NAT (or maybe route) is wrong.



Best regards

Stefan

Federico Coto F... Thu, 09/02/2010 - 08:54

One question that I have is: if the IPsec tunnel goes over the Internet, how could it be defined between private IPs?
The 881 has 10.10.10.2 and the VPN peer (ASA) 192.168.30.1.

Are these two addresses NATed in order to establish the tunnel?


The concept that you're trying to accomplish can be done, I just want to clarify the first things first to understand.


Federico.

stefan.gillich Thu, 09/02/2010 - 23:07

Hi Federico


Sorry for the confusion.

For right now, I'm testing in our lab with private addresses only.  IP address 10.10.10.2 is being translated (PAT) to interface IP 192.168.20.1.  In the end, the connection will run over the Internet and for sure use public IP addresses.  The 192.168.30.1 will be a public IP address as well as 192.168.20.1.  The 10.10.10.2 will then be translated (PAT) to the public IP address as well.  Since both VPN endpoints support NAT-T, this part worked fine from the beginning.


I could get the configuration I posted yesterday to work by changing the static NAT to not include the 10.10.10.2.


What I tried first to NAT is:

ip nat inside source static 10.10.10.0 10.40.40.0 /24 (see earlier posting)


Now I changed to:

ip nat inside source static 10.10.10.0 10.40.40.0 /31

ip nat inside source static 10.10.10.3 10.40.40.3 /32

ip nat inside source static 10.10.10.4 10.40.40.4 /30

ip nat inside source static 10.10.10.8 10.40.40.8 /29

ip nat inside source static 10.10.10.16 10.40.40.16 /28

ip nat inside source static 10.10.10.32 10.40.40.32 /27

ip nat inside source static 10.10.10.64 10.40.40.64 /26

ip nat inside source static 10.10.10.128 10.40.40.128 /25


This way it works fine. Looks like IP address 10.10.10.2 got NATed without having data packets travelling from the NAT inside to the NAT outside interface.  I didn't expect this.

Doing a dynamic NAT (including the 10.10.10.2 IP address) instead of the static NAT will also result in a working configuration.  Looks like in case of dynamic NAT the data packets really have to travel through the interfaces to get NATed.


ip nat pool NAT_Maschinen 10.40.40.0 10.40.40.255 netmask 255.255.255.0 type match-host
ip nat inside source list 20 pool NAT_Maschinen
access-list 20 deny   10.10.10.2
access-list 20 permit 10.10.10.0 0.0.0.255

Since I have to initiate client connection from both sides:


10.10.30.56 -> 10.40.40.131 (10.10.10.131)

10.10.10.131 (10.40.40.131) -> 10.10.30.56


I guess I will have to go with static NAT and just exclude the interface IP 10.10.10.2 from the NAT statement.  Is there a better way to do the exclude than what I did up to now (see config above)?  Maybe something analogous to the exclude I did for dynamic NAT?


Thanks a lot for your help.


Stefan
