NAT over VPN Traffic

Answered Question
Sep 14th, 2010

Hello everybody, I need some help with a VPN configuration. This is the problem: I need to NAT all the VPN traffic because I need to set up a VPN, but I already have another VPN with the same network, so it overlaps with the new one. How can I NAT all the traffic to another network to avoid the network overlap?


Please, I really need help.


Thanks


Federico Coto F... Tue, 09/14/2010 - 15:08

Hi,


If you have an ASA, then you NAT using Policy NAT, something like this:


Site A:

access-list NAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

static (in,out) 10.3.3.0 access-list NAT


Site B:

access-list NAT permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0

static (in,out) 10.2.2.0 access-list NAT


Both internal networks are 10.1.1.0/24, but the VPN communication (after NAT) is between 10.2.2.0/24 and 10.3.3.0/24.


Federico.

Enrique Romero ... Tue, 09/14/2010 - 15:24

Hi, thanks. I have a Cisco 1711 router; do you know how to do it on this equipment? I must have PAT for Internet access and NAT for VPN traffic.


Thanks a lot

Federico Coto F... Wed, 09/15/2010 - 07:36

You use the same idea that I showed you before.

If you need more help please post the networks for both sides and we'll show the configuration commands.


Federico.

Enrique Romero ... Wed, 09/15/2010 - 07:42

Hello, thank you, I really appreciate your help. Here are both site networks:


SITE A: 192.168.28.0/24

SITE B: 192.168.1.0/24


I want to NAT the segment 192.168.1.0/24 to 10.10.10.0/24 because on the SITE A router I already have another VPN with the 192.168.1.0/24 segment, so it overlaps with the new one, and I must have Internet access on the SITE B router.


Thanks

Federico Coto F... Wed, 09/15/2010 - 17:13

The configuration varies if you have ASAs or routers as VPN endpoints.


Do you have routers or ASAs?


Federico.

Federico Coto F... Thu, 09/16/2010 - 15:53

For example:


If the LAN is 192.168.1.0/24 and you want to NAT it to 192.168.2.0/24 when going through the tunnel:


ip nat inside source static network 192.168.1.0 192.168.2.0 /24


The problem with this is that it will always translate the network (not only when going through the tunnel).

If you do:


ip nat inside source static 192.168.1.1 192.168.2.1 route-map NAT


Then you can bind a route-map to specify that the static NAT rule will take effect only when the route-map conditions are met.

The problem is that you will need to do one IP at a time.


On ASAs it is a lot easier.

Perhaps someone else has tried this (because I don't see how to apply a route-map when specifying a network in the static NAT).


Federico.

Enrique Romero ... Fri, 09/17/2010 - 08:44

OK, I think I understand you. This is my config:


MiniBox#sh run
Building configuration...

Current configuration : 2181 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MiniBox
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
clock timezone Mexico -6
clock summer-time Mexico date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip ips po max-events 100
no ftp-server write-enable
!
!
!
username ***** privilege 15 secret 5 *******
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ***** address *****
no crypto isakmp ccm
!
!
crypto ipsec transform-set MiniBox esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer ******
 set transform-set MiniBox
 match address 101
!
!
!
interface FastEthernet0
 ip address 10.1.131.85 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
!
interface FastEthernet1
 no cdp enable
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 no cdp enable
!
interface FastEthernet4
 no cdp enable
!
interface Vlan1
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
!
ip classless
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static network 192.168.1.0 10.10.44.0 /24
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.28.0 0.0.0.255
no cdp run
!
!
control-plane
!
!
line con 0
 login local
line 1

MiniBox#




Am I OK or not? In ACL 101, must I have the NAT segment 192.168.1.0 as my permitted traffic, or my no-NAT segment? And what if I want to NAT to have Internet access?


Thanks

Federico Coto F... Fri, 09/17/2010 - 10:18

ip nat inside source static network 192.168.1.0 10.10.44.0 /24
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.28.0 0.0.0.255


The ACL 101 should be:


access-list 101 permit ip 10.10.44.0 0.0.0.255 192.168.28.0 0.0.0.255


The reason is that since you're translating the 192.168.1.0/24 to 10.10.44.0/24 when going through the tunnel, then the ACL for VPN traffic should specify the translated address as the local network.


Again, I don't see an option for making this NAT a conditional NAT.

If you need NAT for Internet, you can try the following:


ip nat inside source static 192.168.1.1 10.10.44.1 route-map VPN


route-map VPN

  match ip address VPN-traffic


ip access-list extended VPN-traffic

   permit ip 192.168.1.0 0.0.0.255 192.168.28.0 0.0.0.255


In this way, host 192.168.1.1 will be translated to 10.10.44.1 only when going to 192.168.28.0/24.


Try it and see if it works.


Federico.

Enrique Romero ... Fri, 09/17/2010 - 11:30

Hi, the first one works perfectly, but with the second one, when I want to access the Internet it doesn't work; for the VPN it works. Here is my config.


MiniBox#sh run
Building configuration...

Current configuration : 2335 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MiniBox
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
clock timezone Mexico -6
clock summer-time Mexico date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip ips po max-events 100
no ftp-server write-enable

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key **** address ******
no crypto isakmp ccm
!
!
crypto ipsec transform-set MiniBox esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer *******
 set transform-set MiniBox
 match address 101
!
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address 10.1.131.85 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
!
interface FastEthernet1
 no cdp enable
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 no cdp enable
!
interface FastEthernet4
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.131.1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static 192.168.1.100 10.10.44.100 route-map VPN
!
!
!
ip access-list extended VPN-traffic
 permit ip 192.168.1.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 101 permit ip 10.10.44.0 0.0.0.255 192.168.28.0 0.0.0.255
no cdp run
!
route-map VPN permit 10
 match ip address VPN-traffic
!
!
control-plane
!
!
line con 0
 login local
line 1
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
end




We are really close. Thanks for all your help, I really appreciate it.

Correct Answer
Federico Coto F... Fri, 09/17/2010 - 11:33

You're saying that 192.168.1.100 is able to go through the tunnel and to the Internet now?


Try adding another....


ip nat inside source static 192.168.1.101 10.10.44.101 route-map VPN


for example.


Federico.

Correct Answer
Federico Coto F... Fri, 09/17/2010 - 11:40

Normally you would add:


ip access-list extended INTERNET
  deny ip 192.168.1.0 0.0.0.255 192.168.28.0 0.0.0.255
  permit ip 192.168.1.0 0.0.0.255 any


route-map INTERNET
  match ip address INTERNET


ip nat inside source route-map INTERNET interface FastEthernet0 overload


to allow 192.168.1.0/24 Internet access (except when going through the tunnel).


Try that, but I did notice that the outside interface has a private IP (where the VPN tunnel ends).

Is this tunnel going over the Internet? If so, something else might be NATing the IP.


Federico.
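How the three pieces discussed in this thread interact (the per-host static NAT bound to route-map VPN, the overload rule bound to route-map INTERNET, and crypto ACL 101), modelled as an added Python example that is not code from the thread or from Cisco. It assumes the IOS inside-to-outside order of operations (NAT before the crypto map) and that a static entry takes precedence over the overload rule; addresses are the ones posted in the thread, and the Internet destination is a constructed sample.

```python
# Added example (not from the thread or Cisco): models how the thread's
# static NAT with route-map VPN, the INTERNET overload rule and crypto ACL 101
# interact for a packet going from Vlan1 (inside) to FastEthernet0 (outside).
# Assumes the IOS inside-to-outside order: NAT first, then the crypto map,
# and that a static NAT entry wins over the dynamic overload rule.
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS ACL semantics: a 1 bit in the wildcard mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def acl_permits(acl, src: str, dst: str) -> bool:
    """Evaluate an extended ACL top-down with the implicit deny at the end."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


ANY = ("0.0.0.0", "255.255.255.255")

# ip access-list extended VPN-traffic (matched by route-map VPN)
VPN_TRAFFIC = [AclEntry("permit", "192.168.1.0", "0.0.0.255", "192.168.28.0", "0.0.0.255")]
# ip access-list extended INTERNET (matched by route-map INTERNET)
INTERNET = [
    AclEntry("deny", "192.168.1.0", "0.0.0.255", "192.168.28.0", "0.0.0.255"),
    AclEntry("permit", "192.168.1.0", "0.0.0.255", *ANY),
]
# access-list 101 as first posted (pre-NAT source) and as corrected (post-NAT source)
CRYPTO_101_ORIGINAL = [AclEntry("permit", "192.168.1.0", "0.0.0.255", "192.168.28.0", "0.0.0.255")]
CRYPTO_101_FIXED = [AclEntry("permit", "10.10.44.0", "0.0.0.255", "192.168.28.0", "0.0.0.255")]

# ip nat inside source static <local> <global> route-map VPN -- one entry per host,
# which is why the thread needs a separate line for 192.168.1.101, .102, ...
STATIC_VPN = {"192.168.1.100": "10.10.44.100"}
OUTSIDE_IP = "10.1.131.85"  # FastEthernet0, the address the overload rule PATs to


def forward(src: str, dst: str, crypto_acl=CRYPTO_101_FIXED):
    """Return (source address on the wire, disposition) for an inside->outside packet."""
    if src in STATIC_VPN and acl_permits(VPN_TRAFFIC, src, dst):
        new_src = STATIC_VPN[src]          # 1. static NAT, only when route-map VPN matches
    elif acl_permits(INTERNET, src, dst):
        new_src = OUTSIDE_IP               # 2. PAT for Internet-bound traffic
    else:
        new_src = src                      # 3. no NAT rule matched; leaves untranslated
    # The crypto map on FastEthernet0 evaluates the packet after translation.
    if acl_permits(crypto_acl, new_src, dst):
        return new_src, "ipsec-tunnel"
    return new_src, "clear-text"


if __name__ == "__main__":
    for src, dst in [("192.168.1.100", "192.168.28.5"),   # VPN host to site A
                     ("192.168.1.100", "203.0.113.9"),    # same host to the Internet (constructed)
                     ("192.168.1.101", "192.168.28.5")]:  # host with no static entry
        print(src, "->", dst, forward(src, dst))
```

The third case is the one to watch when auditing this design: a host with no static entry matches neither NAT rule nor crypto ACL 101, so its packets to site A leave FastEthernet0 unencrypted instead of failing closed.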
