×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Site to Site VPN with NAT for specific hosts

Unanswered Question
Jul 17th, 2013
User Badges:

I have probably been staring at this too long and I am therefore missing something.


I have a requirement for a VPN tunnel to another vendor, but this tunnel is only going to allow for three internal LAN hosts to have access in to the vendor's network.  Additionally, the subnets overlap, so those three hosts need to be NATed   Not too terribly hard, right?  Well, I did manage to get it working, however now the three LAN hosts are ALWAYS being NATed and therefore can't get to the internet.


Basically, I am trying to have it NAT to these specific IP's only when the packets are coming from these three hosts and are destined to the vendor's networks (over the VPN tunnel).  For all other communication to the outside, I want it to NAT like any other hosts on the local LAN subnet.


The LAN is : 172.16.50.0/24 and the hosts are .90,.206, and .214

The NAT is: 10.224.1.25 through .26


I went about and created a Network Objects for the NAT'ed IP's for each of the three hosts:  HostA_NAT, HostB_NAT, HostC_NAT


I created Network Objects for the LAN IP's for each of the three hosts.  In doing so, I selected "Add Automatic Translation Rules" and selected the Network Object for the NAT'ed IP that correspondes.  So for HostA, I selected "HostA_NAT" and so on.


I also created the ACL from the source address of the NATed IP's to the vendor's networks.


Now, the result is that the vendor can communicate to these hosts, and these hosts can communicate back, but these hosts cannot communicate to out to the internet.


I know I must be missing something simple here, and I suspect it has to do with the static nat setup.  However, I am at a loss as to where to look.


Thanks!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jouni Forss Wed, 07/17/2013 - 12:47
User Badges:
  • Super Bronze, 10000 points or more

Hi,


I would personally like to see the NAT configurations in CLI format.


I presume that you have now configured basically Static NAT with the Network Object NAT configurations. This means that this NAT will be used for any destination address behind the "outside" interface and therefore its causing problems for your Internet traffic too.


So the NAT configurations should instead look something like this

  • Using an example remote LAN network
  • You mentioned 2 NAT IPs, presumed the third one
  • Used example interface names


object-group network SOURCE-REAL

network-object host 172.16.50.90

network-object host 172.16.50.206

network-object host 172.16.50.214


object-group network SOURCE-MAPPED

network-object host 10.224.1.25

network-object host 10.224.1.26


network-object host 10.224.1.27


object network REMOTE-LAN

subnet 192.168.10.0 255.255.255.0


nat (inside,outside) source static SOURCE-REAL SOURCE-MAPPED destination static REMOTE-LAN REMOTE-LAN



Using the above configuration would mean that the NAT for the L2L VPN connection would only be applied to these 3 hosts when the destination network was the subnet configured under REMOTE-LAN.


Notice that the Real and Mapped source addresses are mapped between eachother in the order they are entered inside the "object-group". You have the option ofcourse creating an "object network" or "object-group network" for each host separately and pair them that way. You would also need 3 NAT configurations to do all them that way.


- Jouni

Actions

This Discussion