nat ip address communication issue between sites connected through VPN

Jun 18th, 2014

Need a little bit of guidance for the connectivity between 2 natted sites. I have 2 routers which will be doing natting (Internal -> nat IP) before going through the VPN tunnel.

 

Site A natting = 10.208.0.0 /16 to be natted to 1.1.0.0 /16
Site B natting = 10.208.0.0 /16 to be natted to 1.2.0.0 /16

I also added a static route pointing to the inside for when the NAT traffic is coming from the outside, but still no luck.

Configuration of Site A:

ip nat pool NATPOOL 1.1.0.0 1.1.255.255 netmask 255.255.0.0 type match-host
!
ip nat inside source route-map ROUTEMAP-NAT pool NATPOOL
!
route-map ROUTEMAP-NAT permit 10
 match ip address ACL-NAT
!
ip access-list extended ACL-NAT
 permit ip 10.208.0.0 0.0.255.255 1.2.0.0 0.0.255.255
!
! VPN encryption domain
ip access-list extended ACL-VPN
 permit ip 1.1.0.0 0.0.255.255 1.2.0.0 0.0.255.255
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 1.1.0.0 255.255.0.0 GigabitEthernet0/1
!
interface GigabitEthernet0/0
 crypto map S2S_IPSEC_VPN
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 10.208.9.5 255.255.255.128
 ip nat inside
!

Configuration of Site B:

ip nat inside source route-map ROUTEMAP-NAT pool NATPOOL
!
ip nat pool NATPOOL 1.2.0.0 1.2.255.255 netmask 255.255.0.0 type match-host
!
route-map ROUTEMAP-NAT permit 10
 match ip address ACL-NAT
!
ip access-list extended ACL-NAT
 permit ip 10.208.0.0 0.0.255.255 1.1.0.0 0.0.255.255
!
! VPN encryption domain
ip access-list extended ACL-VPN
 permit ip 1.2.0.0 0.0.255.255 1.1.0.0 0.0.255.255
!
interface Dialer1
 ip nat outside
 crypto map S2S_IPSEC_VPN
!
interface FastEthernet1
 ip nat inside
 ip address 10.208.76.102 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 1.2.0.0 255.255.0.0 FastEthernet1

With this configuration, I'm not able to ping from Site A (LAN IP) to the natted IP of Site B and vice versa.

Site A#ping 1.2.76.102 so gi0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.76.102, timeout is 2 seconds:
Packet sent with a source address of 10.208.9.5
.....
Success rate is 0 percent (0/5)
Site A#sh ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
icmp 1.1.9.5:164          10.208.9.5:164        1.2.76.102:164        1.2.76.102:164

However, on Site A I can see encaps on the IPsec incrementing but decaps shows the same, while on Site B I'm seeing incrementing decaps but not encaps. I obtained the same results when pinging Site A from Site B.

Site B#ping 1.1.9.5 so fa1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.9.5, timeout is 2 seconds:
Packet sent with a source address of 10.208.76.102
.....
Success rate is 0 percent (0/5)
MY-PJ-DC-UNIFI-20M-S2S-RTR_1#sh ip nat tr
MY-PJ-DC-UNIFI-20M-S2S-RTR_1#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 1.2.76.102:306    10.208.76.102:306  1.1.9.5:306        1.1.9.5:306

Whenever I do the ping test from Site A, I don't see any ip nat translation at all on the Site B router. The same goes the other way around.

I've tried using the reversible command on the ip nat source command. With this command in place on Router B, I am able to ping the natted IP from Router A to Router B (on the condition that I initiate ping traffic from Router B to Router A first; that ping test fails), but I still can't ping from Router B to Router A.

Router A results:

Router A#ping 1.2.76.102 so gi0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.76.102, timeout is 2 seconds:
Packet sent with a source address of 10.208.9.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
Router A#sh ip nat translations
Pro Inside global         Inside local          Outside local         Outside global
icmp 1.1.9.5:174          10.208.9.5:174        1.2.76.102:174        1.2.76.102:174

Router B results:

Router B#sh run | i nat
ip nat inside source route-map ROUTEMAP-NAT-DKSH-CSSC pool NATPOOL-DKSH-MALAYSIA reversible

Router B#ping 1.1.9.5 so fa 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.9.5, timeout is 2 seconds:
Packet sent with a source address of 10.208.76.102
.....
Success rate is 0 percent (0/5)
MY-PJ-DC-UNIFI-20M-S2S-RTR_1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 1.2.76.102:309    10.208.76.102:309  1.1.9.5:309        1.1.9.5:309
--- 1.2.76.102         10.208.76.102      ---                ---

jovie.siew Wed, 06/18/2014 - 01:57

Any suggestions or ideas would really be appreciated. I've spent a few days but I still can't come to a conclusion on what is wrong, even though I've done tons of research on the NAT process.

nkarthikeyan Wed, 06/18/2014 - 03:56

Hi Jovie,

Can you try the NAT like the below? You can remove the present NAT rules, do this and give it a try.

Site-A
======
ip nat inside source static network 10.208.0.0 1.1.0.0 /16 no-alias

Site-B
======
ip nat inside source static network 10.208.0.0 1.2.0.0 /16 no-alias

Also check whether inspection is causing the issue at one end.

HTH

Regards
Karthik

jovie.siew Wed, 06/18/2014 - 20:15

I've tried static NAT, and yeah, it's working. I can ping both ways.

But my concern now is that on Router A we have existing VPN traffic to other branches. By doing static NAT, I will be natting all traffic from 10.208.0.0 /16 on Router A, which in turn causes all the other VPN traffic to stop working.

The same goes for Router B; we have other VPNs set up currently.

I've done some research, but it seems that the command "ip nat inside source static network 10.208.0.0 1.1.0.0 /16 no-alias" does not support a route-map to define which traffic gets natted. This particular command will NAT all traffic from 10.208.0.0 /16 to 1.1.0.0 /16.

I've tried a workaround. On Router A we have several server IPs that remote sites will need to access, so I can do 1-to-1 static NAT with a route-map to control the traffic.

On Router B, I've tried using dynamic NAT so we can control the traffic through route-maps (with or without the reversible command), but it seems like I can only ping one way.


Router A:
ip nat inside source static 10.208.9.5 1.1.9.5 route-map ROUTEMAP-NAT

Router B:
ip nat inside source route-map ROUTEMAP-NAT pool NATPOOL

Results:

Router A#ping 1.2.76.102 so gi0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.76.102, timeout is 2 seconds:
Packet sent with a source address of 10.208.9.5
.....
Success rate is 0 percent (0/5)

Router B#ping 1.1.9.5 so fa1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.9.5, timeout is 2 seconds:
Packet sent with a source address of 10.208.76.102
!!!!!

With the reversible command, A can ping B but B is unable to ping A.
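An added example, not from any of the posts in this thread: a small Python model of the NAT and IPsec order of operations on the two routers (inside-to-outside: translate, then evaluate the crypto map on the outside interface; outside-to-inside: decrypt, then look up a translation, then route). It reproduces the three outcomes reported above: pool NAT on both routers failing in both directions with fresh translation tables, an entry left behind by an earlier inside-initiated attempt letting the other side's echo through, and plain static entries (the shape of Karthik's "static network" suggestion) working both ways. Assumptions: host-level translation entries only (real IOS also keeps port/ICMP-id extended entries), match-host translation, and neither the reversible keyword nor route-map-restricted static entries are modelled; the Router, ping, build and run_scenarios names are mine, not IOS or thread names.

```python
"""Added example (not from this thread): model of the NAT + IPsec order of
operations on the two routers above. Assumed simplifications: host-level
entries only (no port/ICMP-id extended entries), match-host translation,
and no modelling of the reversible keyword."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Addresses as used in the thread
A_HOST, A_GLOBAL = IPv4("10.208.9.5"), IPv4("1.1.9.5")
B_HOST, B_GLOBAL = IPv4("10.208.76.102"), IPv4("1.2.76.102")


@dataclass
class Router:
    name: str
    inside_net: Net       # inside local network (10.208.0.0/16 at both sites)
    global_net: Net       # inside global pool (1.1.0.0/16 at A, 1.2.0.0/16 at B)
    nat_acl_dst: Net      # destination matched by ACL-NAT: the other site's pool
    static: bool          # True: plain static 1:1 entries; False: route-map/pool NAT
    table: Dict[IPv4, IPv4] = field(default_factory=dict)  # inside global -> local

    def to_global(self, local: IPv4) -> IPv4:
        """match-host: keep the host portion, swap the network portion."""
        return self.global_net.network_address + (int(local) - int(self.inside_net.network_address))

    def to_local(self, glob: IPv4) -> IPv4:
        return self.inside_net.network_address + (int(glob) - int(self.global_net.network_address))

    def egress(self, src: IPv4, dst: IPv4, trace: List[str]) -> Optional[IPv4]:
        """Inside -> outside: NAT first, then the crypto map on the outside interface."""
        if src in self.inside_net and dst in self.nat_acl_dst:
            glob = self.to_global(src)
            self.table[glob] = src  # dynamic NAT creates its entry here, and only here
            trace.append(f"{self.name}: NAT {src} -> {glob}")
            src = glob
        # ACL-VPN permits <own pool> -> <remote pool>, i.e. the post-NAT addresses
        if src in self.global_net and dst in self.nat_acl_dst:
            trace.append(f"{self.name}: encaps {src} -> {dst}")
            return src
        trace.append(f"{self.name}: {src} -> {dst} misses ACL-VPN, not encrypted")
        return None

    def ingress(self, src: IPv4, dst: IPv4, trace: List[str]) -> Optional[IPv4]:
        """Outside -> inside after decryption: translation lookup, then routing."""
        trace.append(f"{self.name}: decaps {src} -> {dst}")
        if dst in self.table:                         # left by an inside-initiated flow
            local = self.table[dst]
        elif self.static and dst in self.global_net:  # static entries always exist
            local = self.to_local(dst)
        else:
            trace.append(f"{self.name}: no translation for {dst}, never reaches the LAN")
            return None
        trace.append(f"{self.name}: NAT {dst} -> {local}")
        return local


def ping(client: Router, server: Router, src: IPv4, target: IPv4, trace: List[str]) -> bool:
    """Echo request from a LAN host behind client to target (inside global behind server), then the reply."""
    glob_src = client.egress(src, target, trace)
    if glob_src is None:
        return False
    local_dst = server.ingress(glob_src, target, trace)
    if local_dst is None:
        return False
    reply_src = server.egress(local_dst, glob_src, trace)  # the LAN host answers
    if reply_src is None:
        return False
    return client.ingress(reply_src, glob_src, trace) is not None


def build(a_static: bool, b_static: bool):
    a = Router("Site A", Net("10.208.0.0/16"), Net("1.1.0.0/16"), Net("1.2.0.0/16"), a_static)
    b = Router("Site B", Net("10.208.0.0/16"), Net("1.2.0.0/16"), Net("1.1.0.0/16"), b_static)
    return a, b


def run_scenarios(trace: List[str]) -> Dict[str, bool]:
    results = {}
    # 1. Original post: pool NAT on both routers, fresh tables: each direction fails
    a, b = build(False, False)
    results["dynamic A->B"] = ping(a, b, A_HOST, B_GLOBAL, trace)
    a, b = build(False, False)
    results["dynamic B->A"] = ping(b, a, B_HOST, A_GLOBAL, trace)
    # 2. B's LAN host talks first: the failed attempt still leaves an entry on B,
    #    so an A-initiated echo can now be translated on arrival
    a, b = build(False, False)
    ping(b, a, B_HOST, A_GLOBAL, trace)
    results["dynamic A->B after B initiated"] = ping(a, b, A_HOST, B_GLOBAL, trace)
    # 3. Plain static entries on both routers: both directions work on fresh tables
    a, b = build(True, True)
    results["static A->B"] = ping(a, b, A_HOST, B_GLOBAL, trace)
    results["static B->A"] = ping(b, a, B_HOST, A_GLOBAL, trace)
    return results


if __name__ == "__main__":
    log: List[str] = []
    for name, ok in run_scenarios(log).items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
    print("\n".join(log))
```

The trace printed by the block is the thing to compare with the counters in the thread: in scenario 1 the initiating router logs "encaps" and the far router logs "decaps" followed by "no translation", which is exactly the encaps-without-decaps pattern reported above, and the far router's table stays empty because a dynamic entry is only ever created by traffic leaving its own inside interface.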

 
