11-07-2014 04:18 PM - edited 03-07-2019 09:25 PM
Hello,
I am trying to configure PAT from an internal network to an external network, but the translated source IP address must be one from a loopback interface (not from the actual outside interface).
The network looks like this: https://i.imgur.com/A8SuQec.png
PC1 and PC2 need to have access to the Internet, to each other (through an IPsec tunnel) and to PC3 (through IPIP/IPsec transport). PC3 will not initiate connections to PC1 or PC2.
R1 only advertises 172.16.0.0/24 and 10.0.0.0/30 to R3. R1 does NOT advertise 192.168.x.x to R3. That cannot be changed, which is why I need to change the source IP address from 192.168.x.x to 172.16.0.x before sending packets to PC3.
IPsec and routing are working correctly:
- PC1 and PC2 can communicate through IPsec
- The tunnel and the BGP session between R1 and R3 are up, and routes are exchanged as expected
- R1 can ping PC3 with source address 172.16.0.1
However, when I ping PC3 from PC1 or PC2, I see packets arriving with source address 192.168.0.2 or 192.168.1.2.
Is there a way to do this?
11-09-2014 08:16 PM
You can NAT the entire 192.168.0.0/24 subnet to the loopback interface with NAT overloading like this:
! extended ACL: the "ip" protocol keyword is required when a destination is given
ip access-list extended ACL_NAT
 permit ip 192.168.0.0 0.0.0.255 172.16.254.0 0.0.0.255
!
! PAT: overload all matching flows onto the address of Loopback0
ip nat inside source list ACL_NAT interface Loopback0 overload
Everything on the 192.168.0.0/24 network will appear to come from 172.16.0.1 when connecting to 172.16.254.0/24.
Obviously, this is a general example, but it's the best I can do without knowing how your NAT is currently configured. It shouldn't be too difficult to work into an existing configuration.
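To show how the ACL and overload statement above fit into a complete R1 configuration, including where "ip nat inside" and "ip nat outside" have to sit (the placement that turns out to be the problem later in this thread), here is an added example; it is not the answerer's configuration or the original poster's. The interface names GigabitEthernet0/0 and Tunnel0, the LAN address 192.168.0.1/24 and the /24 mask on Loopback0 are assumptions; only Loopback0, 172.16.0.1, 192.168.0.0/24 and 172.16.254.0/24 come from the thread. The existing tunnel source/destination/mode and BGP configuration are already working per the question and are omitted.

```cisco
! Added example (not from the thread). Assumed: GigabitEthernet0/0 is R1's LAN
! toward PC1, Tunnel0 is the IPIP/IPsec transport toward R3, 192.168.0.1/24 on
! the LAN side and the /24 mask on Loopback0.
!
! Loopback0 supplies the translated source address. R3 must have a route to it
! (the thread confirms 172.16.0.0/24 is advertised over BGP); otherwise PC3's
! replies to 172.16.0.1 have nowhere to go.
interface Loopback0
 ip address 172.16.0.1 255.255.255.0
!
! "inside" = the interface the untranslated 192.168.0.x hosts sit behind.
interface GigabitEthernet0/0
 description LAN toward PC1 (assumed name and address)
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
! "outside" = the interface the packets actually leave through toward R3.
! That is the tunnel, not Loopback0: packets to PC3 egress via Tunnel0, so if
! only the loopback is marked outside, NAT never sees an inside-to-outside
! crossing and nothing is translated.
interface Tunnel0
 description IPIP/IPsec transport to R3 (assumed name; tunnel settings omitted)
 ip nat outside
!
! Translate only LAN -> PC3-subnet traffic. Keeping the destination scoped to
! 172.16.254.0/24 (rather than "any") means PC1 <-> PC2 traffic over the
! site-to-site IPsec and Internet-bound traffic are not touched by this rule.
! A second site's prefix (e.g. 192.168.1.0/24) would need its own permit line,
! and only if that traffic really transits R1 on its way to PC3.
ip access-list extended ACL_NAT
 permit ip 192.168.0.0 0.0.0.255 172.16.254.0 0.0.0.255
!
! PAT (overload): every matching flow is rewritten to 172.16.0.1 with a unique
! source port, so PC3 only ever sees the one prefix R1 advertises.
ip nat inside source list ACL_NAT interface Loopback0 overload
```

To check it, ping PC3 from PC1 and run "show ip nat translations" on R1: each entry should pair the inside local 192.168.0.2 with the inside global 172.16.0.1 and a per-flow port. "show ip nat statistics" lists which interfaces are currently classified inside and outside, which is the quickest way to spot the loopback-versus-tunnel mistake.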
11-10-2014 01:13 PM
Thanks, I found a mistake in my configuration: I had put "ip nat outside" on the loopback interface instead of the tunnel interface.
Thanks!
11-10-2014 01:29 PM
Normally, the "ip nat outside" statement goes on the outbound interface for the traffic. I've never needed it on a loopback, but if it's working, cool!