PAT with source address on Loopback interface

Fab T
Level 1

Hello,

I am trying to configure PAT from an internal network to an external network, but the translated source IP address must be one from a loopback interface (not from the actual outside interface).

The network looks like this: https://i.imgur.com/A8SuQec.png

PC1 and PC2 need to have access to Internet, to each other (through IPsec tunnel) and to PC3 (through IPIP/IPsec transport). PC3 will not initiate connections to PC1 nor to PC2.

R1 only advertises 172.16.0.0/24 and 10.0.0.0/30 to R3. R1 does NOT advertise 192.168.x.x to R3. That cannot be changed, that is why I need to change the source IP address from 192.168.x.x to 172.16.0.x before sending packets to PC3.

IPsec and routing are working correctly:

- PC1 and PC2 can communicate through IPsec

- Tunnel and BGP session between R1 and R3 are up, routes are exchanged as expected

- R1 can ping PC3 with source address 172.16.0.1

However, when I ping PC3 from PC1 or PC2, I see packets coming with source address = 192.168.0.2 or 192.168.1.2.

Is there a way to do this?

Accepted Solution

ghostinthenet
Level 7

You can NAT the entire 192.168.0.0/24 subnet to the loopback interface with NAT overloading like this:

ip access-list extended ACL_NAT
 permit ip 192.168.0.0 0.0.0.255 172.16.254.0 0.0.0.255
!
ip nat inside source list ACL_NAT interface Loopback0 overload

Everything on the 192.168.0.0/24 network will appear to come from 172.16.0.1 when connecting to 172.16.254.0/24.

Obviously, this is a general example, but it's the best I can do without knowing how your NAT is currently configured. It shouldn't be too difficult to work into an existing configuration.

3 Replies


Thanks, I found a mistake in my configuration: I had put "ip nat outside" on the loopback interface instead of the tunnel interface.

Thanks!

Normally, the "ip nat outside" statement goes on the outbound interface for the traffic. I've never needed it on a loopback, but if it's working, cool!
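To tie the accepted answer and the follow-up together, here is a fuller version of the configuration as an added example (it is not from the thread or from Cisco documentation). Loopback0 = 172.16.0.1, the 172.16.254.0/24 destination and the ACL_NAT name come from the thread; the interface names, the /24 loopback mask and 10.0.0.1/30 on the tunnel are assumptions.

```cisco
! Added example, not from the thread. Assumed: interface names, the /24
! mask on Loopback0, and 10.0.0.1/30 on the tunnel to R3.
!
! Loopback0 holds the only R1 address that R3 has a route to, so it is the
! address every PAT'd flow toward PC3 is rewritten to.
interface Loopback0
 ip address 172.16.0.1 255.255.255.0
!
! Every interface on which PC1's or PC2's traffic enters R1 is "ip nat
! inside" (add it to the interface PC2's traffic arrives on as well).
interface GigabitEthernet0/0
 description PC1 LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
! The IPIP tunnel to R3 is the outbound path, so it carries "ip nat outside".
! Putting "ip nat outside" on Loopback0 instead (the mistake found in the
! thread) leaves packets to PC3 untranslated, which is the symptom reported.
interface Tunnel0
 description IPIP/IPsec transport to R3 (tunnel source/destination omitted)
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
!
! Translate only traffic bound for PC3's network. Scoping the destination
! matters: IOS applies inside-to-outside NAT before encryption, so an ACL
! matching 192.168.x.x to "any" would also rewrite the PC1<->PC2 IPsec
! traffic and break it. Internet PAT can stay as a separate rule with its
! own, non-overlapping ACL on the real outside interface.
ip access-list extended ACL_NAT
 permit ip 192.168.0.0 0.0.0.255 172.16.254.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 172.16.254.0 0.0.0.255
!
ip nat inside source list ACL_NAT interface Loopback0 overload
!
! Verify after a ping from PC1 to PC3:
!  show ip nat translations  -> an entry with inside global 172.16.0.1 and
!                               inside local 192.168.0.2
!  show ip nat statistics    -> Tunnel0 listed under "Outside interfaces",
!                               GigabitEthernet0/0 under "Inside interfaces"
```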
