PAT with source address on Loopback interface

Hello,

I am trying to configure PAT from an internal network to an external network, but the translated source IP address must be one from a loopback interface (not from the actual outside interface).

The network looks like this: https://i.imgur.com/A8SuQec.png

PC1 and PC2 need to have access to Internet, to each other (through IPsec tunnel) and to PC3 (through IPIP/IPsec transport). PC3 will not initiate connections to PC1 nor to PC2.

R1 only advertises 172.16.0.0/24 and 10.0.0.0/30 to R3. R1 does NOT advertise 192.168.x.x to R3. That cannot be changed, which is why I need to change the source IP address from 192.168.x.x to 172.16.0.x before sending packets to PC3.

IPsec and routing are working correctly:

- PC1 and PC2 can communicate through IPsec

- Tunnel and BGP session between R1 and R3 are up, routes are exchanged as expected

- R1 can ping PC3 with source address 172.16.0.1

However, when I ping PC3 from PC1 or PC2, I see packets arriving with source address 192.168.0.2 or 192.168.1.2.

Is there a way to do this?

1 ACCEPTED SOLUTION

You can NAT the entire 192.168.0.0/24 subnet to the loopback interface with NAT overloading like this:

ip access-list extended ACL_NAT
 permit 192.168.0.0 0.0.0.255 172.16.254.0 0.0.0.255
!
ip nat inside source list ACL_NAT interface Loopback0 overload

Everything on the 192.168.0.0/24 network will appear to come from 172.16.0.1 when connecting to 172.16.254.0/24.

Obviously, this is a general example, but it's the best I can do without knowing how your NAT is currently configured. It shouldn't be too difficult to work into an existing configuration.

3 REPLIES

Thanks, I found a mistake in my configuration: I had put "ip nat outside" on the loopback interface instead of the tunnel interface.

Thanks!

Normally, the "ip nat outside" statement goes on the outbound interface for the traffic. I've never needed it on a loopback, but if it's working, cool!
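To make the two points of this thread concrete (the accepted answer's ACL_NAT with overload onto Loopback0, and the follow-up about where "ip nat outside" has to sit), here is an added Python model of how IOS decides to translate a packet. It is an illustration written for this page, not Cisco code and not anything posted in the thread. Everything beyond the ACL, the 192.168.0.0/24 inside network and the 172.16.0.1 loopback address is a constructed assumption: the interface names other than Loopback0, the static route table, the sample packets, and the simplified port allocation.

```python
"""Model of 'ip nat inside source list ACL_NAT interface Loopback0 overload'.

Added illustration for this thread, not Cisco's implementation. Interface
names other than Loopback0, the route table and the packets are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

LOOPBACK0_ADDR = "172.16.0.1"  # the address the thread wants as translated source

# Constructed static routes on R1: destination prefix -> egress interface.
ROUTES = {
    "172.16.254.0/24": "Tunnel0",        # PC3's network via the IPIP/IPsec tunnel to R3
    "192.168.1.0/24": "Tunnel1",         # PC2's network via the IPsec tunnel to R2
    "0.0.0.0/0": "GigabitEthernet0/1",   # default route towards the Internet
}

# ACL_NAT from the accepted answer: (source, wildcard, destination, wildcard).
ACL_NAT = [("192.168.0.0", "0.0.0.255", "172.16.254.0", "0.0.0.255")]

# Two 'ip nat inside/outside' placements: the one that works, and the mistake
# the original poster described (outside on the loopback, nothing on the tunnel).
WORKING = {"GigabitEthernet0/0": "inside", "Tunnel0": "outside",
           "Tunnel1": "outside", "GigabitEthernet0/1": "outside", "Loopback0": None}
OP_MISTAKE = {"GigabitEthernet0/0": "inside", "Loopback0": "outside",
              "Tunnel0": None, "Tunnel1": "outside", "GigabitEthernet0/1": "outside"}


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def egress_interface(dst: str) -> str:
    """Longest-prefix match over the constructed route table."""
    d = ipaddress.IPv4Address(dst)
    candidates = [ipaddress.IPv4Network(p) for p in ROUTES if d in ipaddress.IPv4Network(p)]
    best = max(candidates, key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


@dataclass
class NatOverload:
    nat_roles: dict                       # interface -> "inside" | "outside" | None
    global_addr: str = LOOPBACK0_ADDR
    table: dict = field(default_factory=dict)  # (src, sport, dst, dport) -> global port

    def translate(self, ingress, src, sport, dst, dport):
        """Return (new_src, new_sport, reason) for a packet that entered on `ingress`.

        Inside-source NAT only fires for packets going from an 'ip nat inside'
        interface to an 'ip nat outside' interface; the loopback whose address
        is borrowed plays no part in that decision.
        """
        egress = egress_interface(dst)
        if self.nat_roles.get(ingress) != "inside":
            return src, sport, f"ingress {ingress} is not 'ip nat inside'"
        if self.nat_roles.get(egress) != "outside":
            return src, sport, f"egress {egress} is not 'ip nat outside': no translation"
        if not any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
                   for s, sw, d, dw in ACL_NAT):
            return src, sport, "ACL_NAT does not permit this flow"
        key = (src, sport, dst, dport)
        if key not in self.table:
            # Simplified overload: keep the original port if free, else take the
            # lowest free port from 1024 (a constructed policy, not IOS's exact one).
            in_use = set(self.table.values())
            gport = sport if sport not in in_use else next(
                p for p in range(1024, 65536) if p not in in_use)
            self.table[key] = gport
        return self.global_addr, self.table[key], f"translated via {egress}"


def scenario_working():
    """PC1 -> PC3 with inside/outside placed correctly: source becomes 172.16.0.1."""
    return NatOverload(WORKING).translate("GigabitEthernet0/0", "192.168.0.2", 40000,
                                          "172.16.254.10", 80)


def scenario_op_mistake():
    """Same packet with 'ip nat outside' on Loopback0: the tunnel egress is
    unmarked, so PC3 sees 192.168.0.2, exactly the symptom in the question."""
    return NatOverload(OP_MISTAKE).translate("GigabitEthernet0/0", "192.168.0.2", 40000,
                                             "172.16.254.10", 80)


def scenario_to_pc2():
    """PC1 -> PC2 over IPsec: the destination clause of ACL_NAT leaves it untouched."""
    return NatOverload(WORKING).translate("GigabitEthernet0/0", "192.168.0.2", 40000,
                                          "192.168.1.2", 22)


def scenario_port_collision():
    """Two inside hosts using the same source port share 172.16.0.1 on distinct ports."""
    nat = NatOverload(WORKING)
    first = nat.translate("GigabitEthernet0/0", "192.168.0.2", 40000, "172.16.254.10", 80)
    second = nat.translate("GigabitEthernet0/0", "192.168.0.3", 40000, "172.16.254.10", 80)
    return first[:2], second[:2]


if __name__ == "__main__":
    for fn in (scenario_working, scenario_op_mistake, scenario_to_pc2, scenario_port_collision):
        print(f"{fn.__name__}: {fn()}")
```

The model deliberately treats Loopback0 as irrelevant to the inside/outside decision: "interface Loopback0 overload" only says which address to borrow, while the translation happens on the inside-to-outside crossing, which is why marking the loopback "outside" instead of the tunnel left the packets untranslated.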
