Jacopo Belcredi
Level 1

Symptoms

The need was to reach a host inside a LAN through a VPN connection managed by the LAN gateway (Cisco 1921).

The LAN gateway performs NAT, and there was a dedicated NAT rule for the host I wanted to reach through the VPN.

I couldn't connect to the host.

Same result trying to connect to ports involved in port forwarding.

Everything excluded by static NAT or port-forwarding was reachable instead.

Diagnosis

I noticed that the router performed NAT on return traffic when I tried to reach hosts involved in static NAT through the VPN.

This was because I had specified a no-NAT rule, but it was applied only to the global NAT rule, while static NAT and port-forwarding had their own fixed static entries in the NAT table.

Solution

This is the configuration I used to fix this situation:

STATIC NAT IP <-> IP
!
ip access-list extended NAT
 deny   ip [local-network] [local-wildcard] [vpn-network] [vpn-wildcard]
 permit ip [local-network] [local-wildcard] any
!
route-map NAT permit 10
 match ip address NAT
!
ip nat inside source static [local-ip] [global-ip] route-map NAT

PORT-FORWARDING IP:PORT <-> IP:PORT
!
ip access-list extended nonat-vpn
 deny tcp host [host-ip] eq [port] [vpn-network] [vpn-wildcard]
 permit tcp host [host-ip] eq [port] any
!
route-map nonat-vpn permit 10
 match ip address nonat-vpn
!
ip nat inside source static tcp [local-ip] [local-port] [global-ip] [global-port] route-map nonat-vpn extendable
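
As an added illustration (not part of the original post), here is a small Python model of the logic the fix relies on: a static NAT entry with no route-map translates every packet from the local host, including VPN traffic, while one attached to a route-map only translates when the referenced ACL permits. Addresses are constructed, and the model assumes a single-sequence "permit" route-map whose only match clause is the ACL.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Simplified model of the behaviour described in the post (constructed for
# illustration, not an IOS implementation). Assumptions: first matching ACL
# entry wins with an implicit deny; the route-map is a single "permit"
# sequence whose only match clause is the ACL, so ACL deny == no translation.

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == n & care

@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str

ANY = ("0.0.0.0", "255.255.255.255")   # the IOS keyword "any"

def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False  # implicit deny at the end of every ACL

@dataclass
class StaticNat:
    local_ip: str
    global_ip: str
    route_map_acl: Optional[List[AclEntry]] = None  # None = unconditional static NAT (the bug)

def translate(rule: StaticNat, src: str, dst: str) -> Optional[str]:
    """Translated source of an inside->outside packet, or None when NAT is skipped."""
    if src != rule.local_ip:
        return None
    if rule.route_map_acl is not None and not acl_permits(rule.route_map_acl, src, dst):
        return None
    return rule.global_ip

# Constructed addresses: LAN 192.168.10.0/24, VPN remote net 10.20.0.0/16.
NONAT_VPN = [AclEntry("deny", "192.168.10.0", "0.0.0.255", "10.20.0.0", "0.0.255.255"),
             AclEntry("permit", "192.168.10.0", "0.0.0.255", *ANY)]
BROKEN = StaticNat("192.168.10.5", "203.0.113.5")            # no route-map: NATs VPN traffic too
FIXED = StaticNat("192.168.10.5", "203.0.113.5", NONAT_VPN)  # the post's fix
```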

Comments
sthiffeault
Level 1

Excellent explanation of the problem with a solution that works. What if the "Port-forwarding" NAT statement is done with the interface name instead of a static global IP (Internet access is DHCP)? In that case we cannot add a route-map at the end of the NAT statement. Any ideas how to solve this?

Thanks,

SimonT

Jacopo Belcredi
Level 1

Hi Simon,

IOS doesn't allow you to configure a route-map if you don't specify an IP address in a NAT rule...

I tried this configuration in a lab environment; maybe it can help you:

### INSIDE INTERFACE ###
interface FastEthernet0/0
 ! this secondary IP emulates the static NAT host
 ip address 10.1.1.1 255.255.255.0 secondary
 ip address 10.1.1.254 255.255.255.0
 ip nat inside

### OUTSIDE INTERFACE - static host nat performed on this interface ###
interface FastEthernet0/1
 ip address 20.1.1.1 255.255.255.252
 ip nat outside

### Loopback0 interface - global NAT performed on this interface ###
interface Loopback0
 ip address 30.3.3.3 255.255.255.255

 

### GLOBAL NAT ACL ###
ip access-list extended nat
 deny   ip host 10.1.1.1 any
 permit ip 10.1.1.0 0.0.0.255 any


### Global NAT ###
ip nat inside source list nat interface Loopback0 overload

R1#ping 10.0.0.1 source 10.1.1.254
[...]
R1#sh ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
icmp 30.3.3.3:15       10.1.1.254:15      10.0.0.1:15        10.0.0.1:15

### ACL to NAT SINGLE HOST ###
! 10.0.0.0/8 is the VPN remote network
ip access-list extended NAT-HOST
 deny   ip host 10.1.1.1 10.0.0.0 0.255.255.255
 permit ip host 10.1.1.1 any

### Single host NAT ###
ip nat inside source list NAT-HOST interface FastEthernet0/1 overload


R1#ping 10.0.0.1 source 10.1.1.1
[...]
R1#sh ip nat tr
R1#
R1#ping 200.0.0.1 source 10.1.1.1
[...]
R1#sh ip nat tr
Pro Inside global      Inside local       Outside local      Outside global
icmp 20.1.1.1:17       10.1.1.1:17        200.0.0.1:17       200.0.0.1:17

I hope this configuration can be helpful.

Jacopo
