static NAT with IPSec tunnel. NAT (inside) 0

Hello,

I have configured an IPsec tunnel between two sites; at one IPsec endpoint I have a PIX and at the other an IOS router with VPN and firewall.

The IPsec tunnel is used between the sites, but I also need external access to devices behind the respective firewalls FROM the internet.

Devices behind the PIX:

The device has a static NAT address used for internet access. I have a firewall rule that allows certain internet-originated traffic through to my host's NATed address. I can also communicate to and from my device through the IPsec tunnel. This traffic is defined as 'NAT (inside) 0', not NATing the traffic, just passing the traffic through from one private network to the other via the tunnel.

Devices behind the IOS router:

Here I find that if I give my host a static NAT address, I can access the host from the internet and the internet from the host, but I cannot access the other site via the VPN tunnel. It appears that the host address is being NATed before it tries the tunnel and fails because the access-list defining interesting traffic for encryption uses standard private network ranges, i.e.

access-list 102 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255

My question is: how do I avoid NATing the host's address behind the IOS router when the traffic is destined for the IPsec tunnel?

Or what is the equivalent IOS command of NAT (inside) 0?

Any help would be greatly appreciated.

4 REPLIES
Re: static NAT with IPSec tunnel. NAT (inside) 0

If you are using a LAN-to-LAN / crypto map VPN between the router and the PIX:

Define the traffic in the access-list and reference it in the crypto map:

! sequence number and ipsec-isakmp type are required; set peer and
! set transform-set also go in this map entry
crypto map whatever-name 10 ipsec-isakmp
 match address 102
!
interface e0 (or whatever your outside int is)
 crypto map whatever-name
!
access-list 102 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 isp-rtr-ip (or e0 - outside int)
!
! deny NAT for the protected traffic and permit NAT for any other destination
access-list 103 deny ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 103 permit ip 10.0.0.0 0.0.0.255 any
ip nat inside source list 103 interface e0 overload (for PAT, or 'pool' if NAT)

But if you are running the EzVPN client on the router:

simply configure split-tunneling on the PIX for that vpngroup.

Re: static NAT with IPSec tunnel. NAT (inside) 0

The problem lies with the static NAT process occurring no matter what the crypto ACLs define. To get around this you can use policy routing to identify the traffic from the devices with static NATs which need to traverse the VPN and redirect it via a loopback interface that is not participating in the NAT process. This has worked for me in the past. The link below provides good guidelines for implementing this:

http://www.cisco.com/warp/public/707/static.html

Re: static NAT with IPSec tunnel. NAT (inside) 0

Thanks very much.

This has resolved the issue.

Re: static NAT with IPSec tunnel. NAT (inside) 0

The easy way you can solve that problem for the IOS router is to create another ACL. I've done this and it works fine.

Example

172.16.1.0 is the network address of hosts behind the IOS router

192.168.10.0 is the network address of hosts behind the PIX firewall

access-list 115 deny ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 115 permit ip 172.16.1.0 0.0.0.255 any

This will work fine.

TMM
