04-29-2010 02:01 PM
Hi all!
I need a 1:1 NAT between a remote host and an internal host for an IPSec site-to-site tunnel for each of our customers. I need this configuration for a dial-in remote maintenance concept shown in the picture.
My problem is that I have only one public IP address at my disposal. At this moment the connection with only one site-to-site tunnel works perfectly, but now, how could I implement my next customers? I read some pages about policy-based NAT or NAT with route-maps, but I can't get one of the examples to work.
Could someone help me with the configuration?
04-29-2010 02:09 PM
Hi,
So you have a static NAT for the 1st customer?
ip nat inside source static 10.0.0.1 200.1.1.1
In this way, the router redirects the VPN traffic to the 10.0.0.1 router, correct?
You cannot use another static rule for the same IP, i.e.
ip nat inside source static 10.0.0.2 200.1.1.1 --> will overlap with the first rule
You cannot use port redirection, because you need to redirect ESP and ISAKMP on all rules.
I see two solutions:
1. Can you get more public IPs?
2. Can you terminate all the tunnels on the router having the public IP (assuming you have control over it)?
- Sorry, I see you're terminating the tunnel on this router.
Federico.
05-06-2010 11:58 AM
Hi Federico,
First of all, sorry for my late answer, but I was looking for a few days for another solution with my Cisco router. I always get the same result: it doesn't work with my router.
Now I tried my luck with iptables and it works fine. I wrote a small shell script for easy use. It sets a "static NAT" based on the source customer peer IP. The script is not perfect and is not the fastest, but it works well ;-)
Thank you for your help!
d-fw-nat-01:~# cat iptables.sh
#!/bin/bash
# 1 Set variables:
EXTERNAL_INT="eth0" # External Internet interface
EXTERNAL_IP="62.154.213.75" # Internet interface IP address
# One customer peer / internal peer pair per index; the index links the two arrays
# Customer 0
CUSTOMER_PEER[0]="87.157.179.122"
INTERNAL_PEER[0]="172.20.11.12"
# Customer 1
CUSTOMER_PEER[1]="80.153.190.76"
INTERNAL_PEER[1]="172.20.11.13"
# 2 iptables binary
FW="/sbin/iptables"
# 3 Delete existing rules (filter table chains, user chains, and the nat table)
$FW -F
$FW -X
$FW -t nat -F
# 4 Default policies
$FW -P INPUT ACCEPT
$FW -P FORWARD ACCEPT
$FW -P OUTPUT ACCEPT
# Close the external interface for local services (the box only forwards, it terminates nothing itself)
$FW -A INPUT -i $EXTERNAL_INT -j REJECT
$FW -A OUTPUT -o $EXTERNAL_INT -j REJECT
# The loop for setting one rule pair per customer
typeset -i I
typeset -i ANZ
I=0
ANZ=${#INTERNAL_PEER[*]}
while (( $I < $ANZ ));
do
# In PREROUTING the destination IP is rewritten, keyed on the customer's source (peer) address
$FW -A PREROUTING -t nat -i $EXTERNAL_INT -s ${CUSTOMER_PEER[$I]} -j DNAT --to ${INTERNAL_PEER[$I]} ;
# In POSTROUTING the source IP of replies going back to that customer is rewritten to the public address
$FW -A POSTROUTING -t nat -o $EXTERNAL_INT -d ${CUSTOMER_PEER[$I]} -j SNAT --to $EXTERNAL_IP ;
I=$I+1;
done
d-fw-nat-01:~#
I translated the German comments into English.
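To make the two points of this thread concrete, here is an added example (not the poster's script and not Cisco IOS behaviour) that models both the failure Federico describes, i.e. two static NAT rules claiming one public IP, and the source-keyed DNAT/SNAT scheme of the iptables script. It reuses the addresses posted in the script; the function names, the duplicate-peer checks and the restriction to ESP, UDP 500 and UDP 4500 are this example's own assumptions. The check for duplicate customer peers matters in practice: the scheme only works while every customer arrives from a distinct peer address, and a collision would silently hand one customer's tunnel packets to the other customer's internal host.

```python
"""Model of the source-keyed 1:1 NAT scheme from the thread (added example,
not the thread's own script). Addresses are the ones posted; the functions,
names and the ESP/IKE port filter are this example's own assumptions."""
import ipaddress

EXTERNAL_INT = "eth0"
EXTERNAL_IP = "62.154.213.75"
# (customer_peer, internal_peer) pairs, as in the posted script
CUSTOMERS = [
    ("87.157.179.122", "172.20.11.12"),
    ("80.153.190.76", "172.20.11.13"),
]
# IPsec needs ESP plus IKE (UDP 500) and NAT-T (UDP 4500); nothing else is forwarded
IPSEC_MATCHES = ("-p esp", "-p udp --dport 500", "-p udp --dport 4500")


def build_nat_table(customers):
    """Return {customer_peer: internal_peer}, rejecting duplicate keys.

    Keying on the customer's peer address is what lets every customer share
    one public IP; two customers arriving from the same peer address would
    collide exactly like two 'ip nat inside source static' rules to one public IP.
    """
    table, used_internal = {}, set()
    for peer, internal in customers:
        ipaddress.ip_address(peer)  # raises ValueError on malformed input
        internal_ip = ipaddress.ip_address(internal)
        if not internal_ip.is_private:
            raise ValueError(f"internal peer {internal} is not an RFC 1918 address")
        if peer in table:
            raise ValueError(f"customer peer {peer} is already mapped to {table[peer]}")
        if internal in used_internal:
            raise ValueError(f"internal peer {internal} is mapped twice")
        table[peer] = internal
        used_internal.add(internal)
    return table


def static_nat_public_ip_conflicts(static_rules):
    """Why plain static NAT cannot do this: given (inside, public) pairs,
    return the public IPs claimed by more than one inside host."""
    seen = {}
    for inside, public in static_rules:
        seen.setdefault(public, []).append(inside)
    return {pub: hosts for pub, hosts in seen.items() if len(hosts) > 1}


def translate_inbound(table, src, dst):
    """PREROUTING DNAT: pick the internal peer by *source* address.
    Returns the rewritten destination, or None if no rule matches."""
    if dst != EXTERNAL_IP:
        return None
    return table.get(src)


def translate_outbound(table, src, dst):
    """POSTROUTING SNAT: replies from the internal peer to its own customer
    leave with the public IP. Returns the rewritten source, or None."""
    if table.get(dst) == src:
        return EXTERNAL_IP
    return None


def render_rules(table):
    """Emit the iptables commands equivalent to the model above (plus the
    ESP/IKE restriction the posted script does not have)."""
    rules = ["iptables -t nat -F PREROUTING", "iptables -t nat -F POSTROUTING"]
    for peer, internal in table.items():
        for match in IPSEC_MATCHES:
            rules.append(
                f"iptables -t nat -A PREROUTING -i {EXTERNAL_INT} -s {peer} "
                f"-d {EXTERNAL_IP} {match} -j DNAT --to-destination {internal}"
            )
        rules.append(
            f"iptables -t nat -A POSTROUTING -o {EXTERNAL_INT} -s {internal} "
            f"-d {peer} -j SNAT --to-source {EXTERNAL_IP}"
        )
    return rules


if __name__ == "__main__":
    nat = build_nat_table(CUSTOMERS)
    print("\n".join(render_rules(nat)))
```

Running the module prints the generated rule set; the per-protocol matches mean a customer peer can only reach its internal host with IPsec traffic, whereas the posted script forwards everything from that peer address. Note that, as with the posted script, the box still needs IP forwarding enabled (net.ipv4.ip_forward) for the DNAT'd packets to actually be passed on.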