Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

multiple static nat with one public ip (one customer ip to one internal host)

Hi all together!

I need a 1:1 NAT between a remote Host and a internal host for a IPSec Site-to-Site Tunnel for each of our customers. I need this configuration  for a dial-in remote maintenance concept shown in the Picture.

Unbenannt.PNG

My Problem is, that i have only one public ip address for disposal. At this moment the connection with only one site to site works perfect, but now, how could i implemet my next customers? I read some pages about policy based nat or nat with route-maps, but i can't get one of the examples to work.

Could someone help me with the configuration?

thanks in advance

Max
Everyone's tags (3)
2 REPLIES

Re: multiple static nat with one public ip (one customer ip to o

Hi,

So you have a static NAT for the 1st customer?

ip nat inside source static 10.0.0.1 200.1.1.1

In this way, the router redirects the VPN traffic to the 10.0.0.1 router, correct?

You cannot use another static rule for the same IP, i.e
ip nat inside source static 10.0.0.2 200.1.1.1 --> will overlap with the first rule

You cannot use port redirection, because you need to redirect ESP and ISAKMP on all rules.

I see two solutions:


1. Can you get more public IPs?
2. Can terminate all the tunnels on the router having the public IP (assuming you have control over it)?

- Sorry, I see you're terminating the tunnel on this router.

Federico.

Community Member

Re: multiple static nat with one public ip (one customer ip to o

Hi Federico,

at first, sorry for my late answer but i was looking a few days for an other solution with my cisco router. i get always the same result, it doesnt work with my router.

Now i tryd my luck with iptables and it works fine. I write a small shellscript for easy use. It set a "static nat" based on the source customer peer ip. The script is not perfect and is not the fastest, but it works good ;-)

Thank you for your help!

d-fw-nat-01:~# cat iptables.sh

#!/bin/bash

# 1 Set Variables:

EXTERNAL_INT="eth0"            # External Internet interface

EXTERNAL_IP="62.154.213.75"    # Internet Interface IP address

# Customer 0

CUSTOMER_PEER[0]="87.157.179.122"

INTERNAL_PEER[0]="172.20.11.12"

# Customer 1

CUSTOMER_PEER[1]="80.153.190.76"

INTERNAL_PEER[1]="172.20.11.13"

# 2 Iptables

FW="/sbin/iptables"

# 3 delete existing Rules

$FW -F

$FW -X

$FW -t nat -F

# 4 Standardrules

$FW -P INPUT   ACCEPT

$FW -P FORWARD ACCEPT

$FW -P OUTPUT  ACCEPT

# close the external interface for local services

$FW -A INPUT -i $EXTERNAL_INT -j REJECT

$FW -A OUTPUT  -o $EXTERNAL_INT -j REJECT

# the loop for setting one rule per customer

typeset -i I

typeset -i ANZ

I=0

ANZ=${#INTERNAL_PEER[*]}

while (( $I < $ANZ ));

do

# in prerouting the destination ip must be rewritten

$FW -A PREROUTING -t nat -i $EXTERNAL_INT -s ${CUSTOMER_PEER[$I]} -j DNAT --to ${INTERNAL_PEER[$I]} ;

# in sourcerouting the source ip must be rewritten

$FW -A POSTROUTING -t nat -o $EXTERNAL_INT -d ${CUSTOMER_PEER[$I]} -j SNAT --to $EXTERNAL_IP ;

I=$I+1;

done

d-fw-nat-01:~#

I changed the german commentar into english

1554
Views
0
Helpful
2
Replies
CreatePlease to create content