Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
955
Views
0
Helpful
4
Replies

IPSEC NAT Exemptions & Static NAT's

ebanksdhhs
Level 1
Level 1

‎03-10-2004 11:23 AM - edited ‎02-21-2020 01:03 PM

Router A and Router B are IPSEC tunnel peers, using the Internet as the connectivity transport. Routers A & B perform NAT pooling with overload for Internet bound traffic - traffic destined for the remote side of the VPN tunnel is exempted from the NAT overload.

This much works fine. Here's the problem:

Router A also has a few static NAT's to support inbound access of HTTP and SMTP traffic to hosts on the private LAN. It appears that when these hosts on LAN A attempt to contact a host on LAN B via the VPN tunnel, the NAT exemption doesn't take effect - the traffic is sent out to the Internet anyway via the static NAT.

So - the question is, how do I work around this?

Labels:
0 Helpful
4 Replies 4

gfullage
Cisco Employee
Cisco Employee

‎03-11-2004 03:47 PM

The following sample config will get you going, it has a good explanation of what's happening also:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

0 Helpful

murali.sethuraman
Level 1
Level 1
In response to gfullage

‎04-15-2004 09:14 AM

Hi,

I recreated the same setup in a lab environment but after the route-mapidentifies the packets and send them to the loopback address as the next-hop the packet is never seen in the IPSec tunnel. The router also complains that the next-hop is the same router. If you look at the cco example closely, you will also notice some errors in the loopback IP address.

Is this setup really working and if yes, is this supported from a specific IOS code.

Thanks for your response!

Best regards, Murali

0 Helpful

ebanksdhhs
Level 1
Level 1
In response to murali.sethuraman

‎04-15-2004 11:53 AM

I am using the exact method defined in the document, and it works great. I think you're making the same mistake that I made though. The document refers to building a loopback address of 1.1.1.1 and setting an ip next-hop in the route-map to 1.1.1.2. I assumed that was a misprint, and that they really wanted me to set the ip next-hop to 1.1.1.1 - well, they don't. They really mean 1.1.1.2, even though that IP doesn't exist anywhere. What I believe happens is that the packet is forwarded to the loopback interface, because the router believes that the 1.1.1.0/24 network is directly connected there. The packet is forwarded to 1.1.1.1, with the expectation it will get to 1.1.1.2. 1.1.1.2 doesn't really exist, so the router re-evaluates the packet for forwarding. At that point, there's no NAT to be performed, because the packet isn't leaving a "ip nat inside" interface.

Anyway, it is working for me, but you do have to follow the document exactly.

HTH!

0 Helpful

murali.sethuraman
Level 1
Level 1
In response to ebanksdhhs

‎04-16-2004 05:10 AM

Hi,

Thanks for your reply. I am sure must be making the mistake of understanding the document.Thanks once again for highlighting it. Will try again in my setup.

Have a good day & best regards,

Murali

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents