02-28-2006 12:58 PM - edited 02-21-2020 02:17 PM
Hi everyone.
I'm having a hub router and 2 spoke routers with overlapping LAN IP address ranges.
                   /-> RouterA - 10.47.1.0/24
172.16.1.0 - VRFR
                   \-> RouterB - 10.47.1.0/24
I am using route-maps to get the different local hosts to the different VRFs on the hub side (no problems there).
I use the VRF-aware IPsec feature to get to the different spoke networks without doing NAT (no problem there).
My key issue is that I need to do NAT on the hub router: I need to translate the hosts on the local hub LAN into IP addresses defined by the administrators of the different spoke LANs.
These NAT ranges could be different / could be overlapping for the different VRFs.
My problem is that I have no idea how to get the traffic NAT'ed properly (after route-map, before IPsec).
If you have any idea / if you've solved the problem
- I would be grateful for a hint / clue / THE solution.
Thanx in advance
Jarle
03-01-2006 02:33 PM
I replied to the other related post in the General group, and just saw this other post...
>> I use the VRF aware IPSEC feature to get to the different Spoke-Networks without doing nat (no problem there)
I am VERY interested to see a working example of this. Could you please post it or email it to me (michel.caissie.remove@cardinal.com). From there I'll work to find the NAT solution.
thanks
Michel Caissie
03-02-2006 02:07 AM
Here's a configuration:
HUB Router with VRFs and IPsec (without NAT):
----------------------------------------------
version 12.4
hostname VRF-router
ip subnet-zero
!
ip vrf VRF1
 rd 1:101
 route-target export 1:101
 route-target import 1:101
ip vrf VRF2
 rd 2:101
 route-target export 2:101
 route-target import 2:101
!
! One keyring per VRF: each spoke's pre-shared key lives in its own keyring
crypto keyring VRFKR1
 description Repository of ISAKMP preshared keys for VRF1
 pre-shared-key address 172.16.1.2 key SecretKey
crypto keyring VRFKR2
 description Repository of ISAKMP preshared keys for VRF2
 pre-shared-key address 172.16.1.3 key VerySecretKey
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 14400
!
! The ISAKMP profile binds each peer to its VRF and keyring
crypto isakmp profile ISAKMP-VRF1
 vrf VRF1
 keyring VRFKR1
 match identity address 172.16.1.2 255.255.255.255
crypto isakmp profile ISAKMP-VRF2
 vrf VRF2
 keyring VRFKR2
 match identity address 172.16.1.3 255.255.255.255
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map IPSEC 10 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set ESP-3DES-MD5
 set isakmp-profile ISAKMP-VRF1
 match address 2001
crypto map IPSEC 11 ipsec-isakmp
 set peer 172.16.1.3
 set transform-set ESP-3DES-MD5
 set isakmp-profile ISAKMP-VRF2
 match address 2002
!
! "ip vrf forwarding" must come before "ip address": entering it afterwards clears the address
interface Loopback1
 ip vrf forwarding VRF1
 ip address 192.168.1.1 255.255.255.0
interface Loopback2
 ip vrf forwarding VRF2
 ip address 192.168.2.1 255.255.255.0
!
! Inside interface: the route-map selects the VRF per source host
interface Ethernet0/0
 ip vrf receive VRF1
 ip vrf receive VRF2
 ip address 10.145.48.11 255.255.255.0
 ip virtual-reassembly
 ip policy route-map VRF-Selection
!
! Outside interface (public address masked by the poster)
interface Ethernet1/0
 ip address 200.200.x.x 255.255.255.0
 ip virtual-reassembly
 crypto map IPSEC
!
ip classless
ip route 172.16.1.0 255.255.255.0 200.200.200.1
ip route vrf VRF1 10.47.2.0 255.255.255.0 200.200.200.1 global
ip route vrf VRF2 10.47.1.0 255.255.255.0 200.200.200.1 global
!
! 21/22 pick the VRF per inside host; 2001/2002 are the crypto ACLs
access-list 21 permit 10.145.48.201
access-list 22 permit 10.145.48.202
access-list 2001 permit ip host 10.145.48.201 10.47.1.0 0.0.0.255
access-list 2001 permit ip 10.47.2.0 0.0.0.255 10.47.1.0 0.0.0.255
access-list 2002 permit ip host 10.145.48.202 10.47.1.0 0.0.0.255
access-list 2002 permit ip 10.47.3.0 0.0.0.255 10.47.1.0 0.0.0.255
!
route-map VRF-Selection permit 10
 match ip address 21
 set vrf VRF1
route-map VRF-Selection permit 20
 match ip address 22
 set vrf VRF2
!
control-plane
!
line con 0
line aux 0
line vty 0 4
A Spoke router:
----------------------------------------------
hostname SpokeA
int f 0/0
 ip address 172.16.1.2 255.255.255.0
 no shut
 ip nat outside
 exit
int f 0/1
 ip address 10.47.1.1 255.255.255.0
 no shut
 ip nat inside
 exit
enable password secret
line vty 0 4
 password secret
 exit
! default route points at the Hub router
ip route 0.0.0.0 0.0.0.0 172.16.1.1
! PAT everything that is not tunnel traffic to the outside interface address
ip nat inside source list 101 int fastEthernet 0/0 overload
no access-list 101
access-list 101 deny ip 10.47.1.0 0.0.0.255 10.145.48.0 0.0.0.255
access-list 101 deny ip 10.47.1.0 0.0.0.255 10.47.2.0 0.0.0.255
access-list 101 permit ip 10.47.1.0 0.0.0.255 any
crypto isakmp key SecretKey address 200.200.200.200
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 14400
 exit
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 exit
crypto map IPSEC 10 ipsec-isakmp
 set peer 200.200.200.200
 set transform-set ESP-3DES-MD5
 match address 191
 exit
! crypto ACL: mirror of the hub's ACL 2001 (0.0.0.255 wildcard for the /24)
no access-list 191
access-list 191 permit ip 10.47.1.0 0.0.0.255 10.145.48.201 0.0.0.0
access-list 191 permit ip 10.47.1.0 0.0.0.255 10.47.2.0 0.0.0.255
int f0/0
 crypto map IPSEC
Have fun.. I hope we are able to find a NAT solution, giving us the opportunity to map the 10.145.48.0 network on the Hub router to 10.47.2.0 addresses before it is sent through the IPsec tunnel to the spoke.....
03-02-2006 08:21 AM
Thanks
I should be able to start working on this in the next days.
Looking rapidly, you say you want to mask the spoke inside 10.47.1.0 by 10.47.2.0?
Have you tried something like:
ip nat outside source static network 10.47.2.0 10.47.1.0 /24 vrf VRF1
If routers are like PIX, NAT will occur before encryption. So you would need to create the static and associate it with the corresponding VRF.
03-06-2006 07:12 AM
Hi
We wanted to NAT the network behind the Hub to predefined IP addresses given by the Spokes:
10.145.48.0 -> 10.47.2.0
10.145.48.0 -> 10.47.3.0
It might be a problem with the crypto-map access-list.
Thanx so far.
03-14-2006 01:51 PM
Hi Jarle,
I finally found a router to do tests on this. I'm still trying to make it work with a single site without NAT. No success so far, the crypto map is not even triggered.
Question: what does this line accomplish exactly?
ip route vrf VRF1 10.47.2.0 255.255.255.0 200.200.200.1 global
I guess it's only in anticipation of your NATing stuff.
In a non-NAT environment, do you still need an ip route vrf command?
What is the result of your sh ip vrf interface?
Is it OK for the VRF to be associated only with the Loopback interface?
Any hint on how to troubleshoot this?
Regarding your last comment, your crypto map should be OK. Packets are NATed before being processed by the crypto engine. See link
http://www.cisco.com/warp/public/556/5.html
I would try
interface Ethernet0/0
 ip nat inside
interface Ethernet1/0
 ip nat outside
ip nat inside source static network 10.47.1.0 10.47.2.0 /24 vrf VRF1
thanks,
Michel
03-16-2006 01:33 AM
> ip route vrf VRF1 10.47.2.0 255.255.255.0 200.200.200.1 global
This command routes the VRF2 destination network through the router's global interface to the global external gateway.
I've solved all problems now:
IPsec, NAT, VRF: it's all working.
I had a problem with the IPsec access-list.
The IPsec access-list must only contain the NATed addresses.
Big issue though:
It is NOT possible to do NAT to the same pool or the same static NAT for different VRFs at the same time. This is not yet supported in IOS.
Here is the inclusive NAT configuration (on the central router):
Inclusive NAT
----------------------------------------------
! One static network translation per VRF: the hub LAN becomes the address
! range the spoke administrator assigned (different range for each VRF)
ip nat inside source static network 10.145.48.0 10.47.2.0 /24 vrf VRF1
ip nat inside source static network 10.145.48.0 10.47.3.0 /24 vrf VRF2
int g 0/0
 ip nat inside
int g 0/1
 ip nat outside
! crypto ACLs match only the translated (post-NAT) source addresses
no access-list 2001
access-list 2001 permit ip 10.47.2.0 0.0.0.255 10.47.1.0 0.0.0.255
no access-list 2002
access-list 2002 permit ip 10.47.3.0 0.0.0.255 10.47.1.0 0.0.0.255
Hope this helped you as well.
Thanx for your inputs.
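As an added illustration (my own model, not configuration or code from the thread), a small Python simulation of the hub's per-packet path that the posts describe: the policy route-map selects the VRF by source host, the static network NAT for that VRF rewrites the source, and only then is the crypto ACL evaluated. Running it with the original (pre-NAT) crypto ACLs and with the corrected ones shows why the crypto ACL has to list the translated addresses; the addresses are the thread's own and the ACL tables are transcribed from the two configurations above.

```python
"""Added model of the hub's per-packet path described in the thread (not Cisco
code): the policy route-map picks a VRF by source host, the static network NAT
for that VRF rewrites the source, then the crypto ACL is checked on the
translated packet. All addresses are the ones the posts use."""
import ipaddress

# route-map VRF-Selection: ACL 21 -> VRF1, ACL 22 -> VRF2
VRF_SELECTION = {"10.145.48.201": "VRF1", "10.145.48.202": "VRF2"}

# ip nat inside source static network <inside> <outside> /24 vrf <vrf>
STATIC_NETWORK_NAT = {
    "VRF1": ("10.145.48.0/24", "10.47.2.0/24"),
    "VRF2": ("10.145.48.0/24", "10.47.3.0/24"),
}

# Crypto ACLs 2001 (VRF1) and 2002 (VRF2) as (source, destination) pairs.
ACL_PRE_NAT = {  # the first hub config: untranslated inside host
    "VRF1": [("10.145.48.201/32", "10.47.1.0/24")],
    "VRF2": [("10.145.48.202/32", "10.47.1.0/24")],
}
ACL_POST_NAT = {  # the fix: only NATed addresses in the crypto ACL
    "VRF1": [("10.47.2.0/24", "10.47.1.0/24")],
    "VRF2": [("10.47.3.0/24", "10.47.1.0/24")],
}


def translate(src, vrf):
    """Static network NAT: keep the host part, swap in the VRF's outside /24."""
    inside, outside = (ipaddress.ip_network(n) for n in STATIC_NETWORK_NAT[vrf])
    addr = ipaddress.ip_address(src)
    if addr not in inside:
        return src
    return str(outside.network_address + (int(addr) - int(inside.network_address)))


def crypto_match(acl, vrf, src, dst):
    """True if an entry of this VRF's crypto ACL matches the (src, dst) pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in acl[vrf])


def hub_path(src, dst, acl):
    """Return (vrf, translated source, encrypted?) for a packet from the hub LAN,
    or None when the route-map leaves it in the global table."""
    vrf = VRF_SELECTION.get(src)
    if vrf is None:
        return None
    nat_src = translate(src, vrf)  # NAT runs before the crypto engine sees it
    return vrf, nat_src, crypto_match(acl, vrf, nat_src, dst)
```

With the pre-NAT ACLs the translated packet 10.47.2.201 -> 10.47.1.10 never matches ACL 2001, so the crypto map is not triggered; with the post-NAT ACLs both hosts are encrypted into their own VRF even though both spokes use 10.47.1.0/24.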
03-17-2006 11:16 AM
Jarle,
Glad you have your solution. On my side I finally got it to work in a simple environment without NAT. Adding NAT should be straightforward knowing that it works for you. Though in my case I will mask the spoke subnets, so I will use the nat outside source instead.
But I still have a question regarding the building of the VRF table. As I understand, the ip vrf receive command in conjunction with the policy route-map creates a Connected route in the VRF for the inside subnet. My question is, what exactly is the address you put in the route-map ACL? Does this mean that only that inside address can be part of the VPN? Could it be the whole subnet for both sites? What I want to accomplish is a full lan2lan tunnel, not with just one IP from the Hub.
thanks
Michel