Solved: Re: VRF aware IPSEC and NAT

jsteffensen · ‎02-28-2006

Hi everyone.

I'am having a Hub Router and 2 Spoke routers with overlapping LAN - IP Address-range.

->RouterA -10.47.1.0/24

/

172.16.1.0-VRFR

\

->RouterB -10.47.1.0/24

I am using route-maps to get the different local host to the different VRF's on the Hub-side (no problems there)

I use the VRF aware IPSEC feature to get to the different Spoke-Networks without doing nat (no problem there)

My key issue is that i need to do nat on the HUB Router - i need to translate the host on the local HUB-LAN into IP-Adresses defined by the Administraors of the different Spoke-LAN's.

These NAT-Ranges could be different / could be overlapping for the different VRF's.

My problem is that I have no idea how to get the traffic NAT'ed properly (after route-map , before IPSEC).

If you have any idea / if you've solved the problem

- i would be grateful for a Hint /Clue / THE Solution.

Thanx in advance

Jarle

michelcaissie · ‎03-14-2006

Hi Jarle,

I finally found a router to do test on this . I'm still trying to make it work with a single site without NAT. No success so far, the crypto map is not even triggered.

Question : what does this line accomplish exactly ?ip route vrf VRF1 10.47.2.0 255.255.255.0 200.200.200.1 global

I guess it's only in prevision of your NATing stuff.

In a non NAT environment , do you still need an ip route vrf command ?

What is the result of your sh ip vrf interface ?

Is it ok for the vrf to be associated only with the Loopback interface ?

Any hint on how to troubleshoot this ?

Regarding your last comment , your crypto map should be ok. Packets are NATed before being processed by the crypto engine . See link

http://www.cisco.com/warp/public/556/5.html

I would try

interface Ethernet0/0

ip nat inside

interface Ethernet1/0

ip nat outside

ip nat inside source static network 10.47.1.0 10.47.2.0 /24 vrf VRF1

thanks,

Michel

View solution in original post

michelcaissie · ‎03-01-2006

I replied to the other related post in the General group , and just saw this other post...

>>I use the VRF aware IPSEC feature to get to the different Spoke-Networks without doing nat (no problem there)

I am VERY interested to see a working example of this . Could you please post it or email it to me (michel.caissie.remove@cardinal.com). From there i'll work to find the NAT solution

thanks

Michel Caissie

jsteffensen · ‎03-02-2006

Her's a Configuration:

HUB Router with VRF's and IPSEC (without NAT):

----------------------------------------------

version 12.4

hostname VRF-router

ip subnet-zero

ip vrf VRF1

rd 1:101

route-target export 1:101

route-target import 1:101

ip vrf VRF2

rd 2:101

route-target export 2:101

route-target import 2:101

crypto keyring VRFKR1

description Repository of ISAKMP preshared keys for VRF1

pre-shared-key address 172.16.1.2 key SecretKey

crypto keyring VRFKR2

description Repository of ISAKMP preshared keys for VRF2

pre-shared-key address 172.16.1.3 key VerySecretKey

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

lifetime 14400

crypto isakmp profile ISAKMP-VRF1

vrf VRF1

keyring VRFKR1

match identity address 172.16.1.2 255.255.255.255

crypto isakmp profile ISAKMP-VRF2

vrf VRF2

keyring VRFKR2

match identity address 172.16.1.3 255.255.255.255

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map IPSEC 10 ipsec-isakmp

set peer 172.16.1.2

set transform-set ESP-3DES-MD5

set isakmp-profile ISAKMP-VRF1

match address 2001

crypto map IPSEC 11 ipsec-isakmp

set peer 172.16.1.3

set transform-set ESP-3DES-MD5

set isakmp-profile ISAKMP-VRF2

match address 2002

interface Loopback1

ip address 192.168.1.1 255.255.255.0

ip vrf forwarding VRF1

interface Loopback2

ip address 192.168.2.1 255.255.255.0

ip vrf forwarding VRF2

interface Ethernet0/0

ip vrf receive VRF1

ip vrf receive VRF2

ip address 10.145.48.11 255.255.255.0

ip virtual-reassembly

ip policy route-map VRF-Selection

interface Ethernet1/0

ip address 200.200.x.x.x.255.0

ip virtual-reassembly

crypto map IPSEC

ip classless

ip route 172.16.1.0 255.255.255.0 200.200.200.1

ip route vrf VRF1 10.47.2.0 255.255.255.0 200.200.200.1 global

ip route vrf VRF2 10.47.1.0 255.255.255.0 200.200.200.1 global

access-list 21 permit 10.145.48.201

access-list 22 permit 10.145.48.202

access-list 2001 permit ip host 10.145.48.201 10.47.1.0 0.0.0.255

access-list 2001 permit ip 10.47.2.0 0.0.0.255 10.47.1.0 0.0.0.255

access-list 2002 permit ip host 10.145.48.202 10.47.1.0 0.0.0.255

access-list 2002 permit ip host 10.47.3.0 10.47.1.0 0.0.0.255

route-map VRF-Selection permit 10

match ip address 21

set vrf VRF1

route-map VRF-Selection permit 20

match ip address 22

set vrf VRF2

control-plane

line con 0

line aux 0

line vty 0 4

A Spoke router:

----------------------------------------------

host SpokeA

int f 0/0

ip address 172.16.1.2 255.255.255.0

no shut

ip nat outside

exit

int f 0/1

ip address 10.47.1.1 255.255.255.0

no shut

ip nat inside

exit

enable password secret

line vty 0 4

password secret

exit

ip route 0.0.0.0 0.0.0.0 172.16.1.1

! ****is the default gateway to the Hub router *

ip nat inside source list 101 int fastEthernet 0/0

no access-list 101

access-list 101 deny ip 10.47.1.0 0.0.0.255 10.145.48.0 0.0.0.255

access-list 101 deny ip 10.47.1.0 0.0.0.255 10.47.2.0 0.0.0.255

access-list 101 permit ip 10.47.1.0 0.0.0.255 any

crypto isakmp key SecretKey address 200.200.200.200

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

lifetime 14400

exit

crypto ipsec security-association lifetime seconds 3600

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

exit

crypto map IPSEC 10 ipsec-isakmp

set peer 200.200.200.200

set transform-set ESP-3DES-MD5

match address 191

exit

no access-list 191

access-list 191 permit ip 10.47.1.0 0.0.0.255 10.145.48.201 0.0.0.0

access-list 191 permit ip 10.47.1.0 0.0.0.255 10.47.2.0 0.0.0.0

int f0/0

crypto map IPSEC

Have fun.. I hope we are able to find a nat solution, giving us the oppertunity to map 10.145.48.0 network on the Hub-Router to 10.47.2.0 address before it is sent through the IPSec tunnel to the spoke.....

michelcaissie · ‎03-02-2006

Thanks

i should be able to start working on this in the next days.

Looking rapidly , you say you want to mask the spoke inside 10.47.1.0 by 10.47.2.0 ?

Have you tried something like;

ip nat outside source static network 10.47.2.0 10.47.1.0 /24 vrf VRF1

If routers are like PIX , NAT will occur before encryption. So you would need to create the static and associate it with the corresponding VRF

jsteffensen · ‎03-06-2006

Hi

We wanted to NAT the network behind the Hub - to predefined IP Addresses given from the Spokes

10.145.48.0 -> 10.47.2.0

10.145.48.0 -> 10.47.3.0

It might be a problem with the crypto-map Access-list.

Thanx so far.

michelcaissie · ‎03-14-2006

Hi Jarle,

I finally found a router to do test on this . I'm still trying to make it work with a single site without NAT. No success so far, the crypto map is not even triggered.

Question : what does this line accomplish exactly ?ip route vrf VRF1 10.47.2.0 255.255.255.0 200.200.200.1 global

I guess it's only in prevision of your NATing stuff.

In a non NAT environment , do you still need an ip route vrf command ?

What is the result of your sh ip vrf interface ?

Is it ok for the vrf to be associated only with the Loopback interface ?

Any hint on how to troubleshoot this ?

Regarding your last comment , your crypto map should be ok. Packets are NATed before being processed by the crypto engine . See link

http://www.cisco.com/warp/public/556/5.html

I would try

interface Ethernet0/0

ip nat inside

interface Ethernet1/0

ip nat outside

ip nat inside source static network 10.47.1.0 10.47.2.0 /24 vrf VRF1

thanks,

Michel

jsteffensen · ‎03-16-2006

> ip route vrf VRF 10.47.2.0 255.255.250 200.200.200.1 global

This command routes the VRF2 destination network through the Router-golbal interface to the global external gateway.

I've solved all problems now:

IPSEC NAT - VRF its all working -

I had a problem with the IPSEC access-list.

The IPSEC acces-list must only contain the NATed-Adresses .

Big issue though:

It is NOT possible to do nat to the same Pool or the same static nat for different VRF's at the same time. This is yet not supported on the IOS.

Here is the Inclusive NAT configuration (on the central Router):

Inclusive NAT

ip nat inside source static network 10.145.48.0 10.47.2.0 /24 vrf VRF1

ip nat inside source static network 10.145.48.0 10.47.3.0 /24 vrf VRF2

int g 0/0

ip nat inside

int g 0/1

ip nat outside

no access-list 2001

access-list 2001 permit ip 10.47.2.0 0.0.0.255 10.47.1.0 0.0.0.255

no access-list 2002

access-list 2002 permit ip 10.47.3.0 0.0.0.255 10.47.1.0 0.0.0.255

Hope this helped you as well.

Thanx for your inputs.

michelcaissie · ‎03-17-2006

Jarke,

Glad you have your solution. On my side i finally got it to work in a simple environment without NAT. Adding NAT should be straighforward knowing that it works for you. Though in my case i will mask the spoke subnets , so i will use the nat outside source instead.

But i still have an interrogation regarding the building of the VRF table. As i understand the ip vrf receive command in conjunction with the policy route-map , creates a Connected route in the VRF for the inside subnet. My question is , what exactly is the address you put in the route-map acl ? Does this mean that only that inside address can be part of the VPN ? could it be the whole subnet for both sites? What i want to accomplish is a full lan2lan tunnel , not with just one IP from Hub.

thanks

Michel