Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
483
Views
0
Helpful
2
Replies

Issue with VPN/NAT ??

Go to solution
ribin.jones
Level 1
Level 1

‎12-07-2009 07:17 PM - edited ‎03-04-2019 06:54 AM

Hi,

I am at my Central office and we have two branch offices. We have site to site VPN from the two branch offices to the Central office. We have some servers in the Central office LAN for outside access to our clients and also for access from our branch offices. Our clients access these servers using public IP which is NAted to this server. Ideally, our branch office people should be able to access this server using private IP.

For example, we have an application server with IP 192.168.50.50 whose 443 port is NATed. This server is being accessed by our clients through WAN and meanwhile, we are not able to pull out the application from our branch offices via VPN. From the branch office LAN I am able to ping this server 192.168.50.50, but the issue is while accessing the 443 port which is NATed. I can access other ports which are not NATed of the same server from my branch office. Any idea where I am wrong?

Thanks for any help

- Ribin    

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ricardo Prado Rueda
Cisco Employee
Cisco Employee

‎12-08-2009 07:48 AM

Hi Ribin,

   Is the VPN server an IOS router? Based on your description this is most likely the case. The problem here is that based on the NAT order of operation the static port translation is taking place before the traffic can be encrypted. What needs to be done here is either configure the static NAT rule to be conditional (with a route-map), or add a PBR policy to avoid NAT translation when the traffic is meant for the remote network:

* Conditional NAT

   Let's say that the remote network is 10.10.10.0/24, you setup a route-map in the folowing way:

access-list 199 permit tcp host 192.168.50.50 eq 443 10.10.10.0 0.0.0.255

route-map NONAT permit 10

match ip address 199

ip nat inside source static tcp 192.168.50.50 443 X.X.X.X 443 route-map NONAT

   This change will prevent NAT from happening when the destination of the traffic is through a VPN tunnel (remote network 10.10.10.0/24). I don't recommend this option a lot, since I have seen several problems when adding a route-map to a static port translation rule, however is the easiest setup.

* NONAT PBR

   Assuming that the remote network is 10.10.10.0/24

interface loopback0
ip address 10.255.255.1 255.255.255.252   <<<<<< ANY ADDRESS NOT WITHIN YOUR NETWORK

access-list 199 permit tcp host 192.168.50.50 eq 443 10.10.10.0 0.0.0.255

route-map NONAT permit 10

match ip address 199

route-map NONAT 10
match ip address NONAT
set ip next-hop 10.255.255.2


interface
ip policy route-map NONAT

   This change will send all traffic from the server meant to the remote VPN network to the loopback interface. The loopback interface is not tagged as NAT INSIDE or OUTSIDE, therefore the static NAT translation rule is ignored (only for the traffic selected by access-list 199) and the traffic gets successfully encrypted.

   Regards,

Rick.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Ricardo Prado Rueda
Cisco Employee
Cisco Employee

‎12-08-2009 07:48 AM

Hi Ribin,

   Is the VPN server an IOS router? Based on your description this is most likely the case. The problem here is that based on the NAT order of operation the static port translation is taking place before the traffic can be encrypted. What needs to be done here is either configure the static NAT rule to be conditional (with a route-map), or add a PBR policy to avoid NAT translation when the traffic is meant for the remote network:

* Conditional NAT

   Let's say that the remote network is 10.10.10.0/24, you setup a route-map in the folowing way:

access-list 199 permit tcp host 192.168.50.50 eq 443 10.10.10.0 0.0.0.255

route-map NONAT permit 10

match ip address 199

ip nat inside source static tcp 192.168.50.50 443 X.X.X.X 443 route-map NONAT

   This change will prevent NAT from happening when the destination of the traffic is through a VPN tunnel (remote network 10.10.10.0/24). I don't recommend this option a lot, since I have seen several problems when adding a route-map to a static port translation rule, however is the easiest setup.

* NONAT PBR

   Assuming that the remote network is 10.10.10.0/24

interface loopback0
ip address 10.255.255.1 255.255.255.252   <<<<<< ANY ADDRESS NOT WITHIN YOUR NETWORK

access-list 199 permit tcp host 192.168.50.50 eq 443 10.10.10.0 0.0.0.255

route-map NONAT permit 10

match ip address 199

route-map NONAT 10
match ip address NONAT
set ip next-hop 10.255.255.2


interface
ip policy route-map NONAT

   This change will send all traffic from the server meant to the remote VPN network to the loopback interface. The loopback interface is not tagged as NAT INSIDE or OUTSIDE, therefore the static NAT translation rule is ignored (only for the traffic selected by access-list 199) and the traffic gets successfully encrypted.

   Regards,

Rick.

0 Helpful

Go to solution
ribin.jones
Level 1
Level 1
In response to Ricardo Prado Rueda

‎12-09-2009 03:50 AM

Thanks Rick....I used the first method and it worked absolutely fine...

- Ribin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card