Simultaneous NAT overload (internet) and NAT overlapping for IPsec

  • Simultaneous NAT overload (internet) and NAT overlapping for IPsec

    Hi all,

    Have been bashing my head against this for the last couple of days and was wondering if anyone might be able to take a look at the config and point out where I might be approaching this wrong...

    My current lab is configured as:

    Two sites (SITE1/SITE2) connected via a third router (ISP) - there is a pure IPsec tunnel between SITE1 and SITE2. Both SITE1 and SITE2 have overlapping IP addresses (SITE1 uses 10.1.1.0/24 and SITE2 uses 10.0.0.0/16 and 192.168.80.0/24 - however, we're only presented with access to 10.81.0.0/18 via the IPsec VPN).

    Okay... overlapping NATs - I need to remap what each end sees as its destination - SITE2 sees SITE1 as 192.168.40.0/24 (rather than 10.1.1.0/24) and SITE1 sees SITE2 without translation (as we'll never be talking to their 10.0.0.0/16 anyway, only 10.81.0.0/18, which doesn't match our internal 10.1.1.0/24 subnet).

    SITE1 also has an internet connection via ISP1 which is used to simulate access to the internet via a NAT overload statement (multiple machines in SITE1 need to access the internet via a single internet IP).

    SITE1's internal IP is 10.1.1.1/24
    SITE1's external IP is 203.1.1.2/24

    ISP1's link to SITE1 is on 203.1.1.1/24
    ISP1's link to SITE2 is on 203.2.2.1/24

    SITE2's internal IPs are 10.81.0.1/18 and 192.168.80.1/24.
    SITE2's external IP is 203.2.2.2/24

    IPsec traffic between workstations located within SITE1 and workstations within SITE2 is fine (on either the 192.168.80.0/24 or 10.81.0.0/18 subnet); however, I'm unable to access the internet via the NAT overload from SITE1.

    Your assistance is much appreciated - I'm sure it can be done and I'm positive I'm well on the way to making it happen, but for the life of me, I just can't make that last 'step' to actually having it work.



    -JT

  • #2
    Re: Simultaneous NAT overload (internet) and NAT overlapping for IPsec

    Well, since your NAT pool only includes the IP of the outbound NAT interface, why not just overload on that interface?

    Try removing:

    Code:
    ip nat pool NATPOOL-FOR-INTERNET 203.1.1.2 203.1.1.2 prefix-length 30
    ip nat inside source list INTERNAL-OVERLOAD-TO-INTERNET pool NATPOOL-FOR-INTERNET overload

    Replace with:

    Code:
    ip nat inside source list INTERNAL-OVERLOAD-TO-INTERNET interface fa0/0 overload
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Simultaneous NAT overload (internet) and NAT overlapping for IPsec

      Thanks for the tip auglan,

      That's what I'd originally had configured but had literally tried every combination I'd thought of (which is how I ended up where I am with the config).

      Unfortunately, it didn't make any difference at all...

      Pinging from a PC within SITE1 across to SITE2 (via the VPN) - full connectivity.
      Pinging from a PC within SITE1 to, say, the external IP of SITE2 (or 203.2.2.1, the ISP side of the ISP-SITE2 link) still returns nothing (.....)

      Results of "debug ip nat detailed" on SITE1 when attempting to ping from SITE1PC (10.1.1.10):

      Code:
      SITE1#
      *Mar  1 02:12:05.459: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [30]
      *Mar  1 02:12:05.463: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [30]
      *Mar  1 02:12:05.467: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [30]
      *Mar  1 02:12:05.603: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [30]
      *Mar  1 02:12:05.607: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [30]
      *Mar  1 02:12:05.663: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [31]
      *Mar  1 02:12:05.663: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [31]
      *Mar  1 02:12:05.675: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [31]
      *Mar  1 02:12:05.679: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [31]
      *Mar  1 02:12:05.691: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [32]
      *Mar  1 02:12:05.691: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [32]
      *Mar  1 02:12:05.707: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [32]
      *Mar  1 02:12:05.711: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [32]
      *Mar  1 02:12:05.723: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [33]
      *Mar  1 02:12:05.723: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [33]
      *Mar  1 02:12:05.731: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [33]
      *Mar  1 02:12:05.735: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [33]
      *Mar  1 02:12:05.751: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [34]
      *Mar  1 02:12:05.751: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [34]
      *Mar  1 02:12:05.791: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [34]
      *Mar  1 02:12:05.795: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [34]
      As we can see, 10.1.1.10 is being translated to 192.168.40.10 and then passed via IPsec to 10.81.0.10 (SITE2PC), and the same occurs coming back.

      However, when attempting to ping 'an internet site' (e.g. SITE2's interface on ISP1) it's "also" translating the addresses across to 192.168.40.10...

      Code:
      *Mar  1 02:12:19.095: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [35]
      *Mar  1 02:12:19.099: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [35]
      *Mar  1 02:12:19.099: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [35]
      *Mar  1 02:12:21.091: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [36]
      *Mar  1 02:12:21.091: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [36]
      *Mar  1 02:12:23.071: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [37]
      *Mar  1 02:12:23.071: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [37]
      *Mar  1 02:12:25.055: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [38]
      *Mar  1 02:12:25.055: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [38]
      *Mar  1 02:12:27.071: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [39]
      *Mar  1 02:12:27.071: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [39]
      I'm guessing this is definitely the issue - e.g. it appears to be attempting to translate ALL traffic from 10.1.1.x to 192.168.40.x (where x is 10 for this test) although it should ONLY be translating 10.1.1.x to 192.168.40.x for traffic destined to 192.168.80.0/24 or 10.81.0.0/18....

      Needless to say, updating the INTERNAL-OVERLOAD-TO-INTERNET ACL to allow for 192.168.40.0 doesn't work (and I don't believe it should double NAT (NAT to 192.168.40.10 and then NAT overload as 203.1.1.2)).

      Something to do with the route-maps maybe?

      Anyone know the differences between using "ip policy route-map" on the internal interface versus "ip nat inside source route-map...." at NAT level?

      Obviously, pinging the external interface of SITE1 from SITE1PC (e.g. 203.1.1.2 from 10.1.1.10) works fine - however, I can't ping the ISP side of the ISP-SITE1 link (203.1.1.1).


      -JT
      Last edited by JustinTwiss; 20th May 2010, 14:04. Reason: Update [quote]s to [code]s



      • #4
        Re: Simultaneous NAT overload (internet) and NAT overlapping for IPsec

        ip policy enables policy-based routing. With PBR it ignores what the routing table says and routes how the route-map is configured in the PBR policy. The route-map with NAT just matches traffic to be NATted. It also will create an extended NAT entry in the translation table.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: Simultaneous NAT overload (internet) and NAT overlapping for IPsec

          When using NAT statements with an ACL and no route-map or overload, it creates a simple translation entry which includes only inside translation information but no external translation information or ports. What may be happening is that when you send traffic across the VPN it is creating a simple entry. The problem is, when you try to get out to the internet there is already a NAT entry in the table for that source address, and it may be trying to use that one instead. Here is a link on how NAT works with ACLs, route-maps etc. and how the translations are different between the two.

          http://www.cisco.com/application/pdf...t_routemap.pdf
          CCNA, CCNA-Security, CCNP
          CCIE Security (In Progress)



          • #6
            Re: Simultaneous NAT overload (internet) and NAT overlapping for IPsec

            Hi Auglan,

            That's exactly what I found during one of my configs earlier when I was trying to get it working.

            If I cleared all NAT translations on SITE1 and pinged from SITE1PC to, say, ISP, all great - as soon as I brought up any traffic across the VPN, the external/overload NAT would immediately stop working.

            (and yes, there was a translation from 10.1.1.10 -> 192.168.40.10 in the NAT table - clearing this restored connectivity to the internet, well, at least until I accessed the VPN again)


            Any way around this?


            -JT



            • #7
              Re: Simultaneous NAT overload (internet) and NAT overlapping for IPsec

              Instead of just referencing an ACL for the VPN NAT statements, you could try making a route-map and referencing your ACL in the route-map, and use the route-map in your NAT statements instead of the ACL. That should create an extended NAT translation.
              CCNA, CCNA-Security, CCNP
              CCIE Security (In Progress)



              • #8
                Re: Simultaneous NAT overload (internet) and NAT overlapping for IPsec

                Thanks for that auglan,

                Given my limited experience with route-maps so far (mainly related to forcing IPsec interesting traffic not to be NATted via a standard overload), would you be able to suggest a route-map and ACLs that should be configured to meet my requirements?


                -JT



                • #9
                  Re: Simultaneous NAT overload (internet) and NAT overlapping for IPsec

                  Try this:

                  For
                  Code:
                  ip access-list extended INTERNAL-NAT-FOR-SITE2COMM
                  permit ip 10.1.1.0 0.0.0.255 192.168.80.0 0.0.0.255
                  permit ip 10.1.1.0 0.0.0.255 10.81.0.0 0.0.63.255
                  deny ip any any log
                  !
                  route-map INTERNAL-NAT-SITE2COMM permit 10
                  match ip address INTERNAL-NAT-FOR-SITE2COMM
                  ! Matches the above ACL in the route-map
                  !
                  ip nat inside source route-map INTERNAL-NAT-SITE2COMM pool NATPOOL-FOR-SITE2COMM
                  ! References the route-map in the NAT statement

                  Then you can remove:

                  Code:
                  ip nat inside source list INTERNAL-NAT-FOR-SITE2COMM pool NATPOOL-FOR-SITE2COMM

                  As always backup configs before making changes.
                  CCNA, CCNA-Security, CCNP
                  CCIE Security (In Progress)

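As an added example (not code from this thread, from Cisco, or from either poster), the following Python model captures the translation-table behaviour auglan describes in #5 and why the route-map fix in #9 resolves it: an ACL-based inside-source rule without overload installs a simple entry keyed on the inside-local address only, so the entry created by the first VPN flow then captures every later flow from that host, including internet-bound ones; a route-map (or overload) rule installs an extended entry keyed on source, destination and ports, so an internet-bound flow falls through to the overload rule. The addressing is taken from the thread; the host-part-preserving mapping (10.1.1.10 -> 192.168.40.10) is an assumption based on the posted debug output, and the rule-matching logic is a simplification, not an IOS implementation.

```python
"""Toy model of IOS NAT table semantics: simple vs extended entries (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed lab addressing, taken from the thread's description.
SITE1_LAN = ip_network("10.1.1.0/24")
SITE2_NETS = (ip_network("192.168.80.0/24"), ip_network("10.81.0.0/18"))
OVERLAP_POOL = ip_network("192.168.40.0/24")   # what SITE2 sees SITE1 as
INTERNET_IP = ip_address("203.1.1.2")           # SITE1 outside interface (overload)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Entry:
    """One NAT table entry. outside/ports are None for a simple entry."""
    inside_local: str
    inside_global: str
    outside: Optional[str] = None
    ports: Optional[Tuple[int, int]] = None

    def matches(self, pkt: Packet) -> bool:
        if self.inside_local != pkt.src:
            return False
        if self.outside is None:          # simple entry: inside-local only
            return True
        return self.outside == pkt.dst and self.ports == (pkt.sport, pkt.dport)


class NatRouter:
    def __init__(self, vpn_rule_uses_route_map: bool):
        self.vpn_rule_uses_route_map = vpn_rule_uses_route_map
        self.table = []

    @staticmethod
    def _rule_for(pkt: Packet) -> Optional[str]:
        """Simplified stand-in for the ACL / route-map match (assumption)."""
        if ip_address(pkt.src) not in SITE1_LAN:
            return None
        if any(ip_address(pkt.dst) in n for n in SITE2_NETS):
            return "vpn"        # INTERNAL-NAT-FOR-SITE2COMM
        return "internet"       # INTERNAL-OVERLOAD-TO-INTERNET (overload)

    def translate(self, pkt: Packet) -> str:
        """Return the source address the packet leaves the router with."""
        # Step 1: an existing table entry wins before any rule is consulted.
        for e in self.table:
            if e.matches(pkt):
                return e.inside_global
        # Step 2: no entry, evaluate the NAT rules.
        rule = self._rule_for(pkt)
        if rule == "vpn":
            # Assumption: host part preserved (10.1.1.10 -> 192.168.40.10), as in
            # the posted debug output; the real pool type is not shown there.
            host = int(ip_address(pkt.src)) - int(SITE1_LAN.network_address)
            new_src = str(OVERLAP_POOL.network_address + host)
            if self.vpn_rule_uses_route_map:
                self.table.append(Entry(pkt.src, new_src, pkt.dst, (pkt.sport, pkt.dport)))
            else:
                self.table.append(Entry(pkt.src, new_src))   # simple entry
            return new_src
        if rule == "internet":
            # "overload" always creates extended (per-flow) entries.
            self.table.append(Entry(pkt.src, str(INTERNET_IP), pkt.dst, (pkt.sport, pkt.dport)))
            return str(INTERNET_IP)
        return pkt.src   # not subject to NAT


def run_scenario(vpn_rule_uses_route_map: bool) -> Tuple[str, str]:
    """A ping over the VPN, then a ping to the internet, from the same PC."""
    r = NatRouter(vpn_rule_uses_route_map)
    vpn_src = r.translate(Packet("10.1.1.10", "10.81.0.10", 6, 6))   # SITE1PC -> SITE2PC
    inet_src = r.translate(Packet("10.1.1.10", "203.2.2.1", 7, 7))   # SITE1PC -> ISP
    return vpn_src, inet_src


if __name__ == "__main__":
    print("ACL only :", run_scenario(False))  # internet ping wrongly leaves as 192.168.40.10
    print("route-map:", run_scenario(True))   # internet ping leaves as 203.1.1.2
```

The first scenario reproduces the debug output in #3 (both pings leave as 192.168.40.10); the second reproduces the working state after #9. On a real router the same distinction is visible with `show ip nat translations`: a simple entry shows only the inside addresses, an extended one shows outside addresses and ports as well. The practical consequence is the one JT hit: a simple entry rewrites every flow from that host until it ages out or is cleared, so the overlap pool address can end up on the internet path, which is both a connectivity failure and an address leak worth watching for.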


                  • #10
                    Re: Simultaneous NAT overload (internet) and NAT overlapping for IPsec

                    Auglan, I could kiss you

                    Works perfectly as advertised - thank you very much

                    I even understand what you've done - Thank you thank you thank you as my daughter would say


                    -JT



                    • #11
                      Re: Simultaneous NAT overload (internet) and NAT overlapping for IPsec

                      No problem, glad I could help.
                      CCNA, CCNA-Security, CCNP
                      CCIE Security (In Progress)
