Help! disable NAT between two LANs (over IPSec)

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Help! disable NAT between two LANs (over IPSec)

    Hello,

    We have two Cisco 1840 Routers. One is at our main office. The other one is at our branch office. The main office uses the following network: 10.0.0.128/255.255.255.128
    The branch office uses 10.0.0.0/255.255.255.128

    The internal router address on site A (Main Office) is: 10.0.0.254
    The internal router address on site B (Branch Office) is: 10.0.0.1



    We have an IPSec tunnel between the two routers.
    In the main office I have an IP pool which I use with NAT (or should I say PAT) to publish web servers on port 80 and 443.

    When people from the branch office try to access the servers which I publish to the world, they can't.
    I suspect that's because of the NAT.
    How can I configure the router not to NAT when sending packets into the tunnel?


    Thank you in advance

  • #2
    Re: Help! disable NAT between two LANs (over IPSec)

    If you've a tunnel between the 2 sites, they're both 'internal' subnets, so your branch office traffic shouldn't be going out to the internet and then back into Main to access the servers, unless your tunnel can't handle the traffic.

    Can you give any more info about how both sites access the Internet vs. any internal resources (domain logons, file shares, etc.)? Do both sites have their own DCs and file shares? Do both sites have their own internet access, or does one site share that through the tunnel?

    Even router configs would help (properly sanitized, of course).
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **



    • #3
      Re: Help! disable NAT between two LANs (over IPSec)

      Please post a config of the routers.
      CCNA, CCNA-Security, CCNP
      CCIE Security (In Progress)



      • #4
        Re: Help! disable NAT between two LANs (over IPSec)

        Please post a config of the routers. Also include the private IPs of the servers. I assume you already have a no-NAT ACL configured for the remote networks.

        No-NAT ACL with NAT policy:

        access-list 100 deny ip 10.0.0.0 0.0.0.127 10.0.0.128 0.0.0.127
        access-list 100 permit ip any any

        route-map NO_NAT permit 10
        match ip address 100

        ip nat inside source route-map NO_NAT interface "your interface" overload


        You should also have your Proxy ID for the L2L VPN (crypto ACL):


        access-list 101 permit ip 10.0.0.0 0.0.0.127 10.0.0.128 0.0.0.127 (Will need a mirror acl on the other side of the tunnel)


        I assume you are using static NAT or static PAT for your servers. Let's assume one of your servers is 10.0.0.240. This will deny NAT translation from the web server when the destination is the remote tunnel network, and allow it for any other destination:




        ip access-list extended NO_NAT_STATIC
        deny ip host 10.0.0.240 10.0.0.0 0.0.0.127
        permit ip host 10.0.0.240 any


        route-map NO_NAT_STATIC permit 10
        match ip address NO_NAT_STATIC

        ip nat inside source static 10.0.0.240 X.X.X.X route-map NO_NAT_STATIC (The X here meaning whatever public IP space you're NATting to)
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)
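        As an added example (not code from the thread or from any poster), a small Python checker that evaluates the ACL/route-map pairs quoted above: which flows a route-map-based NAT statement would still translate, and whether the crypto ACL on one side is the mirror of the other. It assumes Cisco first-match semantics with an implicit deny and only handles `ip` entries with `host`/`any`/wildcard address specs; the sample ACLs are the ones from this post.

        ```python
        import ipaddress

        ALL_ONES = 0xFFFFFFFF

        def _parse_spec(tokens):
            """Consume one address spec (any | host X | X WILDCARD); return (network, mask, remaining tokens)."""
            if tokens[0] == "any":
                return 0, 0, tokens[1:]                      # mask 0 matches every address
            if tokens[0] == "host":
                return int(ipaddress.IPv4Address(tokens[1])), ALL_ONES, tokens[2:]
            addr = int(ipaddress.IPv4Address(tokens[0]))
            wildcard = int(ipaddress.IPv4Address(tokens[1]))
            mask = wildcard ^ ALL_ONES                       # wildcard bits are the inverse of a netmask
            return addr & mask, mask, tokens[2:]

        def parse_acl(text):
            """Parse '[access-list N] permit|deny ip SRC DST' lines into (action, s_net, s_mask, d_net, d_mask) tuples."""
            entries = []
            for line in text.strip().splitlines():
                tokens = line.split()
                if tokens[0] == "access-list":                # numbered ACL: drop 'access-list N'
                    tokens = tokens[2:]
                action, proto = tokens[0], tokens[1]
                if action not in ("permit", "deny") or proto != "ip":
                    raise ValueError(f"unsupported entry: {line}")
                s_net, s_mask, rest = _parse_spec(tokens[2:])
                d_net, d_mask, _ = _parse_spec(rest)
                entries.append((action, s_net, s_mask, d_net, d_mask))
            return entries

        def acl_action(entries, src, dst):
            """First matching entry wins; no match is the implicit deny at the end of every Cisco ACL."""
            s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
            for action, s_net, s_mask, d_net, d_mask in entries:
                if (s & s_mask) == s_net and (d & d_mask) == d_net:
                    return action
            return "deny"

        def nat_translates(entries, src, dst):
            """'ip nat inside source ... route-map X' with 'match ip address ACL' only translates flows the ACL permits."""
            return acl_action(entries, src, dst) == "permit"

        def is_mirror(local, remote):
            """Crypto ACLs mirror when each local permit (src, dst) appears remotely as (dst, src)."""
            local_swapped = {(e[3], e[4], e[1], e[2]) for e in local if e[0] == "permit"}
            remote_pairs = {(e[1], e[2], e[3], e[4]) for e in remote if e[0] == "permit"}
            return local_swapped == remote_pairs

        # Constructed sample input: the no-NAT ACL and crypto ACL quoted in the post above.
        NO_NAT = parse_acl("access-list 100 deny ip 10.0.0.0 0.0.0.127 10.0.0.128 0.0.0.127\n"
                           "access-list 100 permit ip any any")
        CRYPTO_A = parse_acl("access-list 101 permit ip 10.0.0.0 0.0.0.127 10.0.0.128 0.0.0.127")
        CRYPTO_B = parse_acl("access-list 101 permit ip 10.0.0.128 0.0.0.127 10.0.0.0 0.0.0.127")
        ```

        Running `nat_translates(NO_NAT, "10.0.0.10", "10.0.0.200")` returns False (tunnel traffic stays untranslated) while the same source to an Internet address returns True, and `is_mirror(CRYPTO_A, CRYPTO_B)` confirms the two crypto ACLs are proper mirrors.
        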



        • #5
          Re: Help! disable NAT between two LANs (over IPSec)

          Also, as a reminder, dynamic NAT/PAT isn't bidirectional, meaning hosts on the outside can't access an address that has been dynamically NATted/PATted. You need either a static NAT or static PAT.
          Last edited by auglan; 24th April 2012, 20:44.
          CCNA, CCNA-Security, CCNP
          CCIE Security (In Progress)
