Solved

ipsec vpn with nat overlap

Posted on 2014-09-08 | 589 Views | Last Modified: 2014-09-21
I have a situation where I need to NAT my end of a VPN tunnel because the folks on the other end of the tunnel already have a tunnel to a network with the same IP scheme as my local network. So their local network is 172.16.254.0 and mine is 192.168.1.0. They have set up their tunnel to use 192.168.101.0 as the remote network. So I have been racking my brain over how to do NAT translation for anything to and from the tunnel. By the way, my router is a Cisco 1812 and the examples I found on the internet don't seem to apply to the IOS I have, which is c181x-advipservicesk9-mz.124-24.T5.

I found one reference that gives the command `ip nat source static <networkobject> <networkobject> destination static <networkobject>`. I have set up the three network objects, one for the remote network, one for the local network and one for the local mapped network (192.168.101.0). I do not get the opportunity to enter the "destination static" part.

Hopefully someone has some tips as I have three more locations where this needs to be done.
Question by:davidgeeee
8 Comments
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40311413
For the destination you need to create policy-based routing, so all interesting traffic goes to the tunnel.

http://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpbr.html

Author Comment

by:davidgeeee
ID: 40311789
Thanks I will read up on the topic and report back...

Author Comment

by:davidgeeee
ID: 40311793
I am only a CCNA so might need some guidance
LVL 26

Expert Comment

by:Predrag Jovic
ID: 40311861
You set up the tunnel to use 192.168.101.0 as the remote network.
You need to create a route-map for interesting traffic.

Let's assume that telnet traffic needs to go through the tunnel.

!create access-list for telnet traffic
!
access-list 100 permit tcp any any eq 23
!
!create route-map for policy based routing
!
route-map TRAFFIC_FOR_TUNNEL permit 10  <-- case sensitive
match ip address 100        <-- what is in access-list 100 needs to go to the tunnel
set ip next-hop 192.168.101.X <-- ip address of tunnel far end
route-map TRAFFIC_FOR_TUNNEL permit 20 <-- no match statement -- any other IP address -- and no set command -- route as usual
!
!under interface for INCOMING traffic
!
interface fa0/0
ip policy route-map TRAFFIC_FOR_TUNNEL


so now when you telnet to any location you are redirected through the tunnel :)
also you should add the tunnel network to the routing protocol

Author Comment

by:davidgeeee
ID: 40312083
So, let me try,

access-list 123 permit ip any 172.16.254.0 0.0.0.255
!should the above be referencing the network on the far end of the tunnel?
!
!
route-map TRAFFIC_FOR_TUNNEL permit 10
match ip address 123
set ip next-hop 172.16.254.1

Okay, still confused. The router on the other end of the tunnel has a VPN tunnel set to 172.16.254.0 as local and 192.168.101.0 as remote. On my end I have a tunnel from 192.168.1.0 local to 172.16.254.0 remote. Will this route-map work? Do I need to change my tunnel networks?

Many computers on my end need to access a few IPs on the 172.16.254.0 network.  So, I thought I would have to NAT 192.168.1.0 to 192.168.101.0 to make this work...
LVL 26

Accepted Solution

by: Predrag Jovic (earned 500 total points)
ID: 40312229
Your tunnel interfaces should have their own IP addresses.

Your side:
R1(config)# interface Tunnel1
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# tunnel source 192.168.1.1
R1(config-if)# tunnel destination 172.16.254.1

Their side:
R1(config)# interface Tunnel1
R1(config-if)# ip address 172.16.1.2 255.255.255.0
R1(config-if)# tunnel source 172.16.254.1
R1(config-if)# tunnel destination 192.168.1.1

route-map TRAFFIC_FOR_TUNNEL permit 10
match ip address 123
set ip next-hop 172.16.1.2

you can even set an ip route to the other side of the tunnel without a route-map :) with a static route (simplest solution)

ip route 172.16.254.0 255.255.255.0 172.16.1.2

and in that case the other side should point a static route in your direction on their routers

a simple solution without route-maps, and you don't need a routing protocol
(if there is no overlap between your network and theirs)
in this case you don't need NAT at all

I worked the whole day yesterday on some route-maps...
So when I have a hammer, everything looks like a nail. Same old story.
:(

Author Comment

by:davidgeeee
ID: 40312366
I can only control settings on my router, the network people on the other end of the tunnel have "hundreds" of tunnels like this and are unwilling to change their system.

Last week I set up an ASA 5505 to work with their tunnel at another location. Here are the config parts that worked:

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0
!
access-list outside_cryptomap extended permit ip 10.0.5.0 255.255.255.0 172.16.254.0 255.255.255.0
!
access-list SMRS extended permit ip 10.0.0.0 255.255.255.0 172.16.254.0 255.255.255.0
!
static (inside,outside) 10.0.5.0  access-list SMRS
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

!
In this case my network was 10.0.0.0 and they forced me to NAT to 10.0.5.0. Unfortunately these commands are not available on the 1812 router.

I like the hammer analogy, Predrag!!  And thank you for helping!

Author Comment

by:davidgeeee
ID: 40335469
It took a long time for me to figure it out, but these are the commands needed to create the route-map that Predrag Jovic suggested.

ip access-list extended 150
 permit ip 192.168.1.0 0.0.0.255 172.16.254.0 0.0.0.255
!
ip nat pool NAT-POOL 192.168.101.0 192.168.101.255 netmask 255.255.255.0 type match-host
!
route-map static-vpn permit 10
 match ip address 150
!
ip nat inside source route-map static-vpn pool NAT-POOL reversible
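To make clear what the final configuration actually does to a packet, here is an added Python model (not code from the thread or from Cisco) of the three pieces it combines: the overlap that forces the translation, the wildcard-mask ACL that selects "interesting" traffic for the route-map, and the `type match-host` pool that rewrites 192.168.1.x to 192.168.101.x while keeping the host octet, with `reversible` mapping remote-originated traffic back. The 192.168.1.0/24 network assumed for the remote site's other tunnel is a constructed value; the thread only says it uses "the same IP scheme" as the local LAN.

```python
import ipaddress

# Networks taken from the thread: local LAN, remote LAN behind the tunnel, and
# the pool the remote side expects the local hosts to appear from.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
REMOTE_NET = ipaddress.ip_network("172.16.254.0/24")
NAT_POOL = ipaddress.ip_network("192.168.101.0/24")
# Constructed assumption: the remote site's other tunnel already carries
# 192.168.1.0/24, which is what makes the translation necessary.
REMOTE_OTHER_TUNNEL_NET = ipaddress.ip_network("192.168.1.0/24")


def needs_nat(local_net, networks_known_to_peer):
    """True if the local LAN collides with any network the peer already routes."""
    return any(local_net.overlaps(n) for n in networks_known_to_peer)


def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    n = int(ipaddress.ip_address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (a & care) == (n & care)


def acl_150_permits(src, dst):
    """'permit ip 192.168.1.0 0.0.0.255 172.16.254.0 0.0.0.255' from the thread.
    Only this traffic is interesting to the route-map; everything else falls
    through the implicit deny and is left untranslated."""
    return (wildcard_match(src, "192.168.1.0", "0.0.0.255")
            and wildcard_match(dst, "172.16.254.0", "0.0.0.255"))


def match_host(addr, target_net):
    """'type match-host': keep the host bits, replace the network bits."""
    host_bits = int(ipaddress.ip_address(addr)) & int(target_net.hostmask)
    return str(ipaddress.ip_address(int(target_net.network_address) | host_bits))


def outbound(src, dst):
    """inside -> outside (LAN towards the tunnel): the source is rewritten only
    when the route-map's ACL matches, as 'ip nat inside source route-map ... pool'
    does; traffic to anywhere else keeps its real address."""
    if acl_150_permits(src, dst):
        return match_host(src, NAT_POOL), dst
    return src, dst


def inbound(src, dst):
    """outside -> inside: with 'reversible', traffic from the remote LAN addressed
    to a pool address is mapped back to the real host, so the remote side can
    also initiate connections rather than only answer them."""
    if (ipaddress.ip_address(src) in REMOTE_NET
            and ipaddress.ip_address(dst) in NAT_POOL):
        return src, match_host(dst, LOCAL_NET)
    return src, dst


if __name__ == "__main__":
    print("NAT required:", needs_nat(LOCAL_NET, [REMOTE_NET, REMOTE_OTHER_TUNNEL_NET]))
    print("LAN host to remote server:", outbound("192.168.1.25", "172.16.254.10"))
    print("LAN host to Internet (untouched):", outbound("192.168.1.25", "203.0.113.7"))
    print("Remote server back to LAN host:", inbound("172.16.254.10", "192.168.101.25"))
```

One caveat the model makes visible: on IOS, inside-to-outside NAT runs before the crypto map is consulted, so the crypto ACL for this tunnel has to match the translated 192.168.101.0/24 source, not 192.168.1.0/24, exactly as the ASA example above uses the NATted 10.0.5.0 network in `outside_cryptomap`. The interface `ip nat inside` / `ip nat outside` statements are assumed to be present, since the posted snippet only shows the NAT and route-map lines.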
