Cisco 887 nat exemption for IPSEC vpn

We have a Cisco 887 at a Satellite office which has an IPSEC VPN back to head office which is a Juniper SRX. We need connectivity from the satellite office to the head office for an internal SIP trunk.

The satellite PBX is routed outbound via a different internet connection to the rest of the internet traffic at the Satellite office, it also has static nat for some SIP sessions.

The two default gateways are for example.. Data: 10.10.10.1 Voice: 20.20.20.1

ip nat inside source static 172.31.100.250 interface Vlan11 (Interface Vlan11 is in the 20.20.20.1 range)

When I change this following a guide online to exempt the traffic from NAT for the VPN, it allows the VPN to work but breaks the upstream provider SIP trunk.
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14144-static.html

Once I change this I can see in the nat translations table that the internal address changes and the SIP trunks stop working. Is there a way to keep internal address as the 20.20.20.1 network?

Pre Changes
udp 20.20.20.1:5060 172.31.100.250:5060 20.20.20.1:5060 20.20.20.1:5060

Post Changes
udp 10.10.10.1:1026 172.31.100.250:5060 20.20.20.1:5060 20.20.20.1:5060
YorkDataAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JustInCaseCommented:
As example states on link you gave:
ip nat inside source list 122 interface Fa Y (Fa Y is your out interface where VOICE traffic need to be forwarded - VPN tunnel interface)
    access-list 122 deny ip 20.20.20.0 0.0.0.255 any
    access-list 122 permit ip any any

This will prevent any IP NAT translation of all hosts in VOICE network, all other traffic will be natted.
So if you need some other traffic through VPN just add those hosts (or networks) with deny statement and that's it.
YorkDataAuthor Commented:
Yes it does enable the traffic to be routed over the VPN but when I look at the nat translations it does the below and causes the SIP trunks to be unable to connect.

Pre Changes
udp 20.20.20.1:5060 172.31.100.250:5060 20.20.20.1:5060 20.20.20.1:5060

Post Changes
udp 10.10.10.1:1026 172.31.100.250:5060 20.20.20.1:5060 20.20.20.1:5060
JustInCaseCommented:
I am not sure about your nat statements.
:)
Why would DATA VLAN range would be there at all?
That would mean that you have nat statement like this one
ip nat inside source static 172.31.100.250 10.10.10.1
or. if you use interface - you use wrong inerface (data VLAN interface)

Pro    Inside global       Inside local        Outside local      Outside global
udp 10.10.10.1:1026 172.31.100.250:5060 20.20.20.1:5060 20.20.20.1:5060
This means that packet from 172.31.100.250 is sent through outside interface with ip address 10.10.10.1

You can create this statement
ip nat inside source udp 172.31.100.250 5060 20.20.20.1 5060
I guess that would to the trick.

If not, could you paste relevant parts of config?
That would mean all ip  nat statements, including those on VLAN interfaces, including ip addresses of involved interfaces.
Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

YorkDataAuthor Commented:
When I tried to add the statement i got an error when I got the the source, it wanted me to put static first. If I put static in the rule I got the below.

CISCO887VA-K9(config)# ip nat inside source static udp 172.31.100.250 5060 20.20.20.1 5060
% similar static entry (172.31.100.250 -> 95.138.207.154) already exists

Everything is in the Data network, there is a Data WAN and a VoIP WAN. Here are the nat rules on the router. Vlan10 is the WAN subnet of 10.10.10.1

ip nat inside source static tcp 172.31.100.100 443 interface Vlan10 443
ip nat inside source static tcp 172.31.100.100 25 interface Vlan10 25
ip nat inside source route-map map_nat_wan interface Vlan10 overload
ip nat inside source static 172.31.100.250 20.20.20.1 route-map no-nat

route-map no-nat permit 10
 match ip address 150

access-list 150 deny   ip host 172.31.100.250 192.168.1.0 0.0.0.255
access-list 150 permit ip host 172.31.100.250 any
YorkDataAuthor Commented:
Heres a simple diagram attached if it helps
SimpleDiagram.png
JustInCaseCommented:
CISCO887VA-K9(config)# ip nat inside source static udp 172.31.100.250 5060 20.20.20.1 5060
% similar static entry (172.31.100.250 -> 95.138.207.154) already exists
I guess that upper nat statement is contained in
ip nat inside source route-map map_nat_wan interface Vlan10 overload
so what is route-map map_nat_wan

What is your route to 192.168.1.0/24 (I guess that is remote VOIP network)
#sh ip route 192.168.1.0
YorkDataAuthor Commented:
Yes that is the remote network over the VPN. There isn't anything in the routing table for 192.168.1.0 as it is a policy based VPN (I'm primarily a Juniper brain)

CISCO887VA-K9#show ip route 192.168.1.0
% Network not in table

Remote VPN network gateway is 192.168.1.2/24

Route-map and associated access-list below

route-map map_nat_wan permit 10
 match ip address acl_nat

ip access-list extended acl_nat
 deny   ip 172.31.100.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 172.31.200.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip 172.31.100.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 172.31.100.0 0.0.0.255 192.168.103.0 0.0.0.255
 deny   ip 172.31.200.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 172.31.200.0 0.0.0.255 192.168.103.0 0.0.0.255
 permit ip 172.31.100.0 0.0.0.255 any
 permit ip 172.31.200.0 0.0.0.255 any
JustInCaseCommented:
If there in no matching route (or PBR taking place) traffic will be forwarded by default route and I guess that next hop is in that case 10.10.10.2  (and you don't want that).
Check your PBR.
YorkDataAuthor Commented:
I have the PBR setup and working, all devices connect over the VPN as the settings are, if I remove the static nat rule, the device on 172.31.100.250 can connect over the VPN. as soon as I add the static nat the device can no longer connect over the VPN. It appears that static nat takes place before PBR therefore I am trying to exclude the IP from being nat'd when it is destined for the VPN. As soon as I add the route-map to stop the NAT it breaks the SIP trunks because the internal Global IP address changes to the Data WAN IP rather than the Voice WAN IP.. If that makes sense?

PBR
ip access-list extended YDS-VOICE-VPN
 permit ip 172.31.100.0 0.0.0.255 192.168.1.0 0.0.0.255

Appreciate the help so far.
JustInCaseCommented:
That is just one part of PBR

PBR have 3 parts

1. Route-map
route-map VOIP permit 10
 match ip address YDS-VOICE-VPN
 set ip next-hop 20.20.20.2

2. ACL to mark interesting traffic
ip access-list extended YDS-VOICE-VPN
 permit ip 172.31.100.0 0.0.0.255 192.168.1.0 0.0.0.255

3. Interface to apply route-map (interface where your traffic enters router)
interface gi0/1
 ip policy route-map VOIP

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
YorkDataAuthor Commented:
Yes I have all three sections, I was just showing teh acl is there. The only problem we have is that when I no-nat the IP for the VPN traffic, the static nat'd pbx starts using the data WAN ip rather than the voice WAN for its source address therefore the SIP trunks won't come up because the source address is different to the inbound address.

Is there a way to force a certain internal IP to use a certain global IP for outbound connections?

Its a weird setup, there is only one internet connection but the ISP has setup two different global subnets one for data and one for voice which is presented to the Cisco on different VLAN's.
JustInCaseCommented:
Is there a way to force a certain internal IP to use a certain global IP for outbound connections?
That is what PBR is there for, other similar case case is, of course, to set static route for some destination. It will not forward some specific range of IP addresses, but to some specific range of IP addresses.
ip route 192.168.1.0 0.0.0.255 20.20.20.2
If PBR is working as it should this will have no influence on forwarding traffic for VOIP.

Are you maybe using MPLS, since on drawing you have VLAN 10 and 20 on ISP router?
YorkDataAuthor Commented:
It appears there was a bug in the software version, this router was swapped out with a more recent firmware and this resolved the issue. The above route-map is correct
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Internet Protocol Security

From novice to tech pro — start learning today.