YorkData
asked on
Cisco 887 nat exemption for IPSEC vpn
We have a Cisco 887 at a Satellite office which has an IPSEC VPN back to head office which is a Juniper SRX. We need connectivity from the satellite office to the head office for an internal SIP trunk.
The satellite PBX is routed outbound via a different internet connection to the rest of the internet traffic at the Satellite office, it also has static nat for some SIP sessions.
The two default gateways are for example.. Data: 10.10.10.1 Voice: 20.20.20.1
ip nat inside source static 172.31.100.250 interface Vlan11 (Interface Vlan11 is in the 20.20.20.1 range)
When I change this following a guide online to exempt the traffic from NAT for the VPN, it allows the VPN to work but breaks the upstream provider SIP trunk.
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14144-static.html
Once I change this I can see in the nat translations table that the internal address changes and the SIP trunks stop working. Is there a way to keep internal address as the 20.20.20.1 network?
Pre Changes
udp 20.20.20.1:5060 172.31.100.250:5060 20.20.20.1:5060 20.20.20.1:5060
Post Changes
udp 10.10.10.1:1026 172.31.100.250:5060 20.20.20.1:5060 20.20.20.1:5060
The satellite PBX is routed outbound via a different internet connection to the rest of the internet traffic at the Satellite office, it also has static nat for some SIP sessions.
The two default gateways are for example.. Data: 10.10.10.1 Voice: 20.20.20.1
ip nat inside source static 172.31.100.250 interface Vlan11 (Interface Vlan11 is in the 20.20.20.1 range)
When I change this following a guide online to exempt the traffic from NAT for the VPN, it allows the VPN to work but breaks the upstream provider SIP trunk.
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14144-static.html
Once I change this I can see in the nat translations table that the internal address changes and the SIP trunks stop working. Is there a way to keep internal address as the 20.20.20.1 network?
Pre Changes
udp 20.20.20.1:5060 172.31.100.250:5060 20.20.20.1:5060 20.20.20.1:5060
Post Changes
udp 10.10.10.1:1026 172.31.100.250:5060 20.20.20.1:5060 20.20.20.1:5060
ASKER
Yes it does enable the traffic to be routed over the VPN but when I look at the nat translations it does the below and causes the SIP trunks to be unable to connect.
Pre Changes
udp 20.20.20.1:5060 172.31.100.250:5060 20.20.20.1:5060 20.20.20.1:5060
Post Changes
udp 10.10.10.1:1026 172.31.100.250:5060 20.20.20.1:5060 20.20.20.1:5060
Pre Changes
udp 20.20.20.1:5060 172.31.100.250:5060 20.20.20.1:5060 20.20.20.1:5060
Post Changes
udp 10.10.10.1:1026 172.31.100.250:5060 20.20.20.1:5060 20.20.20.1:5060
I am not sure about your nat statements.
:)
Why would DATA VLAN range would be there at all?
That would mean that you have nat statement like this one
ip nat inside source static 172.31.100.250 10.10.10.1
or. if you use interface - you use wrong inerface (data VLAN interface)
Pro Inside global Inside local Outside local Outside global
udp 10.10.10.1:1026 172.31.100.250:5060 20.20.20.1:5060 20.20.20.1:5060
This means that packet from 172.31.100.250 is sent through outside interface with ip address 10.10.10.1
You can create this statement
ip nat inside source udp 172.31.100.250 5060 20.20.20.1 5060
I guess that would to the trick.
If not, could you paste relevant parts of config?
That would mean all ip nat statements, including those on VLAN interfaces, including ip addresses of involved interfaces.
:)
Why would DATA VLAN range would be there at all?
That would mean that you have nat statement like this one
ip nat inside source static 172.31.100.250 10.10.10.1
or. if you use interface - you use wrong inerface (data VLAN interface)
Pro Inside global Inside local Outside local Outside global
udp 10.10.10.1:1026 172.31.100.250:5060 20.20.20.1:5060 20.20.20.1:5060
This means that packet from 172.31.100.250 is sent through outside interface with ip address 10.10.10.1
You can create this statement
ip nat inside source udp 172.31.100.250 5060 20.20.20.1 5060
I guess that would to the trick.
If not, could you paste relevant parts of config?
That would mean all ip nat statements, including those on VLAN interfaces, including ip addresses of involved interfaces.
ASKER
When I tried to add the statement i got an error when I got the the source, it wanted me to put static first. If I put static in the rule I got the below.
CISCO887VA-K9(config)# ip nat inside source static udp 172.31.100.250 5060 20.20.20.1 5060
% similar static entry (172.31.100.250 -> 95.138.207.154) already exists
Everything is in the Data network, there is a Data WAN and a VoIP WAN. Here are the nat rules on the router. Vlan10 is the WAN subnet of 10.10.10.1
ip nat inside source static tcp 172.31.100.100 443 interface Vlan10 443
ip nat inside source static tcp 172.31.100.100 25 interface Vlan10 25
ip nat inside source route-map map_nat_wan interface Vlan10 overload
ip nat inside source static 172.31.100.250 20.20.20.1 route-map no-nat
route-map no-nat permit 10
match ip address 150
access-list 150 deny ip host 172.31.100.250 192.168.1.0 0.0.0.255
access-list 150 permit ip host 172.31.100.250 any
CISCO887VA-K9(config)# ip nat inside source static udp 172.31.100.250 5060 20.20.20.1 5060
% similar static entry (172.31.100.250 -> 95.138.207.154) already exists
Everything is in the Data network, there is a Data WAN and a VoIP WAN. Here are the nat rules on the router. Vlan10 is the WAN subnet of 10.10.10.1
ip nat inside source static tcp 172.31.100.100 443 interface Vlan10 443
ip nat inside source static tcp 172.31.100.100 25 interface Vlan10 25
ip nat inside source route-map map_nat_wan interface Vlan10 overload
ip nat inside source static 172.31.100.250 20.20.20.1 route-map no-nat
route-map no-nat permit 10
match ip address 150
access-list 150 deny ip host 172.31.100.250 192.168.1.0 0.0.0.255
access-list 150 permit ip host 172.31.100.250 any
ASKER
Heres a simple diagram attached if it helps
SimpleDiagram.png
SimpleDiagram.png
CISCO887VA-K9(config)# ip nat inside source static udp 172.31.100.250 5060 20.20.20.1 5060I guess that upper nat statement is contained in
% similar static entry (172.31.100.250 -> 95.138.207.154) already exists
ip nat inside source route-map map_nat_wan interface Vlan10 overload
so what is route-map map_nat_wan
What is your route to 192.168.1.0/24 (I guess that is remote VOIP network)
#sh ip route 192.168.1.0
ASKER
Yes that is the remote network over the VPN. There isn't anything in the routing table for 192.168.1.0 as it is a policy based VPN (I'm primarily a Juniper brain)
CISCO887VA-K9#show ip route 192.168.1.0
% Network not in table
Remote VPN network gateway is 192.168.1.2/24
Route-map and associated access-list below
route-map map_nat_wan permit 10
match ip address acl_nat
ip access-list extended acl_nat
deny ip 172.31.100.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 172.31.200.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip 172.31.100.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 172.31.100.0 0.0.0.255 192.168.103.0 0.0.0.255
deny ip 172.31.200.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 172.31.200.0 0.0.0.255 192.168.103.0 0.0.0.255
permit ip 172.31.100.0 0.0.0.255 any
permit ip 172.31.200.0 0.0.0.255 any
CISCO887VA-K9#show ip route 192.168.1.0
% Network not in table
Remote VPN network gateway is 192.168.1.2/24
Route-map and associated access-list below
route-map map_nat_wan permit 10
match ip address acl_nat
ip access-list extended acl_nat
deny ip 172.31.100.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 172.31.200.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip 172.31.100.0 0.0.0.255 192.168.20.0 0.0.0.255
deny ip 172.31.100.0 0.0.0.255 192.168.103.0 0.0.0.255
deny ip 172.31.200.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 172.31.200.0 0.0.0.255 192.168.103.0 0.0.0.255
permit ip 172.31.100.0 0.0.0.255 any
permit ip 172.31.200.0 0.0.0.255 any
If there in no matching route (or PBR taking place) traffic will be forwarded by default route and I guess that next hop is in that case 10.10.10.2 (and you don't want that).
Check your PBR.
Check your PBR.
ASKER
I have the PBR setup and working, all devices connect over the VPN as the settings are, if I remove the static nat rule, the device on 172.31.100.250 can connect over the VPN. as soon as I add the static nat the device can no longer connect over the VPN. It appears that static nat takes place before PBR therefore I am trying to exclude the IP from being nat'd when it is destined for the VPN. As soon as I add the route-map to stop the NAT it breaks the SIP trunks because the internal Global IP address changes to the Data WAN IP rather than the Voice WAN IP.. If that makes sense?
PBR
ip access-list extended YDS-VOICE-VPN
permit ip 172.31.100.0 0.0.0.255 192.168.1.0 0.0.0.255
Appreciate the help so far.
PBR
ip access-list extended YDS-VOICE-VPN
permit ip 172.31.100.0 0.0.0.255 192.168.1.0 0.0.0.255
Appreciate the help so far.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Yes I have all three sections, I was just showing teh acl is there. The only problem we have is that when I no-nat the IP for the VPN traffic, the static nat'd pbx starts using the data WAN ip rather than the voice WAN for its source address therefore the SIP trunks won't come up because the source address is different to the inbound address.
Is there a way to force a certain internal IP to use a certain global IP for outbound connections?
Its a weird setup, there is only one internet connection but the ISP has setup two different global subnets one for data and one for voice which is presented to the Cisco on different VLAN's.
Is there a way to force a certain internal IP to use a certain global IP for outbound connections?
Its a weird setup, there is only one internet connection but the ISP has setup two different global subnets one for data and one for voice which is presented to the Cisco on different VLAN's.
Is there a way to force a certain internal IP to use a certain global IP for outbound connections?That is what PBR is there for, other similar case case is, of course, to set static route for some destination. It will not forward some specific range of IP addresses, but to some specific range of IP addresses.
ip route 192.168.1.0 0.0.0.255 20.20.20.2
If PBR is working as it should this will have no influence on forwarding traffic for VOIP.
Are you maybe using MPLS, since on drawing you have VLAN 10 and 20 on ISP router?
ASKER
It appears there was a bug in the software version, this router was swapped out with a more recent firmware and this resolved the issue. The above route-map is correct
ip nat inside source list 122 interface Fa Y (Fa Y is your out interface where VOICE traffic need to be forwarded - VPN tunnel interface)
access-list 122 deny ip 20.20.20.0 0.0.0.255 any
access-list 122 permit ip any any
This will prevent any IP NAT translation of all hosts in VOICE network, all other traffic will be natted.
So if you need some other traffic through VPN just add those hosts (or networks) with deny statement and that's it.