Chris Ashton

asked on
NAT problem - Site to site VPN - Cisco Router

I have a remote site for which I have configured a Cisco router with internet access and an L2L IPSec VPN.

The remote site is running a subnet that is also present at the main site (although the remote site does not need to access the same subnet at the main site).  To allow the main site to route to the remote site, I have therefore configured a source NAT from the remote site to a second private range when destined for the main site.  All other outbound traffic should be translated using the overload.

Remote site users can currently access the internet and NAT to the overload IP correctly.  However, when a user contacts the main site across the VPN (which they can), all subsequent address translations from that user then get made to the private range only (even for internet).  This immediately cuts off outbound internet access (as the user's source IP is from the private translated range instead of the overload).

You can see this occurring in the output from show ip nat translations...

Internet access (NAT) working correctly...

RTR-01#sho ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 82.x.x.x:1    192.168.1.99:1     8.8.8.8:1          8.8.8.8:1

Internet access (NAT) not working...

RTR-01#sho ip nat translations | inc 192.168.1.99
icmp 192.168.54.66:1   192.168.1.99:1     8.8.8.8:1          8.8.8.8:1
icmp 192.168.54.66:1   192.168.1.99:1     10.4.0.55:1        10.4.0.55:1

This is the config relevant to the issue...

interface Vlan1
 ip address 192.168.1.9 255.255.255.0
 ip nat inside

interface Dialer1
 ip address negotiated
 ip nat outside

ip nat pool vpn-dynamic-nat 192.168.54.65 192.168.54.126 prefix-length 24
ip nat inside source list 102 pool vpn-dynamic-nat
ip nat inside source list 110 interface Dialer1 overload

access-list 102 remark ** VPN Dynamic Source NAT **
access-list 102 permit ip 192.168.1.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 102 deny   ip any any

access-list 110 remark ** NAT ACL **
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 deny   ip any any

Can anyone see what is causing this issue?

Is it as simple as the VPN NAT statement coming before the overload NAT statement?  I assumed the ACLs would determine which NAT statement would be used.
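The check the asker did by eye on the two `show ip nat translations` dumps can be automated, which is useful when auditing a router after a NAT change. The script below is an added example and is not part of the original question or of the accepted answer: it parses the translation table, applies the policy implied by the posted config (destinations in 10.4.0.0/24 should be translated into the 192.168.54.65-126 pool, everything else to the Dialer1 address), and reports every entry that breaks that rule. The Dialer1 address 203.0.113.7 is a placeholder for the masked 82.x.x.x, and the sample table is constructed from the question's lines plus one non-extended (`---`) entry of the kind IOS creates for a pool without overload, so the script also shows how such a host-level entry is reported.

```python
"""Audit a Cisco 'show ip nat translations' dump against an intended NAT policy.

Added example (not from the question or the answer). Policy values below are
taken from the posted config; the overload address is a placeholder.
"""
import ipaddress

# Policy derived from the configuration in the question.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")        # Vlan1, ip nat inside
VPN_DEST_NET = ipaddress.ip_network("10.4.0.0/24")        # main-site range in ACL 102
VPN_POOL = ipaddress.ip_network("192.168.54.64/26")       # covers .65-.126 from the pool statement
OVERLOAD_IP = ipaddress.ip_address("203.0.113.7")         # placeholder for the masked 82.x.x.x on Dialer1

# Constructed sample: the question's entries plus one non-extended ('---') entry.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 203.0.113.7:1     192.168.1.99:1     8.8.8.8:1          8.8.8.8:1
icmp 192.168.54.66:1   192.168.1.99:1     8.8.8.8:1          8.8.8.8:1
icmp 192.168.54.66:1   192.168.1.99:1     10.4.0.55:1        10.4.0.55:1
--- 192.168.54.66      192.168.1.99       ---                ---
"""


def _addr(token):
    """'a.b.c.d:port' or 'a.b.c.d' -> IPv4Address; '---' -> None."""
    if token == "---":
        return None
    return ipaddress.ip_address(token.rsplit(":", 1)[0])


def parse_translations(text):
    """Parse the table into dicts, skipping the header and any malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        entries.append({
            "proto": proto,
            "inside_global": _addr(ig),
            "inside_local": _addr(il),
            "outside_global": _addr(og),
            "extended": proto != "---",   # '---' rows carry no protocol/ports/destination
        })
    return entries


def expected_global(outside_global):
    """Global address (or pool) the policy intends for a given destination."""
    if outside_global is None:
        return None                        # no destination to judge a host-level entry by
    if outside_global in VPN_DEST_NET:
        return VPN_POOL
    return OVERLOAD_IP


def audit(text):
    """Return (inside_local, outside_global, inside_global, reason) for each policy violation."""
    findings = []
    for e in parse_translations(text):
        if e["inside_local"] not in INSIDE_NET:
            continue
        want = expected_global(e["outside_global"])
        if want is None:
            # A host-level entry maps the inside host to one global address regardless of
            # destination, so destination-based selection between the two rules cannot apply.
            findings.append((str(e["inside_local"]), None, str(e["inside_global"]),
                             "host-level entry pins the inside global for every destination"))
            continue
        if isinstance(want, ipaddress.IPv4Network):
            ok = e["inside_global"] in want
        else:
            ok = e["inside_global"] == want
        if not ok:
            findings.append((str(e["inside_local"]), str(e["outside_global"]), str(e["inside_global"]),
                             "inside global does not match the policy for this destination"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT):
        print(finding)
```

Run against the sample, it passes the first and third rows (overload address for the internet, pool address for the main site) and reports the second row, which is exactly the broken state the asker pasted: an internet destination translated into the VPN pool. Feeding it a fresh dump after the change is a quick way to confirm the fix held for every host, not just the one you tested with.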
ASKER CERTIFIED SOLUTION
SIM50

This solution is only available to members.
Chris Ashton (ASKER)
Hi SIM,

Thanks for your response.  Before I implement this change, which will need to be scheduled, can you explain in technical terms the logical reason the current config is not achieving my requirement, and also how/why your suggestion will resolve this?  If you can include some reference material, that would be great.

Many thanks in advance.

Chris
Bump
SOLUTION
SIM50

This solution is only available to members.
Amazing. The explanation makes complete sense. I'll get this changed and update you once it's done.

Many thanks for your help SIM50!
Answer provided.