Michael
Source address Nat on cisco IOS

Hi,

[Network diagram image]

Due to a limitation with pfSense IPsec VTIs I need to NAT the inbound public IP address of hosts connecting to 58.96.x.x on port 25. This is because I have a policy route configured on the pfSense box to send all traffic originating from 10.121.34.1 through to 1.1.8.1; however, this only works on traffic originated by the mail server. When it replies to requests, pfSense forwards responses out of its internet-facing interface. The only way I can think of is to NAT the source IP of the requests coming from the internet on the Melbourne router, so I can then put a static route on the pfSense router pointing to Melbourne for that NAT pool.

I've played around on the Cisco router with various NAT configurations, however I cannot get it to work. I'm embarrassed to post them as I'm sure they are wildly off.

Can anyone help, based on the above diagram, with the correct NAT entries? I'm proposing to create a NAT pool of 10.110.254.0/24.
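One way to express the design described in the question as Cisco IOS configuration on the Melbourne router (an added example, not posted by anyone in this thread). The interface names, the ACL name and the pool name are assumptions; 58.96.x.x is kept as the asker wrote it and is assumed to be the SMTP address internet clients connect to, as seen on the router's outside interface.

```cisco
! Assumed interface names; use the Melbourne router's real ones.
interface GigabitEthernet0/0
 description Internet
 ip nat outside
!
interface GigabitEthernet0/1
 description Towards pfSense
 ip nat inside
!
! Pool the asker proposed: translated source addresses for internet SMTP clients.
ip nat pool SMTP-CLIENTS 10.110.254.1 10.110.254.254 netmask 255.255.255.0
!
! Only match internet hosts talking to the mail server address on TCP/25,
! so ordinary internet traffic is left untouched.
ip access-list extended SMTP-INBOUND
 permit tcp any host 58.96.x.x eq 25
!
! Translate the source (outside) address of matching packets into the pool.
! add-route installs a host route per translation so the router can send
! the mail server's replies back to the real internet client.
ip nat outside source list SMTP-INBOUND pool SMTP-CLIENTS add-route
!
! Verify live translations and pool usage while testing:
! show ip nat translations
! show ip nat statistics
```

pfSense still needs the static route the asker mentioned, sending 10.110.254.0/24 back towards Melbourne, so that mail server replies to translated clients return over the VTI rather than the internet-facing interface. Each concurrent client consumes one pool address until its translation times out, so watch `show ip nat statistics` for pool exhaustion.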

Jan Bacher

You should have forward and inverse NAT configured on the pfsense so that they match.  If you can't, we can always NAT on the Cisco but I should think that you wouldn't have to.

Can you post the nat portion of the config in the pfsense xml file?
Michael (Asker)

@Jan Bacher I don't have any NAT configured other than the default outbound automatic NAT. I don't expect this traffic to be NATted at the pfSense box, unless you have a solution that may fix the issue using NAT. I have found that there is an issue with pfSense; see below. I am interested if you think NATting on pfSense will help me, as the fix below removes tunnel mode IPsec, which I have some of on this box.

I got this response on the Netgate forum:

"If you are running only VTI based IPsec tunnels you may want to take a look at the patch provided in this Redmine Issue. It will disable the ability to run tunnel mode based VPNs but enables the reply-to ability on the VTI interfaces. That is what you would need to make this setup work without source NAT on the upstream router. I haven't tested the patch myself yet and cannot tell you if it works as intended. Use it at your own risk."