Simultaneous NAT overload (internet) and NAT overlapping for IPsec

Discussion in 'Cisco' started by jayteezer, May 20, 2010.

  1. jayteezer

    jayteezer Guest

    Hi all,

    Have been bashing my head against this for the last couple of days and
    was wondering if anyone might be able to take a look at the config and
    point where I might be approaching this wrong...

    My current lab is configured as:

    Two sites (SITE1/SITE2) connected via a third router (ISP) -
    There is a pure IPsec tunnel between SITE1 and SITE2. Both SITE1 and
    SITE2 have overlapping IP addresses (SITE1 uses 10.1.1.0/24 and SITE2
    uses 10.0.0.0/16 and 192.168.80.0/24 - however, we're only presented
    with access to 10.81.0.0/18 via the IPsec VPN)

    Okay... Overlapping NATs - I need to remap what each end sees as its
    destination - SITE2 sees SITE1 as 192.168.40.0/24 (rather than
    10.1.1.0/24) and SITE1 sees SITE2 without translation (as we'll never
    be talking to their 10.0.0.0/16 anyway, only 10.81.0.0/18 which
    doesn't match our internal 10.1.1.0/24 subnet)

    SITE1 also has an internet connection via ISP1 which is used to
    simulate access to the internet via a NAT overload statement
    (multiple machines in SITE1 need to access the internet via a single
    internet IP).

    SITE1's internal IP is 10.1.1.1/24
    SITE1's external IP is 203.1.1.2/24

    ISP1's link to SITE1 is on 203.1.1.1/24
    ISP1's link to SITE2 is on 203.2.2.1/24

    SITE2's internal IP's are 10.81.0.1/18 and 192.168.80.1/24.
    SITE2's external IP is 203.2.2.2/24

    IPsec traffic between workstations located within SITE1 to
    workstations within SITE2 is fine (on either 192.168.80.0/24 or
    10.81.0.0/18 subnets) however, I'm unable to access the internet via
    the NAT overload from SITE1.

    Your assistance is much appreciated - I'm sure it can be done and
    I'm positive I'm well on the way to making it happen, but for the life
    of me, I just can't make that last 'step' to actually having it work.

    Results of "debug ip nat detailed" on SITE1 when attempting to ping
    from SITE1PC (10.1.1.10)

    Code:

    SITE1#
    *Mar 1 02:12:05.459: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [30]
    *Mar 1 02:12:05.463: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [30]
    *Mar 1 02:12:05.467: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [30]
    *Mar 1 02:12:05.603: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [30]
    *Mar 1 02:12:05.607: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [30]
    *Mar 1 02:12:05.663: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [31]
    *Mar 1 02:12:05.663: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [31]
    *Mar 1 02:12:05.675: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [31]
    *Mar 1 02:12:05.679: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [31]
    *Mar 1 02:12:05.691: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [32]
    *Mar 1 02:12:05.691: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [32]
    *Mar 1 02:12:05.707: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [32]
    *Mar 1 02:12:05.711: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [32]
    *Mar 1 02:12:05.723: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [33]
    *Mar 1 02:12:05.723: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [33]
    *Mar 1 02:12:05.731: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [33]
    *Mar 1 02:12:05.735: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [33]
    *Mar 1 02:12:05.751: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [34]
    *Mar 1 02:12:05.751: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [34]
    *Mar 1 02:12:05.791: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [34]
    *Mar 1 02:12:05.795: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [34]

    As we can see, 10.1.1.10 is being translated to 192.168.40.10 and then
    passed via IPsec to 10.81.0.10 (SITE2PC) and the same occurs coming
    back.

    However, when attempting to ping 'an internet site' (eg, SITE2's
    interface on ISP1) it's "also" translating the addresses across to
    192.168.40.10...

    Code:

    *Mar 1 02:12:19.095: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [35]
    *Mar 1 02:12:19.099: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [35]
    *Mar 1 02:12:19.099: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [35]
    *Mar 1 02:12:21.091: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [36]
    *Mar 1 02:12:21.091: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [36]
    *Mar 1 02:12:23.071: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [37]
    *Mar 1 02:12:23.071: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [37]
    *Mar 1 02:12:25.055: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [38]
    *Mar 1 02:12:25.055: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [38]
    *Mar 1 02:12:27.071: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [39]
    *Mar 1 02:12:27.071: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [39]

    I'm guessing this is definitely the issue - eg, it appears to be
    attempting to translate ALL traffic from 10.1.1.x to 192.168.40.x
    (where x is 10 for this test) although it should ONLY be translating
    10.1.1.x to 192.168.40.x for traffic destined to 192.168.80.0/24 or
    10.81.0.0/18....

    Needless to say, updating the INTERNAL-OVERLOAD-TO-INTERNET ACL to
    allow for 192.168.40.0 doesn't work (and I don't believe it should
    double NAT (NAT to 192.168.40.10 and then NAT overload as 203.1.1.2))

    Something to do with the route maps maybe?

    Anyone know the differences between using "ip policy route-map" on the
    internal interface versus "ip nat inside source route-map...." at NAT
    level?

    Obviously, pinging the external interface of SITE1 from SITE1PC (eg,
    203.1.1.2 from 10.1.1.10) works fine - however, I can't ping the ISP
    side of the ISP-SITE1 link (203.1.1.1)


    --[SITE1 ROUTER CONFIG]--

    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname SITE1
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200
    !
    no aaa new-model
    memory-size iomem 5
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    !
    !
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    crypto isakmp key cisco123 address 203.2.2.2
    !
    !
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    mode transport
    !
    crypto map mymap 10 ipsec-isakmp
    set peer 203.2.2.2
    set transform-set myset
    match address MYMAP-PERMIT-SITE2-COMM2
    !
    !
    !
    !
    interface Loopback0
    ip address 1.1.1.1 255.255.255.255
    !
    interface FastEthernet0/0
    description External Interface - SITE1
    ip address 203.1.1.2 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    speed 100
    full-duplex
    crypto map mymap
    !
    interface FastEthernet0/1
    description Internal Interface - SITE1
    ip address 10.1.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip policy route-map RMAP1
    speed 100
    full-duplex
    !
    ip route 0.0.0.0 0.0.0.0 203.1.1.1
    !
    !
    ip http server
    no ip http secure-server
    ip nat pool NATPOOL-FOR-SITE2COMM 192.168.40.1 192.168.40.254 prefix-length 24 type match-host
    ip nat pool NATPOOL-FOR-INTERNET 203.1.1.2 203.1.1.2 prefix-length 30
    ip nat inside source list INTERNAL-NAT-FOR-SITE2COMM pool NATPOOL-FOR-SITE2COMM
    ip nat inside source list INTERNAL-OVERLOAD-TO-INTERNET pool NATPOOL-FOR-INTERNET overload
    !
    ip access-list extended INTERNAL-NAT-FOR-SITE2COMM
    permit ip 10.1.1.0 0.0.0.255 192.168.80.0 0.0.0.255
    permit ip 10.1.1.0 0.0.0.255 10.81.0.0 0.0.63.255
    deny ip any any log
    ip access-list extended INTERNAL-OVERLOAD-TO-INTERNET
    deny ip 10.1.1.0 0.0.0.255 192.168.80.0 0.0.0.255
    deny ip 10.1.1.0 0.0.0.255 10.81.0.0 0.0.63.255
    permit ip 10.1.1.0 0.0.0.255 any log
    ip access-list extended MYMAP-PERMIT-SITE2-COMM2
    permit ip 10.1.1.0 0.0.0.255 192.168.80.0 0.0.0.255
    permit ip 10.1.1.0 0.0.0.255 10.81.0.0 0.0.63.255
    deny ip any any log
    ip access-list extended RMAP1-PERMIT-SITE2-COMM
    permit ip 10.1.1.0 0.0.0.255 192.168.80.0 0.0.0.255
    permit ip 10.1.1.0 0.0.0.255 10.81.0.0 0.0.63.255
    deny ip any any
    !
    access-list 1 permit any
    !
    !
    route-map RMAP1 permit 10
    match ip address RMAP1-PERMIT-SITE2-COMM
    set ip next-hop 1.1.1.2
    !
    !
    !
    !
    control-plane
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    login
    !
    !
    end
     
    jayteezer, May 20, 2010
    #1
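A toy model of the NAT lookup order, added here as an illustration (it is not code from the thread or from any Cisco tool). It assumes, as IOS documents its inside-source NAT, that the translation table is consulted before the NAT ACLs, that a list-based non-overload rule installs a "simple" entry keyed on the inside local address only, and that a route-map based rule installs an "extended" entry that also carries the destination. The packet sequence and addresses are the ones in the debug output above; the two modes are run side by side to show why the second ping inherits the 192.168.40.10 translation in the list-based case.

```python
import ipaddress

def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

# Destinations reached over the IPsec tunnel (from INTERNAL-NAT-FOR-SITE2COMM).
SITE2 = ["192.168.80.0/24", "10.81.0.0/18"]

# Rule order mirrors the SITE1 config: site2 pool first, then internet overload.
RULES = [
    ("site2", lambda s, d: in_net(s, "10.1.1.0/24") and any(in_net(d, n) for n in SITE2)),
    ("inet",  lambda s, d: in_net(s, "10.1.1.0/24") and not any(in_net(d, n) for n in SITE2)),
]

def inside_global(rule, src):
    # match-host pool keeps the host part; overload maps to the external address.
    return "192.168.40." + src.rsplit(".", 1)[1] if rule == "site2" else "203.1.1.2"

def translate(src, dst, table, extended):
    """Return (inside global address, what decided it) for one inside->outside packet.
    extended=False models 'ip nat inside source list' (key = local address only);
    extended=True models 'ip nat inside source route-map' (key = local + destination)."""
    key = (src, dst) if extended else src
    if key in table:                      # existing entry wins before any ACL is checked
        return table[key], "table"
    for name, match in RULES:
        if match(src, dst):
            table[key] = inside_global(name, src)
            return table[key], name
    return src, "none"                    # no rule matched: packet leaves untranslated

def run(extended):
    table = {}
    pkts = [("10.1.1.10", "10.81.0.10"),  # ping to SITE2PC over the tunnel
            ("10.1.1.10", "203.2.2.1")]   # ping to the 'internet' right afterwards
    return [translate(s, d, table, extended) for s, d in pkts]

if __name__ == "__main__":
    print("list-based :", run(extended=False))
    print("route-map  :", run(extended=True))
```

With simple entries the second packet never reaches the overload rule; with extended entries the (10.1.1.10, 203.2.2.1) pair has no entry yet, so the overload rule fires and 203.1.1.2 is used.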

  2. bod43

    bod43 Guest

    Re: Simultaneous NAT overload (internet) and NAT overlapping for IPsec

    On 20 May, 14:50, jayteezer <> wrote:
    > Hi all,
    >
    > Have been bashing my head against this for the last couple of days and
    > was wondering if anyone might be able to take a look at the config and
    > point where I might be approaching this wrong...


    Your route map has a typo.

    route-map RMAP1 permit 10
    match ip address RMAP1-PERMIT-SITE2-COMM
    set ip next-hop 1.1.1.2 <-------

    1.1.1.1 would be better as far as I can see.

    But you are not actually using it since the job is being done
    by the NAT route maps anyway. See below.


    A couple of other things I noticed first in any case.

    The use of the loopback as a NAT avoider trick is no longer
    necessary (for any purposes I am aware of anyway) and
    getting rid of it simplifies the config. You
    just deny the relevant addresses in the NAT ACL/Route map.

    It is very unusual to use a NAT pool for internet overload?

    ip nat inside source route-map RM.nat interface Dialer0 overload

    Is enough. Again slightly simplifies the config.

    ####

    I cannot see anything wrong. Get rid of the loopback
    and its route map and the PBR.
    It's not doing anything anyway due to the typo.

    I would replace the overload nat statement with something like

    ip nat inside source list INTERNAL-OVERLOAD-TO-INTERNET
    203.1.1.1 overload

    yours should be OK I guess but I have never been there:)

    May be some horrendous bug. What is your exact ver.
    Please post the output of sh ver.
     
    bod43, May 23, 2010
    #2