VPN & Nat woes

Discussion in 'Cisco' started by Mikhael47, Sep 2, 2004.

  1. Mikhael47

    Mikhael47 Guest

    I have a head office with a 2621 router. It's got crypto set up on it so
    that our branch office with a 1710 can connect into it.

    Our branch office is connected via an ISP to the net. They provided a block
    of static IPs to use.

    I use NAT at the branch office. I use a route-map to get around the NAT
    when they connect to our VPN.

    This becomes a problem when the users try to make connections out to client
    IPsec VPNs. They can't make the connection unless I make a static NAT
    translation for them. When I make the translation, the static NAT takes
    precedence over the route-map to get to our VPN and they can no longer
    connect.

    Here are the relevant parts of my branch office config:

    ip nat pool scottsdale xxx.xxx.xxx.171 xxx.xxx.xxx.174 netmask 255.255.255.248
    ip nat inside source route-map nonat interface Ethernet0 overload

    If I replace the NAT source with the pool, the users can't get to the client
    VPNs. If I leave it as is, and put static NATs in for each machine, they
    can't get to our VPN.

    Has anyone ever encountered this situation before?

    Mike
    Mikhael47, Sep 2, 2004
    #1

  2. PES

    PES Guest

    Two issues here. First, it would be nice if the configuration for the VPN
    clients were such that a static was not required. I think later revs of IOS
    support this transparently through NAT.

    Second, a static will always take precedence over the dynamically created
    NAT entries. Here is how to fix it.


    To fix this, you have to trick the router into handing the packet to an
    interface that does not have an ip nat (inside or outside) statement. This
    is described in the following url: http://tinyurl.com/3fzlu

    Basically, you do the following.

    Create a loopback interface without the ip nat statement

    interface loopback 0
    ip address 1.1.1.1 255.255.255.0

    Create an access list to match the traffic that is being inadvertently
    NATed

    access-list 199 permit ip host x.x.x.x y.y.y.0 0.0.0.255

    The host (x.x.x.x) is the private IP of the statically NATted pair,
    because NAT has not happened yet. y.y.y is your network, and
    I assumed class C.

    Create a route-map to match the traffic and set the next hop out the
    loopback interface.

    route-map lanint permit 10
    match ip address 199
    set ip next-hop 1.1.1.2
    PES, Sep 3, 2004
    #2

  3. Mikhael47

    Mikhael47 Guest

    I see, set up the policy route-map on the internal interface. I hope this
    will work on 12.2(7b).

    This makes a lot of sense.. It will solve another problem for me too.

    Mike

    Mikhael47, Sep 3, 2004
    #3
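    The pieces PES described, assembled into one branch-office configuration with the policy route-map applied on the LAN interface as Mikhael47 worked out; this is an added example, not PES's or Mikhael47's own config. Every address, the interface names, ACL 100, the nonat route-map body and the crypto map name are assumptions; the loopback uses 192.0.2.0/30 rather than 1.1.1.0/24 because 1.1.1.0/24 is publicly routed today and a connected route for it on the loopback would black-hole that traffic.

```cisco
! Added example (not from the thread). Assumed placeholders: branch LAN
! 192.168.10.0/24, head-office LAN 10.0.0.0/24, statically NATed host
! 192.168.10.50, public address 203.0.113.171, ACL 100, crypto map HEADOFFICE.
!
! Loopback with NO "ip nat inside" or "ip nat outside": a packet handed to
! this interface is never translated.
interface Loopback0
 ip address 192.0.2.1 255.255.255.252
!
! Existing static NAT for the host that needs to reach client IPsec VPNs.
! On its own it also translates that host's traffic to head office, which is
! what breaks the site-to-site VPN.
ip nat inside source static 192.168.10.50 203.0.113.171
!
! Existing dynamic PAT via the nonat route-map. ACL 100 keeps branch-to-head-
! office traffic out of NAT (the thread shows only the "ip nat inside source"
! line; the ACL and route-map body are assumed).
access-list 100 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 100
ip nat inside source route-map nonat interface Ethernet0 overload
!
! ACL 199 matches ONLY the statically NATed host's traffic to head office.
! Keep it this narrow so that host's ordinary Internet traffic still uses
! the static translation.
access-list 199 permit ip host 192.168.10.50 10.0.0.0 0.0.0.255
route-map lanint permit 10
 match ip address 199
 set ip next-hop 192.0.2.2
!
! Policy routing runs before inside-to-outside NAT, so a matched packet is
! sent toward 192.0.2.2, a connected address on Loopback0, bypasses the
! static, and is then routed out Ethernet0 with its private source intact,
! which is what the crypto map's interesting-traffic ACL expects.
interface FastEthernet0
 description branch LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip policy route-map lanint
!
interface Ethernet0
 description ISP uplink
 ip nat outside
 crypto map HEADOFFICE
```

    Verify with `show ip nat translations` (the host's head-office sessions should not appear) and `show route-map lanint` (its match counter should increment).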
  4. Mikhael47

    Mikhael47 Guest

    Question, why does the next hop have to be set to 1.1.1.2 ?

    Mike

    Mikhael47, Sep 3, 2004
    #4
  5. Mikhael47

    Mikhael47 Guest

    Never mind, I got it.. ehhe.. works flawlessly.

    Thanks all

    Mike
    Mikhael47, Sep 3, 2004
    #5