Cisco 877 NAT and site-site VPN

Hello,

Can you NAT a site-to-site VPN?

I have a Cisco 877 which I have been using for internet access. My internal network 10.10.10.0/24 is hidden behind the router's static external IP address using NAT.

Now I am trying to set up a VPN to another company. Their firewall is 199.99.99.99. Within their network I need to access computers in subnet 177.77.77.0/24.

I set up the VPN using Cisco Security Device Manager (SDM). This changed my NAT rule to use a route-map so that the NAT and VPN would not conflict. This means that my internal addresses are not hidden from the other end of the VPN; they see 10.10.10.x as the source address.

ip nat inside source list 1 interface Dialer0 overload

became

ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
route-map SDM_RMAP_1 permit 1
 match ip address 103
access-list 103 deny ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
access-list 103 permit ip 10.10.10.0 0.0.0.255 any

However the other company cannot route my 10.10.10.x address within their internal networks because it conflicts with addresses they are using.

I tried deleting

access-list 103 deny ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255

in the hope that this would cause it to NAT my traffic inside the VPN, but it didn't seem to help.

Can I amend my configuration so that my internal addresses are translated to something they can use? Can I reinstate NAT for the VPN somehow so that the other end sees my traffic as having the IP address of the external interface of my router?

Partial config follows

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key zzzzzzzzzzz address 199.99.99.99
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 199.99.99.99
 set transform-set ESP-3DES-SHA
 match address 102
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxx
 crypto map SDM_CMAP_1
!
ip local pool vpn-pool 10.10.10.60 10.10.10.69
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.6 7627 interface Dialer0 3317
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=17
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.29.35.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit udp host 199.99.99.99 any eq non500-isakmp
access-list 101 permit udp host 199.99.99.99 any eq isakmp
access-list 101 permit esp host 199.99.99.99 any
access-list 101 permit ahp host 199.99.99.99 any
access-list 101 deny   ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 deny   ip 10.10.10.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
access-list 106 permit tcp any any eq 22
access-list 106 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
end

Reply to
Ian Wilson

Ian,

As I understand here, you are NATting all of your 10.10.10.0/24 network to the Dialer0 address.

If your IPSec tunnel source is this Dialer0 address, the NATted address used by your internal LAN should be different.

That is, you have to choose another NAT IP for your LAN.

Imagine what happens in the scenario you described. The IPSec tunnel peer addresses are: Dialer0 interface from your side and 199.99.99.99 in the other end. If your 10.10.10.0/24 is translated to the same address as Dialer0, the 199.99.99.99 would understand any of your LAN host as an IPSec peer. That's why it conflicts.

So you'll have to find an address that does not conflict with the other company and use it as your NAT address.

Regards, Adriano Prado

Reply to
Adriano Prado

Yes, Dialer0 is an ADSL interface; its IP address is a single static IP address allocated by my ISP.

Does that mean I need to have *two* public static IP addresses assigned to my ADSL interface?

Can the LAN have one NAT IP for traffic destined for the Internet and a different NAT IP for traffic to 177.77.77.0 (which is routed into the VPN tunnel)?

If so, could the second NAT IP be any arbitrary IP address that I and the other end agree on? (e.g. 192.168.99.99)

Is there some Cisco documentation that I should read or does anyone have an example configuration that illustrates this?

Reply to
Ian Wilson

Ian,

You don't need a second public IP. You can use the current public IP provided by your ISP to connect to internet and ask this company to provide a private address to you that does not conflict with theirs.

Here follows an example, but read more on the Cisco site.

access-list 103 deny ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
access-list 104 permit ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
access-list 104 deny ip any any
!
route-map SDM_RMAP_2 permit 1
 match ip address 104
!
!
ip nat pool PRIVATEPOOL 192.168.99.99 192.168.99.99 netmask 255.255.255.0
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_2 pool PRIVATEPOOL overload
!

This will NAT your LAN to the Dialer0 address to access the internet (ACL 103), and ACL 104 will translate access from 10.10.10.0/24 to 177.77.77.0/24 using the NATted address supplied in pool PRIVATEPOOL (192.168.99.99).

I think that it's what you're looking for...

And be aware that if you add these configs manually, SDM may not understand them and may mess them up.

Regards, Adriano

Reply to
Adriano Prado

OK.


Yes! Many thanks.

My method of using SDM is as follows:

1. Save config to nearby TFTP server as SDM-config.1
2. Use SDM to make some changes
3. Save config to nearby TFTP server as SDM-config.2
4. Use `diff` to find the differences
5. Hand edit my heavily commented Router-config file (which I keep under version control)
6. Use TFTP to load and test the revised config.

In this way I try to understand what SDM is doing, and avoid becoming dependent on SDM. To apply your suggestions I'll just skip the first four steps, carefully edit my Router-config, then upload and test it.

Many thanks.

Reply to
Ian Wilson


A short followup, in case future Googlers find this thread:

The above didn't work straight away. I reasoned that since the source address is now 192.168.99.99 instead of 10.10.10.x, I also had to add rules to the other access lists which determine what traffic gets encapsulated in the VPN.

e.g. to direct this traffic into the VPN tunnel:

access-list 102 permit ip 192.168.99.0 0.0.0.255 177.77.77.0 0.0.0.255

to exclude it from another round of NAT (for public Internet traffic):

access-list 103 deny ip 192.168.99.0 0.0.0.255 177.77.77.0 0.0.0.255

to allow return traffic back in (list 101 sees inside the VPN tunnel?):

access-list 101 permit ip 177.77.77.0 0.0.0.255 192.168.99.0 0.0.0.255

It's working now and I can't see a security loophole, so I'm leaving the configuration as it is. However I'm not sure if all these are necessary. Someone may like to comment.

Reply to
Ian Wilson
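The following is an added example, not code from any of the posts above. It models the outbound (inside-to-outside) packet path of the 877 in a few lines of Python so that Adriano's two-route-map NAT configuration and Ian's follow-up ACL 102 line can be checked together: IOS wildcard-mask ACL matching, policy NAT chosen by route-map, and then, in Cisco's documented NAT order of operation, the crypto map ACL evaluated against the already translated packet. The Dialer0 address (203.0.113.10), the LAN host (10.10.10.5) and the Internet destination (198.51.100.7) are constructed placeholders; everything else is taken from the ACLs as posted. It covers the outbound direction only, so it says nothing about the inbound ACL 101 question.

```python
"""Outbound packet-path model for the 877's policy NAT + crypto map (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Addr = Tuple[str, str]  # (address, IOS wildcard mask)

DIALER0 = "203.0.113.10"       # assumed placeholder; the posts never show the real address
PRIVATEPOOL = "192.168.99.99"  # ip nat pool PRIVATEPOOL, from Adriano's post

ANY: Addr = ("0.0.0.0", "255.255.255.255")
LAN: Addr = ("10.10.10.0", "0.0.0.255")
REMOTE: Addr = ("177.77.77.0", "0.0.0.255")
NATTED: Addr = ("192.168.99.0", "0.0.0.255")


def _i(a: str) -> int:
    return int(ipaddress.IPv4Address(a))


def wc_match(pkt: str, addr: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    care = 0xFFFFFFFF ^ _i(wildcard)
    return (_i(pkt) & care) == (_i(addr) & care)


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: Addr
    dst: Addr


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for ace in acl:
        if wc_match(src, *ace.src) and wc_match(dst, *ace.dst):
            return ace.action == "permit"
    return False


# One entry per 'ip nat inside source route-map RMAP_n ... overload':
# (the ACL that RMAP_n matches on, the global address it translates to)
NatPolicy = List[Tuple[List[Ace], str]]


def forward(src: str, dst: str, nat: NatPolicy, crypto_acl: List[Ace]) -> Tuple[str, str]:
    """Inside-to-outside path in Cisco's documented NAT order of operation:
    routing, then NAT inside->outside, then the crypto map ACL is checked
    against the *translated* packet.
    Returns (source address as seen on the wire, 'encrypted' or 'clear')."""
    new_src = src
    for match_acl, global_addr in nat:
        if acl_permits(match_acl, src, dst):  # route-map permit -> translate
            new_src = global_addr
            break
    return new_src, ("encrypted" if acl_permits(crypto_acl, new_src, dst) else "clear")


# ACLs as posted. 103 and 104 are mutually exclusive, so their order in `nat` is irrelevant.
ACL_103_SDM = [Ace("deny", LAN, REMOTE), Ace("permit", LAN, ANY)]
ACL_103_NO_DENY = [Ace("permit", LAN, ANY)]                      # Ian's first experiment
ACL_104 = [Ace("permit", LAN, REMOTE), Ace("deny", ANY, ANY)]    # Adriano's post
ACL_102_SDM = [Ace("permit", LAN, REMOTE)]
ACL_102_FIXED = ACL_102_SDM + [Ace("permit", NATTED, REMOTE)]   # Ian's follow-up line

HOST, SERVER, INTERNET = "10.10.10.5", "177.77.77.77", "198.51.100.7"  # constructed
POOL_NAT: NatPolicy = [(ACL_103_SDM, DIALER0), (ACL_104, PRIVATEPOOL)]


def sdm_original():      # as SDM left it: remote end sees 10.10.10.x
    return forward(HOST, SERVER, [(ACL_103_SDM, DIALER0)], ACL_102_SDM)


def deny_removed():      # deleting the 103 deny: NAT to Dialer0, crypto ACL no longer matches
    return forward(HOST, SERVER, [(ACL_103_NO_DENY, DIALER0)], ACL_102_SDM)


def adriano_only():      # pool NAT added, ACL 102 unchanged: translated but not encrypted
    return forward(HOST, SERVER, POOL_NAT, ACL_102_SDM)


def adriano_plus_ian():  # pool NAT plus the ACL 102 line for 192.168.99.0/24
    return forward(HOST, SERVER, POOL_NAT, ACL_102_FIXED)


def internet_traffic():  # ordinary Internet access still overloads onto Dialer0
    return forward(HOST, INTERNET, POOL_NAT, ACL_102_FIXED)


if __name__ == "__main__":
    for name, fn in [("SDM original", sdm_original), ("103 deny removed", deny_removed),
                     ("pool NAT only", adriano_only), ("pool NAT + ACL 102", adriano_plus_ian),
                     ("Internet", internet_traffic)]:
        wire_src, disposition = fn()
        print(f"{name:20s} -> wire source {wire_src:15s} {disposition}")
```

Under this ordering the model reproduces the thread: the SDM configuration encrypts but leaks 10.10.10.x, the pool alone translates to 192.168.99.99 but the packet no longer matches ACL 102 and would be routed in the clear, and only Ian's extra ACL 102 entry gets the translated packet into the tunnel. It also shows why deleting the deny from ACL 103 could not have helped: the traffic is overloaded onto the Dialer0 address and then fails the crypto ACL for the same reason.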

I have a site-site VPN tunnel working such that I can telnet from any 10.10.10.x PC on my LAN to a 177.77.77.77 server on the remote LAN via a VPN tunnel. NAT is applied so that the far end sees my source address as 192.168.99.99.

If I log on to my router, either using the serial console port or by SSHing from the Internet, how can I adjust the access lists to allow me to telnet from the router to 177.77.77.77?

That is, I am at a router# command prompt in user mode and I want to type `telnet 177.77.77.77` and have my telnet session routed through the VPN tunnel with my source address set to 192.168.99.99 from NAT pool PRIVATEPOOL.

I assume I need to change my access list 104 so that I get allocated the address from the NAT pool PRIVATEPOOL? I can't work out what source address to use for this rule

access-list 104 permit ip ?????????? 177.77.77.0 0.0.0.255


Reply to
Ian Wilson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.