Simultaneous NAT overload (internet) and NAT overlapping for IPsec

Hi all,

I have been bashing my head against this for the last couple of days and was wondering if anyone might be able to take a look at the config and point out where I might be approaching this wrong...

My current lab is configured as:

Two sites (SITE1/SITE2) connected via a third router (ISP) - there is a pure IPsec tunnel between SITE1 and SITE2. Both SITE1 and SITE2 have overlapping IP addresses (SITE1 uses 10.1.1.0/24 and SITE2 uses 10.0.0.0/16 and 192.168.80.0/24 - however, we're only presented with access to 10.81.0.0/18 via the IPsec VPN).

Okay... Overlapping NATs - I need to remap what each end sees as its destination - SITE2 sees SITE1 as 192.168.40.0/24 (rather than 10.1.1.0/24) and SITE1 sees SITE2 without translation (as we'll never be talking to their 10.0.0.0/16 anyway, only 10.81.0.0/18, which doesn't match our internal 10.1.1.0/24 subnet).

SITE1 also has an internet connection via ISP1 which is used to simulate access to the internet via a NAT overload statement (multiple machines in SITE1 need to access the internet via a single internet IP).

SITE1's internal IP is 10.1.1.1/24. SITE1's external IP is 203.1.1.2/24.

ISP1's link to SITE1 is on 203.1.1.1/24. ISP1's link to SITE2 is on 203.2.2.1/24.

SITE2's internal IPs are 10.81.0.1/18 and 192.168.80.1/24. SITE2's external IP is 203.2.2.2/24.

IPsec traffic between workstations located within SITE1 to workstations within SITE2 is fine (on either the 192.168.80.0/24 or 10.81.0.0/18 subnets); however, I'm unable to access the internet via the NAT overload from SITE1.

Your assistance is much appreciated - I'm sure it can be done and I'm positive I'm well on the way to making it happen, but for the life of me, I just can't make that last 'step' to actually having it work.

Results of "debug ip nat detailed" on SITE1 when attempting to ping from SITE1PC (10.1.1.10):

Code:

SITE1#
*Mar 1 02:12:05.459: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [30]
*Mar 1 02:12:05.463: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [30]
*Mar 1 02:12:05.467: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [30]
*Mar 1 02:12:05.603: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [30]
*Mar 1 02:12:05.607: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [30]
*Mar 1 02:12:05.663: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [31]
*Mar 1 02:12:05.663: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [31]
*Mar 1 02:12:05.675: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [31]
*Mar 1 02:12:05.679: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [31]
*Mar 1 02:12:05.691: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [32]
*Mar 1 02:12:05.691: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [32]
*Mar 1 02:12:05.707: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [32]
*Mar 1 02:12:05.711: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [32]
*Mar 1 02:12:05.723: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [33]
*Mar 1 02:12:05.723: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [33]
*Mar 1 02:12:05.731: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [33]
*Mar 1 02:12:05.735: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [33]
*Mar 1 02:12:05.751: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [34]
*Mar 1 02:12:05.751: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [34]
*Mar 1 02:12:05.791: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [34]
*Mar 1 02:12:05.795: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [34]

As we can see, 10.1.1.10 is being translated to 192.168.40.10 and then passed via IPsec to 10.81.0.10 (SITE2PC) and the same occurs coming back.

However, when attempting to ping 'an internet site' (eg, SITE2's interface on ISP1) it's "also" translating the addresses across to 192.168.40.10...

Code:

*Mar 1 02:12:19.095: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [35]
*Mar 1 02:12:19.099: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [35]
*Mar 1 02:12:19.099: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [35]
*Mar 1 02:12:21.091: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [36]
*Mar 1 02:12:21.091: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [36]
*Mar 1 02:12:23.071: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [37]
*Mar 1 02:12:23.071: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [37]
*Mar 1 02:12:25.055: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [38]
*Mar 1 02:12:25.055: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [38]
*Mar 1 02:12:27.071: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [39]
*Mar 1 02:12:27.071: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [39]

I'm guessing this is definitely the issue - eg, it appears to be attempting to translate ALL traffic from 10.1.1.x to 192.168.40.x (where x is 10 for this test) although it should ONLY be translating 10.1.1.x to 192.168.40.x for traffic destined to 192.168.80.0/24 or 10.81.0.0/18....

Needless to say, updating the INTERNAL-OVERLOAD-TO-INTERNET ACL to allow for 192.168.40.0 doesn't work (and I don't believe it should double NAT (NAT to 192.168.40.10 and then NAT overload as 203.1.1.2)).

Something to do with the route maps maybe?

Anyone know the differences between using "ip policy route-map" on the internal interface versus "ip nat inside source route-map...." at NAT level?

Obviously, pinging the external interface of SITE1 from SITE1PC (eg, 203.1.1.2 from 10.1.1.10) works fine - however, I can't ping the ISP side of the ISP-SITE1 link (203.1.1.1).

--[SITE1 ROUTER CONFIG]--

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITE1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 203.2.2.2
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
 mode transport
!
crypto map mymap 10 ipsec-isakmp
 set peer 203.2.2.2
 set transform-set myset
 match address MYMAP-PERMIT-SITE2-COMM2
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 description External Interface - SITE1
 ip address 203.1.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map mymap
!
interface FastEthernet0/1
 description Internal Interface - SITE1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map RMAP1
 speed 100
 full-duplex
!
ip route 0.0.0.0 0.0.0.0 203.1.1.1
!
ip http server
no ip http secure-server
ip nat pool NATPOOL-FOR-SITE2COMM 192.168.40.1 192.168.40.254 prefix-length 24 type match-host
ip nat pool NATPOOL-FOR-INTERNET 203.1.1.2 203.1.1.2 prefix-length 30
ip nat inside source list INTERNAL-NAT-FOR-SITE2COMM pool NATPOOL-FOR-SITE2COMM
ip nat inside source list INTERNAL-OVERLOAD-TO-INTERNET pool NATPOOL-FOR-INTERNET overload
!
ip access-list extended INTERNAL-NAT-FOR-SITE2COMM
 permit ip 10.1.1.0 0.0.0.255 192.168.80.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 10.81.0.0 0.0.63.255
 deny ip any any log
ip access-list extended INTERNAL-OVERLOAD-TO-INTERNET
 deny ip 10.1.1.0 0.0.0.255 192.168.80.0 0.0.0.255
 deny ip 10.1.1.0 0.0.0.255 10.81.0.0 0.0.63.255
 permit ip 10.1.1.0 0.0.0.255 any log
ip access-list extended MYMAP-PERMIT-SITE2-COMM2
 permit ip 10.1.1.0 0.0.0.255 192.168.80.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 10.81.0.0 0.0.63.255
 deny ip any any log
ip access-list extended RMAP1-PERMIT-SITE2-COMM
 permit ip 10.1.1.0 0.0.0.255 192.168.80.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 10.81.0.0 0.0.63.255
 deny ip any any
!
access-list 1 permit any
!
route-map RMAP1 permit 10
 match ip address RMAP1-PERMIT-SITE2-COMM
 set ip next-hop 1.1.1.2
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
end

jayteezer
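The following checker is an added illustration, not part of jayteezer's post or any vendor tool: it parses the inside-to-outside translation lines of "debug ip nat detailed" quoted above and flags every packet whose inside-global address does not match what the two NAT ACLs intend (192.168.40.x only for SITE2 destinations, 203.1.1.2 for everything else). The subnet constants come from the lab description, the sample lines are copied from the post, and the assumed policy is exactly the one the poster describes.

```python
import ipaddress
import re

# Subnets taken from the lab description in the post.
SITE1_LAN = ipaddress.ip_network("10.1.1.0/24")
SITE2_VIA_VPN = (ipaddress.ip_network("192.168.80.0/24"),
                 ipaddress.ip_network("10.81.0.0/18"))
OVERLAP_POOL = ipaddress.ip_network("192.168.40.0/24")  # NATPOOL-FOR-SITE2COMM (match-host)
INTERNET_GLOBAL = "203.1.1.2"                            # NATPOOL-FOR-INTERNET (overload)

# Inside->outside translation lines of "debug ip nat detailed", e.g.
#   NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [35]
# Return-direction lines (s=..., d=X->Y) deliberately do not match.
XLATE_RE = re.compile(r"NAT\*: s=([\d.]+)->([\d.]+), d=([\d.]+) \[(\d+)\]")


def expected_global(src, dst):
    """Inside-global address the two NAT ACLs intend for a src->dst packet (None if src is not SITE1 LAN)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in SITE1_LAN:
        return None
    if any(dst_ip in net for net in SITE2_VIA_VPN):
        # match-host pool keeps the host part: 10.1.1.10 -> 192.168.40.10
        return str(OVERLAP_POOL[int(src_ip) - int(SITE1_LAN.network_address)])
    return INTERNET_GLOBAL  # everything else should be overloaded on the WAN address


def check_debug(lines):
    """Return (packet id, src, actual global, dst, expected global) for each mistranslated packet."""
    findings = []
    for line in lines:
        m = XLATE_RE.search(line)
        if not m:
            continue
        src, actual, dst, pkt_id = m.group(1), m.group(2), m.group(3), int(m.group(4))
        want = expected_global(src, dst)
        if want is not None and actual != want:
            findings.append((pkt_id, src, actual, dst, want))
    return findings


# Sample lines copied from the debug output in the post (constructed subset).
SAMPLE = [
    "*Mar 1 02:12:05.467: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [30]",
    "*Mar 1 02:12:05.607: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [30]",
    "*Mar 1 02:12:19.099: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [35]",
    "*Mar 1 02:12:21.091: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [36]",
]

if __name__ == "__main__":
    for pkt_id, src, actual, dst, want in check_debug(SAMPLE):
        print(f"[{pkt_id}] {src}->{dst} translated to {actual}, policy expects {want}")
```

Run against a full debug capture, it reports only the internet-bound packets (ids 35 and 36 in the sample) that were wrongly mapped into the 192.168.40.0/24 overlap pool, while the VPN-bound packet 30 passes.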

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.