Monday, April 4, 2011

IOS NAT and VPN

Building NAT (PAT or Static) on a Cisco router is fairly well documented and works well. However, I got tripped up again with an implementation today where the PAT would work but then the VPN tunnel would go down!

Case Study

My client has a site to site VPN tunnel to Cust2 with 6 remote networks. All local networks (192.168.0.0/21) communicate to the remote nets with their private IPs. In addition, the local networks get PAT'd to 39.100.3.68 when routed over to the Internet. There is one static NAT that only gets translated to  39.100.3.67 when communicating with 206.96.88.115 out on the Internet. In all other cases it will remain as it's real IP of 192.168.0.76.

Here is the configuration that I built. The VPN tunnel and static NAT rule using a route map to achieve our goal worked. However, as soon as I applied the PAT pool and overload translation, the tunnel went down.

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
crypto isakmp key *** address 209.100.166.20
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map vpnmap 10 ipsec-isakmp
 set peer 209.100.166.20
 set transform-set 3DES-SHA
 match address cust2-vpn

interface GigabitEthernet0/0
 description to Inside
 ip address 192.168.0.8 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Internet
 ip address 39.105.128.242 255.255.255.252
 ip nat outside
 crypto map vpnmap
!
ip nat pool natpool 39.100.3.68 39.100.3.68 netmask 255.255.255.0
ip nat inside source list ins_nat_source pool natpool overload
ip nat inside source static 192.168.0.76 39.100.3.67 route-map nat-exempt extendable
!
ip access-list extended cust2-vpn
 permit ip 192.168.0.0 0.0.7.255 192.168.16.0 0.0.0.255
 permit ip 192.168.0.0 0.0.7.255 70.185.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.7.255 200.106.176.0 0.0.7.255
 permit ip 192.168.0.0 0.0.7.255 200.106.184.0 0.0.1.255
 permit ip 192.168.0.0 0.0.7.255 206.184.246.0 0.0.0.255
 permit ip 192.168.0.0 0.0.7.255 208.134.161.0 0.0.0.255

ip access-list extended ins_nat_source
 deny   ip any 192.168.16.0 0.0.0.255
 deny   ip any 70.185.0.0 0.0.255.255
 deny   ip any 200.106.176.0 0.0.7.255
 deny   ip any 200.106.184.0 0.0.1.255
 deny   ip any 206.184.246.0 0.0.0.255
 deny   ip any 208.134.161.0 0.0.0.255
 permit ip any any

access-list 110 permit ip host 192.168.0.76 host 206.96.88.115
access-list 110 deny   ip host 192.168.0.76 any
!
!
!
route-map nat-exempt permit 1
 match ip address 110
!

The fix is to also include the Internet facing interface into the NAT exempt access rules (ins_nat_source). Even though that interface is on the 'outside', it will get subjected to translation because of the 'permit any any' rule. Here's the fixed access rule:

ip access-list extended ins_nat_source
 deny   ip any 192.168.16.0 0.0.0.255
 deny   ip any 70.185.0.0 0.0.255.255
 deny   ip any 200.106.176.0 0.0.7.255
 deny   ip any 200.106.184.0 0.0.1.255
 deny   ip any 206.184.246.0 0.0.0.255
 deny   ip any 208.134.161.0 0.0.0.255
 deny   ip host 39.105.128.242 any
 permit ip any any




1 comment:

  1. I like your blog post. Keep on writing this type of great stuff. I'll make sure to follow up on your blog in the future.
    NAT/PAT|
    ISDN Configuration

    ReplyDelete