VPN's and Nating

**ps3cheats** · 25-Mar-2007, 11:27 PM

Question: If I have setup to nat a device from an internal ip address to an external ip address and this device is part of a VPN (site-to-site), and I setup another separate VPN from this same internal device to a remote device (site-to-site), but with this VPN I don't want to nat the device as in the previous VPN, will I have problems getting trafic to flow across the tunnel in the secon VPN? The device hosting the VPN and performing the nating is a new Cisco 3825 router. I have a situation in my job similar to this I am trying to figure out.

**ps3cheats** · 25-Mar-2007, 11:27 PM

No problems at all.
You have a nat rule for local IP to "any" - or general Internet
You have a different nat rule for local IP to the remote LAN through the VPN tunnel. This is simply defined with an access-list and nat rule.
You many even have a different nat rule that will nat you to another IP, but only if going through VPN1...

Example.
Your IP address = 192.168.222.222
Remote LAN over S-2-S VPN1 = 192.168.199.0/24
External IP natted to for VPN1 = 12.34.56.7
Remote LAN over S-2-S VPN2 = 172.16.16.0/24

You would have a series of access-lists:

access-list 104 permit ip host 12.34.56.7 192.168.199.0 0.0.0.255

access-list 105 permit ip host 192.168.222.222 192.168.199.0

access-list 106 deny ip host 192.168.222.222 172.16.16.0 0.0.0.255
access-list 106 permit ip host 192.168.222.222 any

access-list 107 permit ip host 192.168.222.222 192.168.199.0 0.0.0.255

ip nat inside source route-map nat_rulz1 interface Serial0/0/0 overload
ip nat inside source route-map nat_rulz2 12.34.56.7
route-map nat_rulz1 permit 10
match ip address 105
route-map nat_rulz2 permit 10
match ip address 106

IPSEC policy for VPN#1 matches access-list 104, after the nat process identifies the interesting traffic and nat's it to the public IP (using acl 105, applied by route-map to nat_rulz2)

IPSEC policy for S-2-S VPN#2 matches access-list 107 to define traffic to be encrypted, which uses the 'real' private IP without NAT
Acl 106 exempts (deny) matching traffic from the "normal" nat process, but only if going to the other LAN past the VPN tunnel.

You can see that it is not exactly simple, but certainly can be done.

25-Mar-2007, 11:27 PM	#1 (permalink)
ps3cheats Fixed Error! Posts: 1,497 Join Date: Mar 2007 Rep Power: 3 IM:	VPN's and Nating Question: If I have setup to nat a device from an internal ip address to an external ip address and this device is part of a VPN (site-to-site), and I setup another separate VPN from this same internal device to a remote device (site-to-site), but with this VPN I don't want to nat the device as in the previous VPN, will I have problems getting trafic to flow across the tunnel in the secon VPN? The device hosting the VPN and performing the nating is a new Cisco 3825 router. I have a situation in my job similar to this I am trying to figure out.

25-Mar-2007, 11:27 PM	#2 (permalink)
ps3cheats Fixed Error! Posts: 1,497 Join Date: Mar 2007 Rep Power: 3 IM:	Re: VPN's and Nating No problems at all. You have a nat rule for local IP to "any" - or general Internet You have a different nat rule for local IP to the remote LAN through the VPN tunnel. This is simply defined with an access-list and nat rule. You many even have a different nat rule that will nat you to another IP, but only if going through VPN1... Example. Your IP address = 192.168.222.222 Remote LAN over S-2-S VPN1 = 192.168.199.0/24 External IP natted to for VPN1 = 12.34.56.7 Remote LAN over S-2-S VPN2 = 172.16.16.0/24 You would have a series of access-lists: access-list 104 permit ip host 12.34.56.7 192.168.199.0 0.0.0.255 access-list 105 permit ip host 192.168.222.222 192.168.199.0 access-list 106 deny ip host 192.168.222.222 172.16.16.0 0.0.0.255 access-list 106 permit ip host 192.168.222.222 any access-list 107 permit ip host 192.168.222.222 192.168.199.0 0.0.0.255 ip nat inside source route-map nat_rulz1 interface Serial0/0/0 overload ip nat inside source route-map nat_rulz2 12.34.56.7 route-map nat_rulz1 permit 10 match ip address 105 route-map nat_rulz2 permit 10 match ip address 106 IPSEC policy for VPN#1 matches access-list 104, after the nat process identifies the interesting traffic and nat's it to the public IP (using acl 105, applied by route-map to nat_rulz2) IPSEC policy for S-2-S VPN#2 matches access-list 107 to define traffic to be encrypted, which uses the 'real' private IP without NAT Acl 106 exempts (deny) matching traffic from the "normal" nat process, but only if going to the other LAN past the VPN tunnel. You can see that it is not exactly simple, but certainly can be done.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)