Cisco NAT overlap and VPN

Soldato (joined 17 Oct 2002, 3,941 posts, West Midlands)
Greetings, I'm looking at an appropriate method of setting up VPN tunnels between customer sites and our head office for the purpose of SNMP management.

Now the only potential issue I can see is that some clients may well be using the same private address ranges (RFC 1918) as other customer sites, as well as the head office subnet, making routing a potential hazard.

Now I've drawn a sample diagram below using theoretical IP addresses; each site uses PAT on its outside global address to allow the inside network users outbound internet access.

Is it possible to then set up site-to-site VPN connections to each site but apply NAT to the endpoint on the customer side to mask the real inside global subnet so that it doesn't conflict with other customer sites or the head office?

[Image: natoverlap.jpg]

Any suggestions on how to go about this would be appreciated, my head hurts!
 
Hi Curiosityx,

In short, yep it's possible - I did it for a third party that connects into our company.

We had a situation where their 'private' network overlapped with one being used by another VPN, so we had to:
a. make sure they could still access the Web
b. build the VPN to us
c. nat to us prior to the vpn

I think I did it with route-maps but I can't be sure - give me a few mins and I'll look up the configs...

Kev
 
OK - from your other thread I've nabbed the config from router B, and while the internal network is going to remain as 192.168.4.0/24, when it goes over the VPN it'll be NATed to 192.168.2.0/24

Code:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname wg_ro_b
!
boot-start-marker
boot-end-marker
!
!
username icadmin privilege 15 secret 5 $1$xG62$ks5JzJ0cUdd4pk5zyh4jV0
no aaa new-model
ip subnet-zero
!
!
no ip domain lookup
ip dhcp excluded-address 192.168.4.1 192.168.4.10
!
ip dhcp pool Data
   network 192.168.4.0 255.255.255.0
   default-router 192.168.4.1 
   dns-server 192.168.4.1 
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string 
!
! 
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key siviter address 2.2.2.2
!
!
crypto ipsec transform-set wgset esp-3des 
!
crypto map wgmap 2 ipsec-isakmp 
 description ****** Link to wg_ro_a ******
 set peer 2.2.2.2
 set security-association lifetime seconds 86400
 set transform-set wgset 
 set pfs group2
 match address 102
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination 
!
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 full-duplex
!
interface Serial0/0
 bandwidth 2048
 ip address 3.3.3.2 255.255.255.252
 ip nat outside
 clockrate 128000
 no fair-queue
 crypto map wgmap
!
router eigrp 99
 network 3.3.3.0 0.0.0.3
 no auto-summary
!
ip nat pool testpool 192.168.2.1 192.168.2.254 netmask 255.255.255.0
ip nat inside source route-map vpnnat pool testpool
ip nat inside source route-map nonat interface Serial0/0 overload
ip http server
no ip http secure-server
ip classless
!
!
access-list 100 remark ****** Link to wg_ro_a ******
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 remark ****** NAT ACL  ******
access-list 101 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 remark ***vpn nat***
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 101
route-map vpnnat permit 10
 match ip address 100
!
!
!
!
!
!
line con 0
 logging synchronous
 login local
line aux 0
 login local
line vty 0 4
 login local
!
!
!
end

I'll break down the changes in a tick

Kev

/edit

OK, the first thing to know is that by default you NAT, then VPN.

What I've changed:
ip nat pool testpool 192.168.2.1 192.168.2.254 netmask 255.255.255.0
***Sets up the NAT***

access-list 102 remark ***vpn nat***
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
***Sets up a replacement ACL for the crypto map using the NATed addresses - note your existing 'cryptomap' ACL (100) is still used***

route-map vpnnat permit 10
 match ip address 100
***Sets up a route map to match the ACL for traffic you want to NAT***

ip nat inside source route-map vpnnat pool testpool
***NAT internal Traffic***

crypto map wgmap 2 ipsec-isakmp:
match address 102
***Matches the internal NATed traffic to allow it down the VPN***

I think that's it...

Kev
 
I can imagine. I think for the most part I'm going to hold a gun to the customer's head and get them to change their private address range, or put the management station in either a DMZ or a separate VLAN.
 
Just one more quick question: on the other end of the tunnel, would I have to modify the ACL permitting traffic to be encrypted to allow the 192.168.2.0/24 network, or would the source address still appear to come from the 192.168.4.0/24 network?

For example, take the current Router "B", which is translating the address between 4.0/24 and 2.0/24.

On Router "A", would I then have to modify the existing ACL, being

(RouterA) access-list 100 remark ****** Link to wg_ro_b ******
(RouterA) access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

to

(RouterA) access-list 100 remark ****** Link to wg_ro_b ******
(RouterA) access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
(RouterA) access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255

Regards
 
Ah, yeah - forgot to mention that!

The ACL on the crypto map at the other end needs to be a mirror of the new NATed addresses, so on Router A:
access-list 100 remark ****** Link to wg_ro_b ******
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

The routing would also need to change on the 'A' side of the network because you're not sending to the 192.168.4.0/24 network, so from Router A's perspective it doesn't exist and 192.168.2.0/24 would have to be routed instead.

Kev
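An added example, written for this page in Python and not part of Kev's or the OP's configs: it takes several customer sites whose RFC 1918 ranges collide with head office or with each other (the situation in the first post), picks a translated range per site, emits the NAT-before-IPsec fragment in the same shape as the wg_ro_b config above (pool, ACLs 100/101/102, route-maps, crypto map), emits the mirrored crypto ACL and static route for Router A from the last reply, and checks that two crypto ACL entries really are mirrors of each other (the question the OP got wrong in the draft ACL). The site names, the 172.16.0.0/16 translation supernet and the peer addresses are constructed for illustration.

```python
"""
Added example (not the thread's own config): plan and render NAT-before-IPsec
for overlapping customer subnets, plus a crypto-ACL mirror check.
"""
import ipaddress
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed sample: two customers both chose 192.168.4.0/24.
HEAD_OFFICE = "192.168.3.0/24"            # wg_ro_a's LAN, as in the thread
CUSTOMERS = {"wg_ro_b": "192.168.4.0/24",
             "site_c": "192.168.4.0/24",
             "site_d": "10.10.0.0/24"}
SUPERNET = "172.16.0.0/16"                # assumed to be unused by every site


def plan_translations(customers: Dict[str, str], head_office: str,
                      supernet: str, always_translate: bool = False) -> Dict[str, IPv4Net]:
    """Return {site: network to present over the VPN}.

    A site keeps its real subnet unless it overlaps head office or a range
    already accepted for another site (or always_translate is set); otherwise
    a same-sized block is carved from `supernet`, so a 1:1 pool fits.
    """
    ho, pool = IPv4Net(head_office), IPv4Net(supernet)
    in_use: List[IPv4Net] = [ho]
    result: Dict[str, IPv4Net] = {}
    for site, cidr in customers.items():
        real = IPv4Net(cidr)
        if not always_translate and not any(real.overlaps(u) for u in in_use):
            result[site] = real           # no conflict: carry the real subnet over the VPN
            in_use.append(real)
            continue
        if real.prefixlen < pool.prefixlen:
            raise ValueError(f"{site}: {real} is larger than the translation supernet")
        for cand in pool.subnets(new_prefix=real.prefixlen):
            if not any(cand.overlaps(u) for u in in_use):
                result[site] = cand
                in_use.append(cand)
                break
        else:
            raise ValueError(f"{site}: translation supernet {pool} exhausted")
    return result


def acl_line(num: int, action: str, src: IPv4Net, dst: IPv4Net) -> str:
    """One extended ACL entry in IOS wildcard-mask notation."""
    return (f"access-list {num} {action} ip {src.network_address} {src.hostmask} "
            f"{dst.network_address} {dst.hostmask}")


def render_customer_router(real: IPv4Net, xlated: IPv4Net, head_office: IPv4Net,
                           peer: str, outside_if: str = "Serial0/0") -> List[str]:
    """Customer-side fragment in the shape of wg_ro_b: ACL 100 selects real->head
    office traffic for the 1:1 pool, ACL 101 keeps it out of the PAT overload,
    ACL 102 is the crypto ACL in translated addresses (NAT runs before IPsec)."""
    lines: List[str] = []
    if xlated != real:
        lines += [f"ip nat pool vpnpool {xlated[1]} {xlated[-2]} netmask {xlated.netmask}",
                  "ip nat inside source route-map vpnnat pool vpnpool",
                  acl_line(100, "permit", real, head_office),
                  "route-map vpnnat permit 10", " match ip address 100"]
    lines += [f"ip nat inside source route-map nonat interface {outside_if} overload",
              acl_line(101, "deny", real, head_office),
              "access-list 101 permit ip any any",
              "route-map nonat permit 10", " match ip address 101",
              acl_line(102, "permit", xlated, head_office),
              "crypto map wgmap 2 ipsec-isakmp", f" set peer {peer}", " match address 102"]
    return lines


def render_head_office(head_office: IPv4Net, xlated: IPv4Net, peer_outside: str) -> List[str]:
    """Router A side: crypto ACL mirrored in translated addresses, plus a route
    for that range (the real customer subnet never appears on this side)."""
    return [acl_line(100, "permit", head_office, xlated),
            f"ip route {xlated.network_address} {xlated.netmask} {peer_outside}"]


def _net(addr: str, wildcard: str) -> IPv4Net:
    if wildcard == "0.0.0.0":             # ipaddress would read 0.0.0.0 as a /0 netmask
        return IPv4Net(f"{addr}/32")
    return IPv4Net(f"{addr}/{wildcard}")  # ipaddress accepts hostmask (wildcard) form


def parse_acl(line: str) -> Tuple[IPv4Net, IPv4Net]:
    """Parse 'access-list N permit ip SRC WC DST WC' into (src, dst)."""
    f = line.split()
    if len(f) != 8 or f[2] != "permit" or f[3] != "ip":
        raise ValueError(f"unsupported ACL line: {line}")
    return _net(f[4], f[5]), _net(f[6], f[7])


def crypto_acls_mirror(local: str, remote: str) -> bool:
    """True when `remote` is the exact mirror (src/dst swapped) of `local`.
    An asymmetric crypto ACL is the classic way a tunnel comes up yet traffic
    in one direction never matches the SA."""
    ls, ld = parse_acl(local)
    rs, rd = parse_acl(remote)
    return ls == rd and ld == rs


if __name__ == "__main__":
    plan = plan_translations(CUSTOMERS, HEAD_OFFICE, SUPERNET)
    ho = IPv4Net(HEAD_OFFICE)
    for site, cidr in CUSTOMERS.items():
        print(f"! {site}: {cidr} presented as {plan[site]}")
        # peer addresses are placeholders from the thread's diagram
        print("\n".join(render_customer_router(IPv4Net(cidr), plan[site], ho, "2.2.2.2")))
        print("\n".join(render_head_office(ho, plan[site], "3.3.3.2")))
```

One caveat on the design the generator reproduces: a dynamic pool translation like `ip nat inside source route-map ... pool` is only created when an inside host sends first, so head-office-initiated SNMP polling of customer devices needs static entries (`ip nat inside source static`) for the managed hosts instead; the script above deliberately does not emit those.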
 