Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

IPSec NAT Bypass with Static NAT 1

Status
Not open for further replies.

candersoncc

IS-IT--Management
Jun 14, 2008
19
US

Site A Has a Cisco PIX with Dynamic NAT and a single external IP.

Site B has a Cisco 1811 with 2 Static 1:1 NAT entries, and the rest of the internal hosts on a dynamic NAT sharing an IP.

There is an IPSEC tunnel between the 2 sites which works, except when trying to access hosts that have static NAT mappings at Site B from Site A.

I am pretty sure what is happening is that traffic returning from site B hits the router, and does NOT bypass NAT due to the static entries. For the hosts on dynamic NAT, the following entry allows them to bypass NAT for IPSEC:

ip nat inside source list 175 interface FastEthernet0 overload

What is the best way to allow bypass of the static NAT entries for IPSEC as well?

I tried this, but it didn't work (with the NAT pool containing all the external IPS)

ip nat source list 175 pool EXTERNAL_IPS

I'll post parts of my config if needed. Any assistance would be appreciated.
 
Exclude the IPSEC pool from being natted by denying them in the acl.

Burt
 
Sorry, I forgot to mention. Access list 175 already denies those ranges currently. I am using the same exclusion list for excluding the dynamic NAT as I am for the static ones (via the pool).

For some reason it is still not bypassing NAT, however. I am certain I am overlooking something. I'd mess with it more, but I am currently connecting remotely, and don't want to break NAT.

Below is the pertainant part of my config...

ip nat pool EXTERNAL_IPS xx.xxx.xxx.2 xx.xxx.xxx.31 netmask 255.255.255.224
ip nat source list 175 pool EXTERNAL_IPS
ip nat inside source list 175 interface FastEthernet0 overload
ip nat inside source static udp 10.100.1.201 53 interface FastEthernet0 53
ip nat inside source static 10.100.1.229 xx.xxx.xxx.2
ip nat inside source static 10.100.1.204 xx.xxx.xxx.3
access-list 175 deny ip 10.100.0.0 0.0.255.255 10.4.1.0 0.0.0.255
access-list 175 permit ip 10.100.1.0 0.0.0.255 any
access-list 175 permit ip 10.100.10.0 0.0.0.255 any
 
What is at 10.4.1.0/24?
What is the NAT pool? You need deny ip from any to vpn_pool...

Burt
 
10.100.x.x/16 is the local (Site B) network, and 10.4.1.x/24 is the remote (Site A) network. The NAT pool is just a range of public IP addresses.

access-list 175 deny ip 10.100.0.0 0.0.255.255 10.4.1.0 0.0.0.255

The above works for every host except the ones that have 1:1 NAT entries. The servers with static NAT are contained within the same range (10.100.0.0/16).

Thank you for your response, by the way.
 
I wonder since they are all private IP's if you can just use port mappings instead of static NAT...

Burt
 
I technically could... Except that I need outbound connections from those internal IPs to use their static NAT entries (one of them is a mail server, so it needs to present it's proper IP on outbound SMTP connections).

There has got to be a way to bypass NAT for certain addresses with Static NAT too.
 
Any ideas on how this can be done while using static NAT?
 
You may have more luck in the PIX/ASA forum. I am not that privy on VPN's myself. Sorry.

Burt
 

I was able to find a solution after scouring Cisco's website for awhile.

For anyone interested, it goes something like this...

I added an exclusion for the 2 IPs that are being static NATed to the access list that controls dynamic NAT (I probably should have done that anyway).

I then added route-map to the end of the static nat command, and set up a route map that pointed to an access list which denied the ranges I didn't want to NAT:

ip nat inside source static 10.100.1.229 x.x.x.a route-map nonat1 extendable
ip nat inside source static 10.100.1.204 x.x.x.b route-map nonat2 extendable

route-map nonat1 permit 10
match ip address 176

route-map nonat2 permit 10
match ip address 177

Apparently NAT entries are read top-down and follow first match (but are overridden by subsequent matches).
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top