
Natting source and dest with vpn help!!

Status
Not open for further replies.

petersb

MIS
Nov 23, 2004
I have an issue with a 2600 router. My problem basically is that I only see nat translations going one way. The return packets are not natted back. I don't know why.

Network Layout:
10.253.23.19----------------------192.168.205.1----192.168.205.10--192.168.206.10-----192.168.206.21
client---------------routr---------------routr-----------------------fwall------------------------------server

External client connected to serial interface

Internal network connected to Fast Ethernet. This connects directly to our checkpoint fwall.


On another interface of the firewall we have a dmz which I want external clients to have access to

Firewall routes all packets across the two interfaces

So basically what I'm trying to achieve is this. A packet comes in on the serial interface. Its source IP gets natted to an IP address on the internal network. Its destination IP gets natted to the correct IP of the server on the DMZ attached to the firewall.

client Source IP 10.253.23.19 Natted to 192.168.206.60
Client Dest IP 192.168.213.25 Natted to 192.168.206.21

Below is the router config and some packet dumps.
Building configuration...

Current configuration : 3012 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
enable secret 5 enable password
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key -------------- address 10.253.23.1
crypto isakmp key -------------- address 10.253.24.1
!
!
crypto ipsec transform-set CLIENT esp-3des esp-sha-hmac
crypto ipsec fragmentation after-encryption
crypto ipsec df-bit clear
no crypto ipsec nat-transparency udp-encaps
!
crypto map CLIENT local-address FastEthernet0/0
crypto map CLIENT 10 ipsec-isakmp
set peer 10.253.23.1
set peer 10.253.24.1
set transform-set CLIENT
match address CLIENT
!
!
!
!
interface FastEthernet0/0
ip address 192.168.205.1 255.255.255.0
ip nat inside
speed auto
full-duplex
no cdp enable
!
interface Serial0/0
no ip address
encapsulation frame-relay IETF
no fair-queue
frame-relay lmi-type ansi
!
interface Serial0/0.16 point-to-point
ip address 10.10.10.10 255.255.255.252
ip nat outside
frame-relay interface-dlci 16
crypto map CLIENT
!
router bgp 65004
no synchronization
bgp always-compare-med
bgp log-neighbor-changes
network 192.168.205.0
network 192.168.213.0
neighbor 10.10.10.9 remote-as 7474
neighbor 10.10.10.9 prefix-list CLIENT-US in
neighbor 10.10.10.9 prefix-list US-CLIENT out
neighbor 10.10.10.9 route-map SETMED out
neighbor 192.168.205.2 remote-as 65004
neighbor 192.168.205.2 next-hop-self
no auto-summary
!
ip nat inside source static 192.168.206.21 192.168.213.19
ip nat inside source static 192.168.206.22 192.168.213.20
ip nat inside source static 192.168.206.25 192.168.213.21
ip nat inside source static 192.168.206.24 192.168.213.22
ip nat outside source static 10.253.23.19 192.168.205.60
ip nat outside source static 10.253.23.20 192.168.205.61
ip nat outside source static 10.253.24.19 192.168.205.70
ip nat outside source static 10.253.24.20 192.168.205.71
ip http server
no ip http secure-server
ip classless
ip route 192.168.10.0 255.255.255.0 192.168.205.10
ip route 192.168.100.0 255.255.255.0 192.168.205.10
ip route 192.168.206.0 255.255.255.0 192.168.205.10
!
!
!
ip prefix-list CLIENT-US seq 10 permit 10.253.23.0/24
ip prefix-list CLIENT-US seq 20 permit 10.253.24.0/24
!
ip prefix-list US-CLIENT seq 10 permit 192.168.213.0/24
ip prefix-list US-CLIENT seq 20 permit 192.168.214.0/24
ip prefix-list US-CLIENT seq 30 permit 192.168.205.0/24
!
ip access-list extended CLIENT
remark VPN Traffic from US to CLIENT
permit ip 192.168.213.0 0.0.0.255 10.253.23.0 0.0.0.255
permit ip 192.168.213.0 0.0.0.255 10.253.24.0 0.0.0.255
!
route-map SETMED permit 10
set metric 100
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password
login

end

Debug

*Mar 1 00:53:59.794: NAT: o: tcp (10.253.23.19, 27019) -> (192.168.213.19, 3389) [14306]
*Mar 1 00:53:59.794: NAT: s=10.253.23.19->192.168.205.60, d=192.168.213.19 [14306]
*Mar 1 00:53:59.794: NAT: s=192.168.205.60, d=192.168.213.19->192.168.206.21 [14306]
*Mar 1 00:53:59.794: IP: tableid=0, s=192.168.205.60 (Serial0/0.16), d=192.168.206.21 (FastEthernet0/0), routed via FIB
*Mar 1 00:53:59.798: IP: s=192.168.205.60 (Serial0/0.16), d=192.168.206.21 (FastEthernet0/0), g=192.168.205.10, len 44, forward
*Mar 1 00:53:59.798: IP: tableid=0, s=192.168.206.21 (FastEthernet0/0), d=192.168.205.60 (FastEthernet0/0), routed via RIB
*Mar 1 00:53:59.798: IP: s=192.168.206.21 (FastEthernet0/0), d=192.168.205.60 (FastEthernet0/0), len 44, rcvd 3
*Mar 1 00:53:59.798: IP: tableid=0, s=192.168.205.60 (local), d=192.168.206.21 (FastEthernet0/0), routed via FIB
*Mar 1 00:53:59.802: IP: s=192.168.205.60 (local), d=192.168.206.21 (FastEthernet0/0), len 40, sending

Thanks in advance
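The debug trace above follows Cisco's documented NAT order of operations: a packet arriving on the NAT outside interface is translated first and then routed, while a packet arriving on the NAT inside interface is routed first and only translated if the chosen egress interface is a NAT outside interface. The return packet's destination, 192.168.205.60, lies inside the connected 192.168.205.0/24 of FastEthernet0/0, so the route lookup never selects Serial0/0.16 and the translation step is skipped. The following model is an added example written for this thread, not IOS code or anything from the original post. It encodes the posted static NAT entries, the posted routes and the crypto ACL, assumes BGP installs 10.253.23.0/24 via the serial subinterface, and adds a hypothetical /32 host route toward Serial0/0.16 (the kind that `ip nat outside source static ... add-route` or an explicit `ip route` would install) to show what changes when the route lookup points at the outside interface.

```python
"""Model of Cisco IOS NAT order of operations applied to the posted config.
Constructed example for illustration; not IOS code and not the poster's code."""
import ipaddress
from dataclasses import dataclass

# Interface roles from the posted config.
INSIDE_IF = "FastEthernet0/0"
OUTSIDE_IF = "Serial0/0.16"
NAT_ROLE = {INSIDE_IF: "inside", OUTSIDE_IF: "outside"}

# Routing table as (prefix, egress interface). Connected and static routes
# come from the config; the 10.253.23.0/24 entry is an ASSUMPTION that BGP
# installs the prefix permitted by prefix-list CLIENT-US via the serial peer.
BASE_ROUTES = [
    ("192.168.205.0/24", INSIDE_IF),    # connected on Fa0/0
    ("10.10.10.8/30", OUTSIDE_IF),      # connected on Se0/0.16
    ("192.168.206.0/24", INSIDE_IF),    # ip route 192.168.206.0 ... 192.168.205.10
    ("10.253.23.0/24", OUTSIDE_IF),     # assumed BGP route
]

# Hypothetical host route for the outside-local address, pointing at the
# NAT outside interface (what add-route or an explicit ip route would give).
HOST_ROUTE = ("192.168.205.60/32", OUTSIDE_IF)

# Static NAT from the config, both stored as local -> global.
INSIDE_STATIC = {"192.168.206.21": "192.168.213.19"}   # ip nat inside source static
OUTSIDE_STATIC = {"192.168.205.60": "10.253.23.19"}    # ip nat outside source static

# Crypto map ACL CLIENT matches post-NAT addresses on the outbound path.
CRYPTO_ACL = [("192.168.213.0/24", "10.253.23.0/24")]


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, egress)
    return best[1] if best else None


def invert(table):
    return {g: l for l, g in table.items()}


def matches_crypto_acl(src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in CRYPTO_ACL)


def forward(pkt, routes):
    """Return (src, dst, egress_if, translated, encrypted) after the router
    has applied NAT and routing in the order IOS uses for that direction."""
    src, dst = pkt.src, pkt.dst
    if NAT_ROLE.get(pkt.in_if) == "outside":
        # outside -> inside: translate first, then route.
        new_src = invert(OUTSIDE_STATIC).get(src, src)   # outside global -> local
        new_dst = invert(INSIDE_STATIC).get(dst, dst)    # inside global -> local
        translated = (new_src, new_dst) != (src, dst)
        return new_src, new_dst, lookup(routes, new_dst), translated, False
    # inside -> outside: route first; translate only if egress is NAT outside.
    egress = lookup(routes, dst)
    if NAT_ROLE.get(egress) != "outside":
        return src, dst, egress, False, False
    new_src = INSIDE_STATIC.get(src, src)        # inside local -> global
    new_dst = OUTSIDE_STATIC.get(dst, dst)       # outside local -> global
    translated = (new_src, new_dst) != (src, dst)
    return new_src, new_dst, egress, translated, matches_crypto_acl(new_src, new_dst)


def trace_inbound():
    """The client's SYN as seen in the debug: translated, then routed to Fa0/0."""
    return forward(Packet("10.253.23.19", "192.168.213.19", OUTSIDE_IF), BASE_ROUTES)


def trace_return(with_host_route):
    """The server's reply to 192.168.205.60, with or without a host route."""
    routes = BASE_ROUTES + ([HOST_ROUTE] if with_host_route else [])
    return forward(Packet("192.168.206.21", "192.168.205.60", INSIDE_IF), routes)


if __name__ == "__main__":
    print("inbound              :", trace_inbound())
    print("return, posted config:", trace_return(False))
    print("return, host route   :", trace_return(True))
```

With the posted routing table the reply resolves to FastEthernet0/0, the NAT inside interface, so the model reports no translation, which is exactly what the debug lines show (both addresses still the outside-local/inside-local pair and the egress interface still FastEthernet0/0). With a /32 route for the outside-local address toward Serial0/0.16 the lookup picks the outside interface, both addresses are translated back to 192.168.213.19 and 10.253.23.19, and the result then matches the crypto ACL, which is why that ACL is written in terms of the post-NAT addresses.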
 
petersb -

You may want to set up a GRE tunnel between the two IPSec endpoints. Then set up the GRE tunnel as a NAT outside interface. Right now, you have IPSec and NAT on the same interface and it may be confusing the router.

Usually, you don't NAT traffic through an IPSec tunnel. But, it seems that this is what you want to do.

 