
Simultaneous NAT overload (internet) and NAT overlapping for IPsec

Status
Not open for further replies.

Jayteezer

MIS
May 20, 2010
4
AU

Hi all,

Have been bashing my head against this for the last couple of days and was wondering if anyone might be able to take a look at the config and point where I might be approaching this wrong...

My current lab is configured as:

Two sites (SITE1/SITE2) connected via a third router (ISP) - There is a pure IPsec tunnel between SITE1 and SITE2. Both SITE1 and SITE2 have overlapping IP addresses (SITE1 uses 10.1.1.0/24 and SITE2 uses 10.0.0.0/16 and 192.168.80.0/24 - however, we're only presented with access to 10.81.0.0/18 via the IPsec VPN)

Okay... Overlapping NATs - I need to remap what each end sees as its destination - SITE2 sees SITE1 as 192.168.40.0/24 (rather than 10.1.1.0/24) and SITE1 sees SITE2 without translation (as we'll never be talking to their 10.0.0.0/16 anyway, only 10.81.0.0/18, which doesn't match our internal 10.1.1.0/24 subnet)

SITE1 also has an internet connection via ISP1 which is used to simulate access to the internet via a NAT overload statement (multiple machines in SITE1 need to access the internet via a single internet IP).

SITE1's internal IP is 10.1.1.1/24
SITE1's external IP is 203.1.1.2/24

ISP1's link to SITE1 is on 203.1.1.1/24
ISP1's link to SITE2 is on 203.2.2.1/24

SITE2's internal IP's are 10.81.0.1/18 and 192.168.80.1/24.
SITE2's external IP is 203.2.2.2/24

IPsec traffic between workstations located within SITE1 and workstations within SITE2 is fine (on either the 192.168.80.0/24 or 10.81.0.0/18 subnets); however, I'm unable to access the internet via the NAT overload from SITE1.

Your assistance is much appreciated - I'm sure it can be done and I'm positive I'm well on the way to making it happen, but for the life of me, I just can't make that last 'step' to actually having it work.

 
Results of "debug ip nat detailed" on SITE1 when attempting to ping from SITE1PC (10.1.1.10)

Code:

SITE1#
*Mar 1 02:12:05.459: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [30]
*Mar 1 02:12:05.463: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [30]
*Mar 1 02:12:05.467: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [30]
*Mar 1 02:12:05.603: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [30]
*Mar 1 02:12:05.607: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [30]
*Mar 1 02:12:05.663: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [31]
*Mar 1 02:12:05.663: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [31]
*Mar 1 02:12:05.675: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [31]
*Mar 1 02:12:05.679: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [31]
*Mar 1 02:12:05.691: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [32]
*Mar 1 02:12:05.691: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [32]
*Mar 1 02:12:05.707: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [32]
*Mar 1 02:12:05.711: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [32]
*Mar 1 02:12:05.723: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [33]
*Mar 1 02:12:05.723: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [33]
*Mar 1 02:12:05.731: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [33]
*Mar 1 02:12:05.735: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [33]
*Mar 1 02:12:05.751: NAT*: i: icmp (10.1.1.10, 6) -> (10.81.0.10, 6) [34]
*Mar 1 02:12:05.751: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [34]
*Mar 1 02:12:05.791: NAT*: o: icmp (10.81.0.10, 6) -> (192.168.40.10, 6) [34]
*Mar 1 02:12:05.795: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [34]

As we can see, 10.1.1.10 is being translated to 192.168.40.10 and then passed via IPsec to 10.81.0.10 (SITE2PC) and the same occurs coming back.

However, when attempting to ping 'an internet site' (eg, SITE2's interface on ISP1) it's also translating the addresses across to 192.168.40.10...

Code:

*Mar 1 02:12:19.095: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [35]
*Mar 1 02:12:19.099: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [35]
*Mar 1 02:12:19.099: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [35]
*Mar 1 02:12:21.091: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [36]
*Mar 1 02:12:21.091: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [36]
*Mar 1 02:12:23.071: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [37]
*Mar 1 02:12:23.071: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [37]
*Mar 1 02:12:25.055: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [38]
*Mar 1 02:12:25.055: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [38]
*Mar 1 02:12:27.071: NAT*: i: icmp (10.1.1.10, 7) -> (203.2.2.1, 7) [39]
*Mar 1 02:12:27.071: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [39]

I'm guessing this is definitely the issue - eg, it appears to be attempting to translate ALL traffic from 10.1.1.x to 192.168.40.x (where x is 10 for this test) although it should ONLY be translating 10.1.1.x to 192.168.40.x for traffic destined to 192.168.80.0/24 or 10.81.0.0/18....

Needless to say, updating the INTERNAL-OVERLOAD-TO-INTERNET ACL to allow for 192.168.40.0 doesn't work (and I don't believe it should double NAT (NAT to 192.168.40.10 and then NAT overload as 203.1.1.2)).

Something to do with the route maps maybe?

Anyone know the differences between using "ip policy route-map" on the internal interface versus "ip nat inside source route-map...." at NAT level?

Obviously, pinging the external interface of SITE1 from SITE1PC (eg, 203.1.1.2 from 10.1.1.10) works fine - however, I can't ping the ISP side of the ISP-SITE1 link (203.1.1.1)
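To make the symptom in the debug output concrete, here is an added example (not from the thread or from Cisco) that models SITE1's NAT as an ordered list of rules, each scoped by source subnet and a destination predicate, and also scans `debug ip nat detailed` lines for translations into the overlap range that are headed somewhere other than the tunnel. The addresses and subnets are the ones the poster gives; the two rule layouts (an overlap rule that matches every destination versus one scoped to the VPN destinations, with the overload ACL denying those same destinations) are assumptions about how the router is configured, and real IOS precedence between static and dynamic translations is more nuanced than this first-match model.

```python
"""Model of destination-scoped NAT rule selection on SITE1, plus a checker
for `debug ip nat detailed` output. Added example; the rule layouts are
assumptions, the addresses come from the thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address

SITE1_LAN = ipaddress.ip_network("10.1.1.0/24")
OVERLAP_RANGE = ipaddress.ip_network("192.168.40.0/24")   # what SITE2 sees SITE1 as
VPN_DESTS = [ipaddress.ip_network("10.81.0.0/18"),
             ipaddress.ip_network("192.168.80.0/24")]      # reachable through the tunnel
INTERNET_IP = "203.1.1.2"                                   # SITE1 external address


def is_vpn_dest(dst: str) -> bool:
    """True when the destination is behind the IPsec tunnel to SITE2."""
    return any(IPv4(dst) in n for n in VPN_DESTS)


def overlap_translate(src: str) -> str:
    """Static network NAT 10.1.1.0/24 -> 192.168.40.0/24: keep the host part."""
    host = int(IPv4(src)) - int(SITE1_LAN.network_address)
    return str(IPv4(int(OVERLAP_RANGE.network_address) + host))


@dataclass
class NatRule:
    name: str
    src_net: ipaddress.IPv4Network
    dst_match: Callable[[str], bool]      # does this rule apply to the destination?
    translate: Callable[[str], str]       # inside source -> translated source


def first_match(rules: List[NatRule], src: str, dst: str) -> Tuple[Optional[str], str]:
    """Return (rule name, translated source) for the first rule that matches."""
    for rule in rules:
        if IPv4(src) in rule.src_net and rule.dst_match(dst):
            return rule.name, rule.translate(src)
    return None, src  # no rule matched: packet would leave untranslated


# Assumed layout 1: the overlap rule is unconditional, so it wins for every
# packet from 10.1.1.0/24 and the overload rule never gets a chance.
UNSCOPED_POLICY = [
    NatRule("overlap", SITE1_LAN, lambda dst: True, overlap_translate),
    NatRule("overload", SITE1_LAN, lambda dst: not is_vpn_dest(dst), lambda src: INTERNET_IP),
]

# Assumed layout 2: the overlap rule applies only to tunnel destinations and
# the overload ACL denies those same destinations, so the two never compete.
SCOPED_POLICY = [
    NatRule("overlap", SITE1_LAN, is_vpn_dest, overlap_translate),
    NatRule("overload", SITE1_LAN, lambda dst: not is_vpn_dest(dst), lambda src: INTERNET_IP),
]

# Matches the inside->outside translation lines; the reverse-direction lines
# (s=..., d=a->b) do not have "->" directly after the source and are skipped.
TRANSLATION_RE = re.compile(r"NAT\*: s=([\d.]+)->([\d.]+), d=([\d.]+) \[")


def flag_misdirected(debug_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (original src, new src, dst) for translations into the overlap
    range whose destination is not behind the tunnel."""
    hits = []
    for line in debug_lines:
        m = TRANSLATION_RE.search(line)
        if not m:
            continue
        orig, new, dst = m.groups()
        if IPv4(new) in OVERLAP_RANGE and not is_vpn_dest(dst):
            hits.append((orig, new, dst))
    return hits


# Two lines taken from the debug output quoted in the thread.
SAMPLE_DEBUG = [
    "*Mar 1 02:12:05.467: NAT*: s=10.1.1.10->192.168.40.10, d=10.81.0.10 [30]",
    "*Mar 1 02:12:05.607: NAT*: s=10.81.0.10, d=192.168.40.10->10.1.1.10 [30]",
    "*Mar 1 02:12:19.099: NAT*: s=10.1.1.10->192.168.40.10, d=203.2.2.1 [35]",
]

if __name__ == "__main__":
    for policy_name, policy in (("unscoped", UNSCOPED_POLICY), ("scoped", SCOPED_POLICY)):
        for dst in ("10.81.0.10", "203.2.2.1"):
            print(policy_name, dst, first_match(policy, "10.1.1.10", dst))
    print("misdirected:", flag_misdirected(SAMPLE_DEBUG))
```

Run against the quoted debug lines, `flag_misdirected` reports only the ping towards 203.2.2.1, which is exactly the flow the poster identifies as wrong, and `first_match` shows that once the overlap rule is scoped by destination the same packet falls through to the overload rule and leaves as 203.1.1.2. On IOS the equivalent scoping is a route-map (or ACL) on the overlap translation that matches only the VPN destinations, mirrored by deny entries for those destinations at the top of the overload ACL.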
 
I would say off the top of my head to deny 10.1.1.0/24 to 192.168.40.0/24

SITE1(config)#ip access-list extended INTERNAL-OVERLOAD-TO-INTERNET
SITE1(config-ext-nacl)#5 deny ip 10.1.1.0 0.0.0.255 192.168.40.0 0.0.0.255

Also, I would not use a NAT pool for the one external IP address for the internet nat overload statement...

ip nat inside source list INTERNAL-OVERLOAD-TO-INTERNET int fa0/0 overload

I was brainstorming and thinking of NATting to the loopback, subinterfaces, etc., but am not coming up with anything...

Why the ip policy on fa0/0? Just to set the next hop to the SITE2 loopback for VPN traffic, I assume? Do you think that it is necessary? I'm having a serious brain-fart mentalpause moment over that...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 

Hi Burtsbees,

Yup, already tried that (adding 10.1.1.0 -> 192.168.40.0 into INTERNAL-OVERLOAD-TO-INTERNET) - Same thing - IPsec works but not overload NAT. (not even an entry logged when I added the log statement)

I'm using a pool because I expect they're going to eventually have larger (and multiple) ranges, but for your satisfaction, I've actually already tried interface versus pool for the overload - same problem... Was actually the first thing I tried when I discovered my theory didn't entirely work :)

There is no IP policy on fa0/0 as it's the outbound (internet facing) interface. The IP policy is on fa0/1, being the inside interface (given it's incoming traffic from that interface we're interested in - being LAN traffic)

 
Also, realised I'd mentioned above that SITE2 was using 10.0.0.0/16 - They're not, it's 10.0.0.0/8 and hence the requirement to NAT our 10.1.1.0/24 subnet as 192.168.40.0/24 for all traffic destined to/from SITE2.
 