Cisco – How to configure nat for an IPSec VPN
Posted by Josh on Wed 5 Dec 2007. Categories: Cisco, Cisco Routers.
In previous tutorials, I showed you how to configure a branch office IPsec VPN and how to configure NAT overload on an internet router. This tutorial combines the two.

Traffic destined for the VPN tunnel cannot be NATted; it needs to travel through the tunnel untranslated. The reason is the router's order of operations: for inside-to-outside traffic, IOS performs NAT before it checks the crypto map, so a packet whose source address has already been translated no longer matches the crypto ACL that defines the "interesting" traffic and is sent to the internet in the clear instead of into the tunnel. A special NAT configuration must therefore be used to prevent VPN traffic from being translated while still translating normal internet-bound traffic.
There are two ways to prevent outbound VPN traffic from being translated (an access-list or a route-map on the dynamic NAT statement), but only one way for inbound traffic (a route-map on the static NAT statement). I prefer to use a route-map because I only have to build it once and it can be referenced by both the dynamic and the static NAT statements. Here is a Cisco document explaining NAT for IPsec VPNs.
Here is the short list of commands. In the access-list, deny means "exempt from NAT" and permit means "translate"; the order matters, because the first matching line wins. The dynamic NAT statement needs the inside keyword, and the route-map sequence is shown with its default permit action spelled out.
router#config t
router(config)#! deny = do not translate traffic to the remote VPN subnet; permit = translate everything else
router(config)#ip access-list extended NAT
router(config-ext-acl)#deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
router(config-ext-acl)#permit ip any any
router(config-ext-acl)#exit
router(config)#route-map POLICY-NAT permit 10
router(config-route-map)#match ip address NAT
router(config-route-map)#exit
router(config)#! dynamic PAT for whatever the route-map permits
router(config)#ip nat inside source route-map POLICY-NAT interface s0/0 overload
router(config)#! static PAT for the mail server, gated by the same route-map so its traffic to 192.168.2.0/24 stays untranslated
router(config)#ip nat inside source static tcp 192.168.1.10 25 12.34.56.2 25 route-map POLICY-NAT extendable
router(config)#interface f1/0
router(config-if)#ip nat inside
router(config-if)#interface s0/0
router(config-if)#ip nat outside
router(config-if)#end
router#copy run start
The static NAT part was not shown in the video tutorial, but the command is listed above. It translates SMTP traffic for public IP address 12.34.56.2 to the internal server 192.168.1.10. The route-map on that line is not optional: a static entry is bidirectional and would otherwise also rewrite the mail server's source address to 12.34.56.2 when it answers hosts in 192.168.2.0/24, and that traffic would then fail the crypto ACL and never enter the tunnel. To check the result, run show ip nat translations while traffic to the remote site is flowing; flows between 192.168.1.x and 192.168.2.x should not appear in the table, while internet-bound flows should.
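To make the two points above concrete without a router, here is an added example (not code from the original tutorial or from Cisco) that models how IOS applies the configuration: wildcard-mask matching, first-match ACL evaluation with the implicit deny, the dynamic route-map PAT, and the static entry with and without its route-map. The addresses are the tutorial's; the outside interface address 12.34.56.1 and the sample flows are constructed for the example.

```python
"""Model of the NAT exemption in the tutorial above (added example, not Cisco's code).

Shows why the 'deny' for the VPN subnet must come before 'permit ip any any',
and why the static entry also needs the route-map. Addresses are the tutorial's;
OUTSIDE_IP and the sample flows are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ ip_int(wildcard)
    return (ip_int(addr) & care) == (ip_int(network) & care)


@dataclass(frozen=True)
class Ace:
    """One line of an extended ACL (protocol 'ip', so ports are not needed here)."""
    action: str   # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


ANY = ("0.0.0.0", "255.255.255.255")   # what IOS expands the keyword 'any' to


def acl_lookup(acl: List[Ace], src: str, dst: str) -> str:
    """First matching line wins; IOS appends an implicit 'deny ip any any'."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


# access-list NAT from the tutorial: deny = exempt from NAT, permit = translate.
NAT_ACL = [
    Ace("deny", "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    Ace("permit", *ANY, *ANY),
]
# The same two lines with 'permit ip any any' first (a common mistake).
NAT_ACL_REVERSED = list(reversed(NAT_ACL))


@dataclass(frozen=True)
class StaticPat:
    """ip nat inside source static tcp <local> <lport> <global> <gport> [route-map <acl>]"""
    proto: str
    local_ip: str
    local_port: int
    global_ip: str
    global_port: int
    route_map_acl: Optional[List[Ace]]   # None = no route-map, translate unconditionally


MAIL_STATIC = StaticPat("tcp", "192.168.1.10", 25, "12.34.56.2", 25, NAT_ACL)
MAIL_STATIC_NO_RMAP = StaticPat("tcp", "192.168.1.10", 25, "12.34.56.2", 25, None)

OUTSIDE_IP = "12.34.56.1"   # constructed: address assumed on s0/0 for this example


def outbound_source(proto: str, src: str, sport: int, dst: str,
                    statics: List[StaticPat], dynamic_acl: List[Ace]) -> Tuple[str, int]:
    """Source address/port an inside packet leaves s0/0 with.

    A matching static entry applies if its route-map (when present) permits
    the flow; otherwise the dynamic route-map decides. A deny leaves the
    packet untouched.
    """
    for s in statics:
        if (s.proto, s.local_ip, s.local_port) == (proto, src, sport):
            if s.route_map_acl is None or acl_lookup(s.route_map_acl, src, dst) == "permit":
                return (s.global_ip, s.global_port)
    if acl_lookup(dynamic_acl, src, dst) == "permit":
        return (OUTSIDE_IP, sport)   # real PAT may also change the port; kept for readability
    return (src, sport)


def crypto_acl_matches(src: str, dst: str) -> bool:
    """The tutorial's interesting traffic: 192.168.1.0/24 -> 192.168.2.0/24."""
    return (wildcard_match(src, "192.168.1.0", "0.0.0.255")
            and wildcard_match(dst, "192.168.2.0", "0.0.0.255"))


def goes_into_tunnel(proto: str, src: str, sport: int, dst: str,
                     statics: List[StaticPat], dynamic_acl: List[Ace]) -> bool:
    """NAT runs before the crypto map, so the crypto ACL sees the translated source."""
    new_src, _ = outbound_source(proto, src, sport, dst, statics, dynamic_acl)
    return crypto_acl_matches(new_src, dst)


if __name__ == "__main__":
    # Constructed flows: a LAN host and the mail server, each to the remote site and to the internet.
    for flow in [("tcp", "192.168.1.50", 40000, "192.168.2.20"),
                 ("tcp", "192.168.1.50", 40001, "203.0.113.7"),
                 ("tcp", "192.168.1.10", 25, "192.168.2.20"),
                 ("tcp", "192.168.1.10", 25, "203.0.113.7")]:
        for label, acl in (("correct order", NAT_ACL), ("reversed", NAT_ACL_REVERSED)):
            print(label, flow[1:], "->", outbound_source(*flow, [MAIL_STATIC], acl),
                  "tunnel" if goes_into_tunnel(*flow, [MAIL_STATIC], acl) else "clear")
```

Running it shows the three outcomes a practitioner cares about: with the tutorial's order, LAN-to-remote-site and mail-server-to-remote-site traffic keep their 192.168.1.x source and enter the tunnel, while internet-bound traffic is translated; with the lines reversed, every flow is translated and nothing matches the crypto ACL; and with the route-map dropped from the static line, the mail server's replies to the remote site are rewritten to 12.34.56.2 and go out in the clear.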

January 17th, 2008 at 1:31 am
Hi,
Please send me the link to your previous tutorial.
Thanks in advance
January 17th, 2008 at 8:42 am
http://www.blindhog.net/cisco-how-to-configure-an-ipsec-vpn/
http://www.blindhog.net/cisco-how-to-configure-nat-overload-pat/
May 24th, 2008 at 3:35 am
I would like to thank you.
This is really helpful; not only this topic but every lab you do is really helpful in my work and as I'm trying to take my CCNP.
... just want to say thanks and keep up the good work.
May 25th, 2008 at 3:54 pm
@zidan, You’re welcome. Glad to hear they have helped.
June 10th, 2008 at 2:00 pm
Excellent. It's really helpful.
August 11th, 2008 at 9:12 pm
Nice job. It’s difficult for beginners to realize how to manage NAT, ACLs and VPN tunnels.
August 12th, 2008 at 11:00 pm
Thanks Andrew
September 15th, 2008 at 8:55 am
Thank you very much
October 11th, 2008 at 10:26 pm
I am having an issue. I have set up an IPsec site-to-site VPN connection. Works a treat. One problem though: since doing this and using the route-map so it doesn't NAT traffic for the IPsec VPN, internal NAT no longer works to gain access to the internet.
ip nat source route-map NAT interface Dialer0 overload
ip nat inside source static tcp 10.0.0.10 3389 interface Dialer0 3389
!
ip access-list extended NAT
permit ip any any
deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
!
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
no cdp run
!
route-map POLICY-NAT permit 10
match ip address NAT
That works for the VPN, but as soon as I add the command
ip nat inside source list 102 interface dialer0 overload
it all dies. Any help would be great.
So in summary I need internet access for all clients on the internal network, but VPN traffic needs to go through the IPsec tunnel un-NATted.
Cheers,
Andrew
October 13th, 2008 at 10:47 am
Andrew,
The deny and permit statements in the NAT access-list are in the wrong order.
ip access-list extended NAT
permit ip any any
deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
The deny statement should be before the permit statement.
You should not need to add the “ip nat inside source list 102 interface dialer0 overload” command. The route-map should take care of it.
Another thing … you want to use the route-map on your static nat statement for RDP traffic. Otherwise, it will not work correctly.
Josh
October 16th, 2008 at 10:10 pm
Hi guys, nice topic. Though a bit off topic, I wanted to find out if you can have a point-to-point IPsec VPN and also Easy VPN at one of the VPN ends.
I have deployed Easy VPN without the p2p VPN and the other way round.
Please advise
October 20th, 2008 at 6:41 pm
bibo4shizo,
Yes, it is possible. Take a look at this link.
http://www.cisco.com/en/US/docs/routers/access/1800/1801/software/configuration/guide/vpnezvpn.html
Josh
October 20th, 2008 at 9:18 pm
Thanks a lot Josh, let me go through the document I have gotten from the link. You know I'm struggling with too many technologies these days, rushing from VoIP to GSM/GPRS. I guess I will be relying on you guys for some help.
October 24th, 2008 at 7:29 am
I’m now 3 weeks total into my Cisco experience and I have to say this page was a godsend. No one I’ve talked to (CCNAs and CCIEs included) knew about applying a route-map to a static NAT like this. Solved a brain scrambling problem I’ve been having.
Thanks!
March 12th, 2009 at 8:15 am
Dear all,
As you all know, there is a problem when you configure IPsec and NAT on the same router.
The solution is shown in the video.
For this Cisco has a solution like configuring a route-map, putting some access lists in it to bypass VPN traffic from the NAT operation.
This solution for me is working in the case where there is NAT overload (PAT) and for static NAT, but it is not working for dynamic NAT where we also have a list of IP addresses to be translated with, which we define in the ip nat pool statement.
Can anyone give me some solution for this?
I hope you understand what I mean.
If you need some details on what I am talking about, please read the link
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
Even this example is giving such a solution for PAT and static NAT but not for dynamic NAT.
I believe I can get a solution from you.
Regards,
Ahmed Ali
March 12th, 2009 at 8:17 am
The command I am using here is:
ip nat inside source route-map NAT-POLICY pool IP-POOL
March 13th, 2009 at 7:30 am
Hello. I have IOS 12.2(13), and on my device the command ip nat source route-map POLICY-NAT interface s0/0 overload won't work.
After ip nat I can only use inside, outside, pool, etc as parameters but not source. Thanks in advance.
May 27th, 2009 at 8:22 am
Hi Josh,
thank you very much for the useful video.
But what if you need to translate (PAT) some public port to the inside one?
ip nat inside source static tcp 192.168.10.2 3389 interface fastEthernet4 23389 route-map nonat
% Invalid input detected at ‘^’ marker.
OS 12.4(T4) CISCO 877
Regards,
Dmitry
May 27th, 2009 at 8:27 am
Forgot to stress that marker points to the route-map command.
June 29th, 2009 at 7:36 am
Hi,
Is it possible to configure NAT for traffic intended for the IPsec tunnel...
I want to hide my inside IPs but route traffic inside an IPsec tunnel over the internet.
The receiver must only see 1 IP from my NAT pool.