IPSEC L2L Tunnel and Static NAT

There is one tricky issue with an IPsec L2L tunnel and static NAT on a Cisco router, even one running IOS 15 (not sure why Cisco cannot fix this out of the box). Suppose you have a site-to-site VPN and one side also has a static NAT mapping to an internal host (such as a web server). Access to that server via its public NATed address from the Internet works fine, but access via its private IP through the tunnel does not: on the inside-to-outside path IOS applies NAT before the crypto map, so the return traffic has its source translated to the public address, no longer matches the crypto ACL, and is sent out the external interface as ordinary NATed traffic instead of back into the tunnel.

Here below is a sample workaround.
Drawing1

NOTE: There is no "special" configuration on RouterA or for the IPsec L2L tunnel itself. As the diagram shows, host 192.168.5.10 behind RouterB runs a surveillance camera web page on port 80. Employees need to reach the camera via its private IP, directly or through the VPN tunnel, while in the office, and via the public IP while out of the office.

Create an ACL to match the traffic that should be dynamically NATed: everything from the LAN except traffic to the remote site, which must stay untranslated so it still matches the crypto ACL (named extended ACLs are entered in ACL configuration mode):
RouterB(config)# ip access-list extended nat-traffic-acl
RouterB(config-ext-nacl)# deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
RouterB(config-ext-nacl)# permit ip 192.168.5.0 0.0.0.255 any

Create a route-map for the dynamic/overloaded NAT:
RouterB(config)# route-map NAT_TRAFFIC permit 1
RouterB(config-route-map)# match ip address nat-traffic-acl

Create the dynamic and static NAT entries. GigabitEthernet0/0 is the outside interface whose address is used for overloading; the static entry references route-map NO-STATIC-NAT, which is created in the following steps (IOS accepts the reference before the route-map exists):
RouterB(config)# ip nat inside source route-map NAT_TRAFFIC interface GigabitEthernet0/0 overload
RouterB(config)# ip nat inside source static tcp 192.168.5.10 80 1.2.3.4 8000 route-map NO-STATIC-NAT extendable

NOTE: You cannot map TCP port 80 on the public address to the inside host while the router's HTTP management server (ip http server) is enabled, because the router itself already listens on that port; that is why the camera is published on port 8000 here. If you do not need the HTTP server, disabling it (no ip http server) is the better fix, since a management interface reachable from the Internet is a risk in its own right.

Create an ACL that selects when the static NAT applies. Despite the name, a "permit" here means "apply the static translation": deny the camera's traffic towards the remote site so it is left untranslated and can enter the tunnel, permit everything else so Internet clients still hit the static mapping:
RouterB(config)# ip access-list extended no-static-nat-acl
RouterB(config-ext-nacl)# deny ip host 192.168.5.10 192.168.1.0 0.0.0.255
RouterB(config-ext-nacl)# permit ip 192.168.5.0 0.0.0.255 any

Create the route-map that bypasses the static NAT for tunnel traffic:
RouterB(config)# route-map NO-STATIC-NAT permit 1
RouterB(config-route-map)# match ip address no-static-nat-acl

So the surveillance camera page can be accessed via "http://192.168.5.10" internally (directly or through the tunnel) or "http://1.2.3.4:8000" externally.
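The pieces above assembled into one RouterB configuration, as an added example rather than the original post's own config. The interface names and addresses, the RouterA peer address 5.6.7.8, the pre-shared key, the ISAKMP policy, the transform set and the crypto ACL vpn-traffic-acl are assumptions made for the example (the post says the tunnel itself needs nothing special). The point to check is that the two deny lines in the NAT ACLs cover exactly the same source/destination pair as the crypto ACL; if they drift apart, return traffic is translated before the crypto map sees it and never enters the tunnel.

```cisco
! RouterB: site-to-site IPsec to RouterA plus dynamic/static NAT on Gi0/0.
! Added example; peer address, key, policy, interfaces and addresses are assumptions.
!
! --- IPsec pieces (assumed; the post says nothing special is needed here) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ReplaceWithAStrongPSK address 5.6.7.8
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: what goes into the tunnel. The NAT "deny" lines below must mirror this.
ip access-list extended vpn-traffic-acl
 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map L2L-MAP 10 ipsec-isakmp
 set peer 5.6.7.8
 set transform-set TS-AES
 match address vpn-traffic-acl
!
! --- NAT pieces (as in the post) ---
! Dynamic PAT: everything from the LAN except traffic to the remote site.
ip access-list extended nat-traffic-acl
 deny   ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.5.0 0.0.0.255 any
!
route-map NAT_TRAFFIC permit 1
 match ip address nat-traffic-acl
!
! Static port forward for the camera, skipped when the camera talks to the remote LAN.
! "permit" here means "apply the static translation".
ip access-list extended no-static-nat-acl
 deny   ip host 192.168.5.10 192.168.1.0 0.0.0.255
 permit ip 192.168.5.0 0.0.0.255 any
!
route-map NO-STATIC-NAT permit 1
 match ip address no-static-nat-acl
!
ip nat inside source route-map NAT_TRAFFIC interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.5.10 80 1.2.3.4 8000 route-map NO-STATIC-NAT extendable
!
! The management HTTP listener would otherwise own port 80 on the public address,
! and should not be reachable from the Internet anyway.
no ip http server
!
interface GigabitEthernet0/0
 description Outside (Internet) - address assumed
 ip address 1.2.3.4 255.255.255.248
 ip nat outside
 crypto map L2L-MAP
!
interface GigabitEthernet0/1
 description Inside (LAN) - address assumed
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
!
! Verification after a test from an Internet client and from a 192.168.1.x host:
!   show ip nat translations   -> 1.2.3.4:8000 <-> 192.168.5.10:80 entries only for Internet clients
!   show crypto ipsec sa       -> encaps/decaps counters rise for 192.168.5.0/24 <-> 192.168.1.0/24
!   debug ip nat (briefly)     -> no translation logged for 192.168.5.10 -> 192.168.1.x
```

If the tunnel test still fails, compare the crypto ACL with the two deny lines first: a mismatch there (a wider remote subnet, a second remote network added later to the crypto map but not to the NAT ACLs) reproduces exactly the symptom the post describes.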
