Cisco Router Switch VPN NAT – Static NAT Source and Destination on Router


I have been working for the past 3 days to no avail. I have googled and searched for all manner of solutions but still no success.

My task is to find a way to map an address to another. But the network it is going into does not have a default gateway (Vlan1). (I cannot configure the default gateway on these devices.)

The scenario is that this device is about to be used for VPN site-to-site access. When the other site is connected it will connect using the IP address we map to it (10.1.1.21). For now it's only one server that needs access. But in the future it might be two or more.

An idea of how a ping to 10.1.1.21 would work after this is finished:

Source: -RangeOfIPs- (Let's say 11.22.33.44)
Destination: 10.1.1.21
=> ROUTER NAT =>
Source: 192.168.0.21
Destination: 192.168.0.114 (Internal Server)

On the return the following would happen:

Source: 192.168.0.114 (Internal Server)
Destination: 192.168.0.21
=> ROUTER NAT =>
Source: 10.1.1.21
Destination: -RangeOfIPs- (11.22.33.44)

The router in use is currently a Cisco 881 and has one WAN port and 4 switch ports.
The WAN port is connected to the other networks and one of the switch ports is connected to our local network switch.

The role of Loopback 0 is to create a network that the other side of the VPN site-to-site will use. They connect to the router via VPN, which is to its public IP (1.1.1.36); then they would connect to the server via 10.1.1.21 to access that resource. That way, we don't need default routes and at the same time control which server they have access to via VPN.

I plan on making the VPN after this is complete and ready, and I am going to use ACLs to prevent the VPN from accessing the 192 network. At least, to my knowledge, it should be possible.

Here is the configuration that I have to start with.

!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet4
 ip address 1.1.1.36 255.255.255.240
 duplex auto
 speed auto
!
interface FastEthernet0
 switchport mode access
!
interface FastEthernet1
 switchport mode access
!
interface FastEthernet2
 switchport mode access
!
interface FastEthernet3
 switchport mode access
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.33 
!

Example Network Topology:
[Image: example network topology]
Key:
Grey: Internal Network
Orange: VPN Site to Site (I'll work on this later, I know how to do this part)
Dark Blue: Public Network
1.1.1.X: Represent real public IP addresses.

The right most server:
External IP: 1.1.1.21 / Gateway: 1.1.1.18
Internal IP: 192.168.0.114 / Gateway: None

Best Answer

To test your scenario I set up the following lab:

[Image: NAT topology]

The 10.0.0.0/24 network is your -RangeOfIPs-.

When traffic comes from 10.0.0.0/24 it will be NATed to 192.168.0.21. Traffic sourcing from 192.168.0.114 will be NATed to 10.1.1.21.

Configuration:

R3(config)#int f0/0
R3(config-if)#ip nat outside
R3(config-if)#int f0/1
R3(config-if)#ip nat inside

The above commands define the interfaces as outside and inside.

R3(config)#ip nat inside source static 192.168.0.114 10.1.1.21

This command translates the inside local address of 192.168.0.114 to an inside global address of 10.1.1.21.

R3(config)#access-list 1 permit 10.0.0.0 0.0.0.255

This access-list defines which hosts on the outside will get NATed.

R3(config)#ip nat pool NAT_POOL 192.168.0.21 192.168.0.21 netmask 255.255.255.0

We create a NAT pool consisting of a single address.

R3(config)#ip nat outside source list 1 pool NAT_POOL add-route 

Then we configure so that hosts matching access-list 1 will get NATed to 192.168.0.21.

It is important to configure add-route here or to add a static route because when doing inside to outside NAT, NAT takes place before routing in the order of operations. That means that R3 must have a route for 10.1.1.21.

R3 now has the following NAT table:

R3#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                192.168.0.21       10.0.0.1
--- 10.1.1.21          192.168.0.114      ---                ---

Note that R4 has been configured with an IP and IP routing turned off to emulate a host. Debugging of ICMP on R1 is enabled and debugging of IP NAT on R3 is also enabled.

R1#debug ip icmp
ICMP packet debugging is on

R3#debug ip nat 
IP NAT debugging is on

A ping is then issued from R1:

R1#ping 10.1.1.21 so f0/1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.21, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/86/104 ms
R1#
ICMP: echo reply rcvd, src 10.1.1.21, dst 10.0.0.1
ICMP: echo reply rcvd, src 10.1.1.21, dst 10.0.0.1
ICMP: echo reply rcvd, src 10.1.1.21, dst 10.0.0.1
ICMP: echo reply rcvd, src 10.1.1.21, dst 10.0.0.1
ICMP: echo reply rcvd, src 10.1.1.21, dst 10.0.0.1

Debug and NAT table from R3:

NAT*: s=10.0.0.1->192.168.0.21, d=10.1.1.21 [15]
NAT*: s=192.168.0.21, d=10.1.1.21->192.168.0.114 [15]
NAT: s=192.168.0.114->10.1.1.21, d=192.168.0.21 [15]
NAT: s=10.1.1.21, d=192.168.0.21->10.0.0.1 [15]

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                192.168.0.21       10.0.0.1
icmp 10.1.1.21:3       192.168.0.114:3    192.168.0.21:3     10.0.0.1:3
--- 10.1.1.21          192.168.0.114      ---                ---

I think that this is the kind of configuration you are looking for.

However, note that there is a caveat, because there is no overload (PAT) available for outside-to-inside translation. That means that as soon as one of your hosts communicates with 192.168.0.114, there will be no free IPs in the pool. What you can do is increase the pool size so that you reserve maybe 10 IPs that are only used for NAT.
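To make the order of operations and the pool-exhaustion caveat concrete, here is a small Python model of the two NAT rules in the answer (the static inside mapping and the outside source pool). It is an added example, not the answerer's lab or anything IOS ships; the class names, the `ping_round_trip` helper and the choice to drop a packet when the pool is exhausted or the ACL does not match are assumptions of the model, and the sample addresses are the ones from the answer.

```python
"""Model of the answer's two NAT rules (an illustration, not IOS):
   ip nat inside source static 192.168.0.114 10.1.1.21
   ip nat outside source list 1 pool NAT_POOL   (pool = one address, no overload)
"""
import ipaddress


class NatRouter:
    def __init__(self, inside_static, outside_acl, pool):
        # inside local -> inside global, e.g. {"192.168.0.114": "10.1.1.21"}
        self.inside_static = dict(inside_static)
        self.inside_global_to_local = {g: l for l, g in inside_static.items()}
        self.outside_acl = ipaddress.ip_network(outside_acl)   # access-list 1
        self.free_pool = list(pool)        # outside-local addresses not yet handed out
        self.outside_dynamic = {}          # outside global -> outside local
        self.debug = []                    # lines in the style of 'debug ip nat'

    def _outside_local(self, outside_global):
        """Reuse or allocate a pool address for an outside host permitted by the ACL."""
        if outside_global in self.outside_dynamic:
            return self.outside_dynamic[outside_global]
        if ipaddress.ip_address(outside_global) not in self.outside_acl:
            return None   # ACL does not permit this host: no translation
        if not self.free_pool:
            return None   # pool exhausted: outside source NAT has no PAT/overload
        addr = self.free_pool.pop(0)
        self.outside_dynamic[outside_global] = addr
        return addr

    def outside_to_inside(self, src, dst):
        """Packet entering on the 'ip nat outside' interface (e.g. 10.0.0.1 -> 10.1.1.21).
        Returns (new_src, new_dst), or None when the model drops the packet (assumption)."""
        new_src = self._outside_local(src)
        if new_src is None:
            self.debug.append(f"NAT: no translation for s={src}, dropping (model)")
            return None
        self.debug.append(f"NAT*: s={src}->{new_src}, d={dst}")
        new_dst = self.inside_global_to_local.get(dst, dst)   # inside global -> inside local
        if new_dst != dst:
            self.debug.append(f"NAT*: s={new_src}, d={dst}->{new_dst}")
        return new_src, new_dst

    def inside_to_outside(self, src, dst):
        """Reply leaving via the 'ip nat inside' interface (e.g. 192.168.0.114 -> 192.168.0.21)."""
        new_src = self.inside_static.get(src, src)               # inside local -> inside global
        if new_src != src:
            self.debug.append(f"NAT: s={src}->{new_src}, d={dst}")
        reverse = {local: glob for glob, local in self.outside_dynamic.items()}
        new_dst = reverse.get(dst, dst)                           # outside local -> outside global
        if new_dst != dst:
            self.debug.append(f"NAT: s={new_src}, d={dst}->{new_dst}")
        return new_src, new_dst

    def translations(self):
        """Rows shaped like 'show ip nat translations':
        (inside global, inside local, outside local, outside global)."""
        rows = [("---", "---", loc, glob) for glob, loc in self.outside_dynamic.items()]
        rows += [(g, l, "---", "---") for l, g in self.inside_static.items()]
        return rows


def build_router():
    """The answer's lab: one static inside mapping, ACL 10.0.0.0/24, single-address pool."""
    return NatRouter({"192.168.0.114": "10.1.1.21"}, "10.0.0.0/24", ["192.168.0.21"])


def ping_round_trip(router, outside_host):
    """Echo request from outside_host to 10.1.1.21 and the server's reply.
    Returns (translated request, translated reply) or None if the request was dropped."""
    req = router.outside_to_inside(outside_host, "10.1.1.21")
    if req is None:
        return None
    req_src, req_dst = req
    # The server answers to the source it saw, which is the pool address.
    reply = router.inside_to_outside(req_dst, req_src)
    return req, reply


if __name__ == "__main__":
    r = build_router()
    print(ping_round_trip(r, "10.0.0.1"))   # first outside host: translated both ways
    print(ping_round_trip(r, "10.0.0.2"))   # second host: the one-address pool is used up
    print("\n".join(r.debug))
    for row in r.translations():
        print("%-18s %-18s %-18s %s" % row)
```

Running it reproduces the four debug lines of the answer for the first host and shows that a second outside host gets no pool address while the first host's entry exists, which is exactly why a larger pool (one reserved address per concurrent remote host) is needed without overload.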