
Manta
Premium
join:2003-11-04
UK

static mappings with overloaded NAT and VPN

A slight role reversal here in that this is an answer to a problem for a change.

I posted a question some time back on a similar topic (sorry, can't provide a link because I can't search more than 90 days ago). The problem is basically this:

Two 837 routers connected to ADSL lines. R1 is at Site1 and R2 at Site2. Both have a single fixed IP address and run an ISAKMP/IPSEC tunnel between them to route the LAN traffic between sites. This works fine, but the problem is that when a static NAT entry is put in so that, for example, Remote Desktop is available from the internet to a particular PC at Site1, it stops any Remote Desktop access from Site2.

The answer that was given to me was to use policy routing so that traffic destined for the other site hops round NAT using a rather sneaky loophole. I've since been forced to actually do something about the situation as it became more of a problem than it was before. The solution I implemented was this.

Change the IPSEC tunnel so that it only carries traffic from the loopback interface of R1 to the loopback interface of R2. Then run a GRE tunnel over that IPSEC tunnel and route any site-to-site traffic via Tunnel0.

Site1: 10.0.0.0/24 GW: 10.0.0.254
Site2: 10.1.0.0/24 GW: 10.1.0.1

I've now got no issues with NAT requirements conflicting and it works fine.

Hope this is of help to some of you.

Gareth
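The R1 side of the loopback-to-loopback IPsec plus GRE layout described above, written out as an added example for this thread; it is constructed here and is not the config Gareth attached. The public, loopback and tunnel addresses, the interface names (Ethernet0, Dialer0), the RDP host 10.0.0.10 and the pre-shared key are all assumptions or placeholders; only the two LAN ranges and gateway addresses come from the post.

```cisco
! R1 at Site1 (LAN 10.0.0.0/24, R1 is 10.0.0.254). Constructed example; all
! public, loopback and tunnel addresses are assumed, the PSK is a placeholder.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Crypto ACL: only GRE between the two loopbacks is encrypted, so the
! LAN-to-LAN traffic never has to be described here (or excluded from NAT).
ip access-list extended GRE-ONLY
 permit gre host 192.168.255.1 host 192.168.255.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address GRE-ONLY
!
interface Loopback0
 ip address 192.168.255.1 255.255.255.255
!
! GRE tunnel riding inside the IPsec SA; it is NOT "ip nat outside", so
! packets routed here are never translated, including the RDP host's.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.255.2
!
interface Ethernet0
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 crypto map VPN
!
! Site2 is reached through the tunnel; the remote loopback goes out the
! dialer so the GRE packet hits the crypto map.
ip route 10.1.0.0 255.255.255.0 Tunnel0
ip route 192.168.255.2 255.255.255.255 Dialer0
!
! Overloaded NAT plus the static RDP mapping that used to break Site2 access.
ip access-list standard NAT-LAN
 permit 10.0.0.0 0.0.0.255
ip nat inside source list NAT-LAN interface Dialer0 overload
ip nat inside source static tcp 10.0.0.10 3389 interface Dialer0 3389
```

R2 is the mirror image (loopback 192.168.255.2, tunnel address 172.16.0.2, a route to 10.0.0.0/24 via Tunnel0); the static mapping only fires for packets leaving via Dialer0, so Site2's RDP sessions, which leave via Tunnel0, are no longer caught by it.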


Covenant
Premium,MVM
join:2003-07-01
England

Hi Manta,

IIRC, was it using the jumping-the-NAT-fence config, i.e. bypassing it by sending it to an address that is similar to the loopback but not quite it, and then from there on out through the default gateway as there was no match?

Well, glad you found a workaround that suits your needs better. Can you please create an FAQ/post your config as an example configuration for what you found out, as well as the issues you encountered with the previous workaround.

Thanks for letting us know too.
--
If only my employers could see how much effort I put into the Cisco forum. They would then understand why I sleep at my desk.

Manta
Premium
join:2003-11-04
UK

Attachment: 837GREIPSEC.zip (2,039 bytes), GRE over IPSEC config (837GREIPSEC.txt)
Hmmm, odd. I did actually attach my config to that post but it's vanished. It's attached here anyway.

It was the NAT fence jumping config I was on about. To be honest I didn't get around to trying it since I wasn't too keen on the way it worked. It may sound picky but it didn't seem like the way it should be done; rather one in which it could be done if desperate. Maybe I'm just awkward.

Not sure how to create a FAQ (am only a free member) but the config's attached, and I've currently got a UK-wide WAN running GRE over IPSEC because it got round the problem of needing to fully mesh IPSEC tunnels. Can post more details if anyone's interested (i.e. when I'm not badly parked and hoping the traffic wardens don't show up).

Gareth


Covenant
Premium,MVM
join:2003-07-01
England

If you found a better workaround for your issue, then by all means implement it.

Even as a free member, you may create an FAQ by clicking on the forum menu options on top of the threads. Just scroll down until you see "Submit a FAQ" and that's it.

I have taken the liberty of creating one for you:

Cisco Forum FAQ » Private Routing over VPN: NAT/PAT, GRE, IPSec Sample Configurations

Left it mostly as it is.

No comment on your use/abuse (delete as you see fit) of Wifi in the car... or are you using GPRS? Let's leave it at that, shall we.
--
If only my employers could see how much effort I put into the Cisco forum. They would then understand why I sleep at my desk.
Monday, 23-Nov 04:46:05 | © 1999-2009 dslreports.com