[c-nsp] VPN/VRF/NAT problem
Benjamin Lovell
belovell at cisco.com
Fri Jul 9 15:51:17 EDT 2010
Not completely sure I am clear on the config you are using but if the vpn tunnel is a crypto-map on a physical interface then that interface needs to be ip nat inside or if doing GREoIPSEC then the GRE tunnel interface needs to be ip nat inside.
NAT will only consider packets for translation if they cross both a nat inside and outside interface.
-Ben
On Jul 9, 2010, at 12:39 PM, Ronan Mullally wrote:
> I've got a VPN setup something like:
>
>
> Remote site --- Third Party Network --- Cisco 2811 --- Internet
> | | |
> |<----------- VPN ----------->| VRF X |
> ^
> 10.x.y.z NAT to a.b.c.d
>
> The remote site is accessing a private network on the 2811 in VRF X.
> It's doing so using an IPSEC tunnel across the Internet via an untrusted
> third party network. All IP traffic leaving the remote site is pushed
> through the IPSEC tunnel and emerges in VRF X. Everything works as
> expected, except...
>
> Traffic egressing VRF X onto the Internet is not getting NATed. It's
> emerging with a 10.x.y.z address. We have other links in this VRF
> delivered via VPDN which do not have this problem. Their traffic is NATed
> correctly.
>
> The external interface on the 2811 is configured with 'ip nat outside'.
> The VPDN interfaces have 'ip nat inside'. I suspect the issue is arising
> as the traffic emerging from the VPN tunnel is not being considered for
> NAT.
>
> I'm NATing with:
>
> ip nat pool cust-X a.b.c.d a.b.c.d netmask 255.255.255.128
> ip nat inside source list cust-X pool cust-X mapping-id 10 vrf X overload
>
> Am I missing something? Is there some way for me to tell the 2811 that
> traffic coming out of the tunnel is on the inside? (might match-in-vrf
> help?)
>
> Thanks in advance,
>
>
> -Ronan
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list