Here is a very typical architecture: local Internet access and a site-to-site VPN on the same router, an easy case. To deploy this kind of setup we almost always have to run IPsec VPN and NAT on one platform. What does NAT imply for IPsec? Let's answer this question.

First we have to take a look at the Cisco IOS order of operations. NAT happens before encryption, which means that traffic that needs to be encrypted will first be NATed and then encrypted. Usually our crypto ACL that defines the interesting traffic for encryption matches our inside LAN subnet as source and the remote end subnet as destination. Once we add a default NAT configuration, IPsec stops working properly: the traffic never matches the crypto ACL because it is translated first and its source IP changes (depending on the NAT configuration) to the outside interface IP or to a dynamic IP from the NAT pool.

To resolve this issue we have to exclude the traffic that needs to be encrypted from NAT translation. Here is a quick configuration example showing how to proceed.

Assumptions:

Traffic from subnet 10.0.1.0/24 to 10.0.3.0/24 needs to be encrypted. The remaining traffic from 10.0.1.0/24 to the Internet needs to be translated to the outside interface IP.

Solution:

Define two ACLs. The first matches the VPN traffic (you can of course reuse the crypto ACL already used by the IPsec crypto map); the second defines the NAT traffic. Then create a route map with two statements: the first uses the deny keyword and matches the crypto ACL, the second is a permit statement matching the NAT ACL. The route map is then referenced in the ip nat inside source command that describes the traffic to be translated. That's all. Here is how it looks from the configuration perspective.

ip access-list extended NAT
permit ip 10.0.1.0 0.0.0.255 any
ip access-list extended VPN
permit ip 10.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255
!
route-map NAT deny 10
match ip address VPN
!
route-map NAT permit 20
match ip address NAT
!
ip nat inside source route-map NAT interface FastEthernet0/0 overload
!
interface FastEthernet0/0
ip nat outside
crypto map MAPA
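As an added example (not from the original post), the following Python model simulates the IOS order of operations for the configuration above: NAT runs before the crypto map check, so with a plain NAT ACL the VPN traffic is translated and misses the crypto ACL, while the route-map deny statement exempts it. The outside address 203.0.113.1 is a constructed placeholder, since the post does not give it.

```python
import ipaddress

# Constructed stand-in for the router's outside (Fa0/0) address; the post does not give it.
OUTSIDE_IP = "203.0.113.1"

def wc_match(ip, net, wildcard):
    """Cisco wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    ip, net, wc = (int(ipaddress.ip_address(x)) for x in (ip, net, wildcard))
    keep = ~wc & 0xFFFFFFFF
    return (ip & keep) == (net & keep)

def acl_match(acl, src, dst):
    """Extended ACL: entries are (action, src_net, src_wc, dst_net, dst_wc); implicit deny at the end."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wc_match(src, s_net, s_wc) and wc_match(dst, d_net, d_wc):
            return action == "permit"
    return False

def route_map_permits(entries, src, dst):
    """NAT route-map: the first matching sequence decides; a deny (or no match) means no translation."""
    for action, acl in entries:
        if acl_match(acl, src, dst):
            return action == "permit"
    return False

# The two ACLs from the post; 'any' is written as 0.0.0.0 255.255.255.255.
ACL_NAT = [("permit", "10.0.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]
ACL_VPN = [("permit", "10.0.1.0", "0.0.0.255", "10.0.3.0", "0.0.0.255")]

def nat_list_only(src, dst):
    """Default form: ip nat inside source list NAT interface FastEthernet0/0 overload."""
    return acl_match(ACL_NAT, src, dst)

def nat_with_route_map(src, dst):
    """The post's fix: route-map NAT deny 10 (match VPN) / permit 20 (match NAT)."""
    return route_map_permits([("deny", ACL_VPN), ("permit", ACL_NAT)], src, dst)

def forward(src, dst, nat_policy, crypto_acl=ACL_VPN):
    """Inside-to-outside path: NAT (step 9 of the order of operations) runs before the
    crypto map check (step 10), so the crypto ACL only ever sees the translated source."""
    if nat_policy(src, dst):
        src = OUTSIDE_IP
    return src, acl_match(crypto_acl, src, dst)

if __name__ == "__main__":
    for policy in (nat_list_only, nat_with_route_map):
        print(policy.__name__, forward("10.0.1.10", "10.0.3.20", policy))
    # nat_list_only      -> ('203.0.113.1', False): VPN traffic is NATed and misses the crypto ACL
    # nat_with_route_map -> ('10.0.1.10', True): exempted from NAT, so it is encrypted
```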


I bet you would say that to configure NAT/PAT the ip nat inside and ip nat outside commands are always needed. I will show you an example where we can translate IPs with just ip nat outside.

The specific exception is traffic generated by the router itself. Let's play with NAT: configure PAT with a simple ACL and compare the behaviour for traffic generated by a host behind the router and for traffic from the router itself.

I would like to translate all traffic from the LAN network to the Internet using the fa0/0 interface IP. Instead of using the specific subnet in the ACL I'm going to configure any/any (this will get me into trouble ;)). I only configure the ip nat outside command under fa0/0, which simulates the Internet-facing subnet.

Here is my base config. R1 and R2 are connected directly via their fa0/0 interfaces.

interface FastEthernet0/0
ip address 10.0.12.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.210 255.255.255.0
duplex auto
speed auto
!
ip access-list extended NAT
permit ip any any
!
ip nat inside source list NAT interface FastEthernet0/0 overload

Let’s first generate telnet traffic from the host.
R2#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
66 vty 0 idle 00:00:15 192.168.1.105

As you can see, the user connected from 192.168.1.105.

R1#sh ip nat translations
R1#

At R1 no translation appears, so NAT does not work and the user's telnet traffic has simply been routed without translation. To resolve this problem ip nat inside needs to be added under int fa0/1.
Before we add it, let's generate test traffic from the router itself.

R1#telnet 10.0.12.2 /source-interface fa0/1
Trying 10.0.12.2 ... Open
User Access Verification
Password:

R2#sh users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
67 vty 1 idle 00:00:34 10.0.12.1

NAT works fine without ip nat inside: even though we generated the traffic with source interface fa0/1, the telnet traffic has been translated to fa0/0's IP 10.0.12.1.

R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 10.0.12.1:28276 192.168.1.210:28276 10.0.12.2:23 10.0.12.2:23

The translation has been added.
What about other traffic generated by the router itself? Let's ping R2.

R1#ping 10.0.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/30/80 ms
R1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 10.0.12.1:1 10.0.12.1:1 10.0.12.1:1 10.0.12.1:1

R1 has translated its own generated traffic. This test shows an important behaviour that can affect traffic from and to the router. Because NAT is enabled on the outside interface via the ip nat outside command, the router checks the NAT policy, the traffic matches the ACL and the source IP is translated to the fa0/0 interface IP. For traffic passing through the router, for example from a host behind it, both ip nat inside and ip nat outside are required to NAT the traffic properly. But NAT also applies to traffic generated by the router itself, so even with only ip nat outside configured under the outside interface, traffic from the router will be translated. The important thing is to define source and/or destination traffic in the ACL properly, otherwise all traffic that matches the ACL will be NATed. An improper ACL configuration can break our management traffic and thus we lose access to our box.
For example: I had configured simple PAT but had not yet added ip nat outside to fa0/0. I was able to establish a telnet session to the router. Once I added ip nat outside, the router started translating the source TCP port because of the PAT configuration, so port TCP 23 was translated to TCP 3. The TCP stack on the PC from which I am connecting then drops these packets because they do not belong to this session (wrong source port). If you try to establish a new telnet session to R1 from R2 you get the same issue: the SYN/ACK sent in response to R2's SYN has its source port 23 translated to a different one, so R2 replies with an RST because of the wrong source port. I hope this was an interesting post for you.


In simplified terms, Network Address Translation (NAT) allows us to translate the source and/or destination address of an IP packet. There are a few reasons to do it, such as management purposes, security or IP address saving. NAT is one of the technologies that has successfully delayed IPv6 deployment worldwide. First of all let's explain the NAT wording, which at first sight looks slightly confusing. The simple diagram below will help us understand the concept.

  • Inside local IP is how an inside address is seen locally by inside hosts, so from our LAN's perspective it is the real IP of our PC.
  • Inside global IP is how an inside address is seen globally by outside hosts, so from the perspective of hosts on the Internet it is the translated (NATed) IP of our host.
  • Outside local IP is how an outside address is seen locally by inside hosts, so from our LAN's perspective it is the translated (NATed) IP of a host that resides outside our network, for example on the Internet. Hosts in the LAN use it as the destination IP address.
  • Outside global IP is how an outside address is seen globally by outside hosts, i.e. the real IP address of a host that resides outside our network.

The inside translation type is the one most frequently used in today's networks. If we have 10000 hosts in our LAN and want to allow them to connect to Internet resources, we would need to provide an external public IP address for each internal host. Such a big range of public IP addresses is expensive and sometimes not even available to a company that is not a service provider. NAT is the solution here: we can simply translate all inside IP addresses to one public IP using the Port Address Translation (PAT) feature of NAT. The first question that comes to mind is how the router will be able to distinguish the packets once they come back from the Internet. PAT translates the IPs to one outside IP but additionally translates the layer 4 source ports. Initially the router keeps the TCP or UDP source port and changes only the source IP, but if another host initiates a session with the same layer 4 source port, the router takes the first free port. Based on this simple mechanism the router is able to create around 64511 sessions for one public IP (we have 65535 ports, of which the first 1024 are reserved). The second example of inside NAT is static one-to-one translation. Inside NAT allows us to hide a server's real IP address (frequently from a private range) and publish it under a public IP on the Internet as a service for public use. Thanks to this we can hide our network infrastructure and again save our public IP range, because all of our public services can be hosted under one IP.
Outside NAT translation changes the destination IP address. It is useful when our company has a business connection to a third party that uses an IP range already used somewhere in our network.
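The following Python class, an added example that is not from the original post, models the PAT mechanism described above: one global IP, the source port preserved when it is free, the first free port on a collision, and a reverse lookup so the router can map returning packets back to the inside host. The global IP 10.0.12.1 and host 192.168.1.105 are taken from the lab in this page; the second host 192.168.1.106 is constructed, and the model keys only on the port (real IOS tracks the full 5-tuple).

```python
# Usable global ports; 0-1023 are treated as reserved, as the text above assumes.
PORT_RANGE = range(1024, 65536)

class PatTable:
    """Simplified PAT (overload) table keyed on the inside-global port."""

    def __init__(self, global_ip):
        self.global_ip = global_ip
        self.outbound = {}   # (inside_local_ip, inside_port) -> inside_global_port
        self.inbound = {}    # inside_global_port -> (inside_local_ip, inside_port)

    def translate_out(self, inside_ip, src_port):
        """Inside -> outside: return (inside_global_ip, inside_global_port).
        The original source port is kept if nobody else holds it; otherwise the
        first free port from the pool is used, as described in the post."""
        key = (inside_ip, src_port)
        if key not in self.outbound:
            if src_port in PORT_RANGE and src_port not in self.inbound:
                port = src_port
            else:
                port = self._first_free()
            self.outbound[key] = port
            self.inbound[port] = key
        return self.global_ip, self.outbound[key]

    def translate_in(self, dst_ip, dst_port):
        """Outside -> inside: undo the translation for a returning packet.
        None means there is no matching entry, so the router would drop it."""
        if dst_ip != self.global_ip or dst_port not in self.inbound:
            return None
        return self.inbound[dst_port]

    def _first_free(self):
        for port in PORT_RANGE:
            if port not in self.inbound:
                return port
        raise RuntimeError("PAT port pool exhausted")

if __name__ == "__main__":
    table = PatTable("10.0.12.1")
    print(table.translate_out("192.168.1.105", 40000))  # port kept: ('10.0.12.1', 40000)
    print(table.translate_out("192.168.1.106", 40000))  # collision: ('10.0.12.1', 1024)
    print(table.translate_in("10.0.12.1", 1024))        # ('192.168.1.106', 40000)
```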

Let's take a first example and try to configure inside and outside static NAT translation based on the diagram below.

First the inside translation, i.e. source IP translation (from the LAN perspective).
R2(config)#ip nat inside source static ?
A.B.C.D Inside local IP address
esp IPsec-ESP (Tunnel mode) support
network Subnet translation
tcp Transmission Control Protocol
udp User Datagram Protocol
R2(config)#ip nat inside source static 10.0.12.1 ?
A.B.C.D Inside global IP address
interface Specify interface for global address
R2(config)#ip nat inside source static 10.0.12.1 132.0.1.100

Inside done. All traffic from the PC with IP 10.0.12.1 will be NATed to 132.0.1.100.
Next let's define the server IP address (192.168.1.7) that the local PC will use as destination IP.

R2(config)#ip nat outside source static ?
A.B.C.D Outside global IP address
network Subnet translation
tcp Transmission Control Protocol
udp User Datagram Protocol
R2(config)#ip nat outside source static 200.1.2.3 ?
A.B.C.D Outside local IP address
R2(config)#ip nat outside source static 200.1.2.3 192.168.1.7

We have to define the inside and outside interfaces.
R2(config)#int fa0/1
R2(config-if)#ip nat outside
R2(config-if)#int fa0/0
R2(config-if)#ip nat inside
R2(config-if)#no ip route-cache
R2#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- --- --- 192.168.1.7 200.1.2.3
--- 132.0.1.100 10.0.12.1 --- ---

OK, all done. Two static one-to-one translations have been added to the NAT table. It is worth mentioning that this type of entry is a kind of reversible translation: it is possible to initiate a connection from inside or from outside. With dynamic NAT it is impossible to initiate a connection from outside unless dynamic NAT with a route-map and the reversible option at the end is used.

Let's run debug ip packet and generate test traffic by telnetting from the PC to the outside local IP address, 192.168.1.7.

R2#debug ip packet detail
IP packet debugging is on (detailed)
*Mar 1 02:32:44.819: IP: s=10.0.12.1 (FastEthernet0/0), d=192.168.1.7, len 44, unroutable
*Mar 1 02:32:44.823: TCP src=35649, dst=23, seq=391750710, ack=0, win=4128 SYN
*Mar 1 02:32:44.827: IP: tableid=0, s=10.0.12.2 (local), d=10.0.12.1 (FastEthernet0/0), routed via FIB
*Mar 1 02:32:44.831: IP: s=10.0.12.2 (local), d=10.0.12.1 (FastEthernet0/0), len 56, sending
*Mar 1 02:32:44.835: ICMP type=3, code=1

Hmm, 192.168.1.7 is unroutable. Does it mean that the router makes the routing decision before translation?
Here is a short list of the Cisco IOS order of operations:

  1. If IPsec, then check input access list
  2. Decryption—for Cisco Encryption Technology (CET) or IPsec
  3. Check input access list
  4. Check input rate limits
  5. Input accounting
  6. Policy routing
  7. Routing
  8. Redirect to Web cache
  9. NAT
  10. Crypto (check map and mark for encryption)
  11. Check output access list
  12. Inspect context-based access control (CBAC)
  13. TCP intercept
  14. Encryption
  15. Queueing

OK, let's add a route to 192.168.1.7 and see what happens.
R2#*Mar 1 03:23:34.311: IP: tableid=0, s=10.0.12.1 (FastEthernet0/0), d=192.168.1.7 (FastEthernet0/1), routed via FIB ---Routing over Fa0/1
*Mar 1 03:23:34.315: NAT: s=10.0.12.1->132.0.1.100, d=192.168.1.7 [318] --- source NAT
*Mar 1 03:23:34.319: NAT: s=132.0.1.100, d=192.168.1.7->200.1.2.3 [318] --- destination NAT
*Mar 1 03:23:34.323: IP: s=132.0.1.100 (FastEthernet0/0), d=200.1.2.3 (FastEthernet0/1), g=10.0.23.3, len 44, forward
*Mar 1 03:23:34.327: TCP src=31740, dst=23, seq=1913933555, ack=0, win=4128 SYN

R2#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                192.168.1.7        200.1.2.3
tcp 132.0.1.100:31740  10.0.12.1:31740    192.168.1.7:23     200.1.2.3:23
--- 132.0.1.100        10.0.12.1          ---                ---

Connection initiated successfully. The first SYN packet is routed and will be pushed out over Fa0/1 (first debug line), then inside (source) and outside (destination) NAT take place. The TCP source and destination ports, 31740 and 23 respectively, have been written into the NAT translation table. Enjoy the NAT.