IPsec Overlaps network with nat overload to internet

Hello, Guys…

I have a question about a scenario that I built in Unet Lab.

In the image I have 2 sites in a company: the site 1 LAN is 192.168.0.0/24 and the site 2 LAN is 192.168.0.0/16. I can successfully establish a VPN between the two sites, as evidenced here:

SITE 1:

SITE 2:

The main problem here is that I can't get out to the internet even with the NAT configuration correct. If I remove the NAT configuration used for the VPN, access to the internet works normally, but the VPN breaks. Is there any other strategy so that I can both access the internet and access the resources of the other site through the VPN?

The router configurations of the two sites are attached.

Thank you in advance

site_1_2_config.rar (1.8 KB)

I have new evidence proving that the IPsec NAT is interfering with the NAT rule that lets the LAN host get out to the internet. Note that when the PC tries to ping the IP address 8.8.8.8, which is configured on the INTERNET router, it does not get an answer and it is not translated to the outside address (200.150.59.1).

Please, can someone help me?

Hi Stefanio,

Couple of things I noticed:

* You use 192.168.0.0/24 on the left router and 192.168.0.0/16 on the right router. Those are overlapping subnets so that’s something to fix. 192.168.0.0/24 falls within the range of 192.168.0.0/16. Best to use 192.168.1.0/24 on the right side instead, or use something that doesn’t start with 192.168.X.X on the left side.

About your NAT config:

ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source list NONAT interface FastEthernet0/0 overload
ip nat inside source static network 192.168.0.0 172.25.10.0 /24
ip nat outside source static network 192.168.0.0 10.199.0.0 /16

This looks messy 🙂 You only need one rule with an access-list that denies VPN traffic and permits all other traffic. Something like this:

ip nat inside source list NAT interface FastEthernet0/0 overload
!
! Traffic that matches a deny entry is NOT translated; everything that
! matches permit is translated. The destination wildcard is 0.0.0.255
! so that only the site 2 LAN (192.168.1.0/24) is exempted.
ip access-list extended NAT
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any

This will deny NAT for source traffic from 192.168.0.0/24 (site1) to 192.168.1.0/24 (site2). All other traffic should be translated with NAT.

Hope this helps!

Rene
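As an added illustration (not part of Rene's reply or the original post), the following Python script models the two checks that decide this thread: whether the two LANs overlap, and whether a given flow is exempted from NAT by the access-list. The ACL entries are transcribed from the reply above; the sample hosts (192.168.0.10, 192.168.1.20, 192.168.77.1) are constructed for the example. It also shows why the destination wildcard must be 0.0.0.255 rather than 0.0.255.255: the wider wildcard would exempt traffic to the whole of 192.168.0.0/16 from translation.

```python
import ipaddress
from typing import List, Tuple

# One tuple per ACL line, evaluated top-down like IOS does:
# (action, src_base, src_wildcard, dst_base, dst_wildcard)
AclEntry = Tuple[str, str, str, str, str]

# Rene's corrected "NAT" access-list from the reply above.
NAT_ACL: List[AclEntry] = [
    ("deny",   "192.168.0.0", "0.0.0.255",       "192.168.1.0", "0.0.0.255"),
    ("permit", "0.0.0.0",     "255.255.255.255", "0.0.0.0",     "255.255.255.255"),
]

# Constructed variant with the too-wide destination wildcard (0.0.255.255 = /16).
WIDE_ACL: List[AclEntry] = [
    ("deny",   "192.168.0.0", "0.0.0.255",       "192.168.1.0", "0.0.255.255"),
    ("permit", "0.0.0.0",     "255.255.255.255", "0.0.0.0",     "255.255.255.255"),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def nat_decision(src: str, dst: str, acl: List[AclEntry]) -> str:
    """Return 'translate' if the NAT ACL permits the flow, 'exempt' if it denies it."""
    for action, src_base, src_wc, dst_base, dst_wc in acl:
        if wildcard_match(src, src_base, src_wc) and wildcard_match(dst, dst_base, dst_wc):
            return "translate" if action == "permit" else "exempt"
    return "exempt"  # implicit deny at the end of every IOS ACL: not translated


def lans_overlap(lan_a: str, lan_b: str) -> bool:
    """True when the two site LANs share any address, which breaks the VPN design."""
    return ipaddress.ip_network(lan_a).overlaps(ipaddress.ip_network(lan_b))


if __name__ == "__main__":
    print("original design overlaps:", lans_overlap("192.168.0.0/24", "192.168.0.0/16"))
    print("fixed design overlaps:   ", lans_overlap("192.168.0.0/24", "192.168.1.0/24"))
    print("to site 2 host:          ", nat_decision("192.168.0.10", "192.168.1.20", NAT_ACL))
    print("to 8.8.8.8:              ", nat_decision("192.168.0.10", "8.8.8.8", NAT_ACL))
    print("to 192.168.77.1 (wide):  ", nat_decision("192.168.0.10", "192.168.77.1", WIDE_ACL))
```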