Here’s a good one for you.
Imagine you are offering some sort of service via IPsec to a number of customers back to your private network, but some of your customers use the same private IP range on their networks, e.g. Customer A and Customer B both have 10.0.0.0/24 as their source range. Now this is a bit of a problem. Clearly routing to the same destination (outbound from your network) is going to need some sort of NAT'ing to avoid the overlap.
Surely Cisco have an example of how to resolve this problem? Well if they do I couldn't find it. If you're reading this blog after searching for a solution, the chances are you realise how mind boggling this becomes. After about two weeks of boggling my mind this is how I did it:
Firstly I used two routers back to back. Router A is the Internet-facing router terminating the IPsec tunnels to the customers (with overlapping IP ranges). Now here is the neat bit. To keep each customer separate, the IPsec instances are created in separate VRFs on the router, and within each VRF the incoming source address from the customer is NAT'ed to a different, non-overlapping address.
Well this is all very well and good. Now we have each IPsec instance neatly NAT'ed in a VRF per customer, but the problem now is that the service you are offering is likely to be in the global routing table. This is where the second router comes in. I opted to create a trunk between the two routers and assign a VRF to each 802.1Q subinterface on the first router, and on the second router I simply left the VRF off the matching subinterfaces, in effect joining the VRFs together in the same global routing table.
Below is the config. If you can think of a better way of solving this problem, I’d be interested to hear it.
Router 1

ip cef
!
ip vrf vpn1
 description Customer: A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip vrf vpn2
 description Customer: B
 rd 101:1
 route-target export 101:1
 route-target import 101:1
!
crypto keyring vpn1
  pre-shared-key address key
crypto keyring vpn2
  pre-shared-key address key
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp profile vpn1
   vrf vpn1
   keyring vpn1
   match identity address 255.255.255.255
crypto isakmp profile vpn2
   vrf vpn2
   keyring vpn2
   match identity address 255.255.255.255
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto ipsec transform-set vpn2 esp-3des esp-sha-hmac
!
crypto map crypmap 1 ipsec-isakmp
 set peer
 set transform-set vpn1
 set isakmp-profile vpn1
 match address remote1-acl
crypto map crypmap 2 ipsec-isakmp
 set peer 2
 set transform-set vpn2
 set isakmp-profile vpn2
 match address remote2-acl
!
interface FastEthernet0/0
 description Outside WAN interface
 ip address x.x.x.x 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat enable
 load-interval 30
 duplex full
 speed 100
 crypto map crypmap
!
interface FastEthernet0/1
 description Connection to Router2 (fa0/1)
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 duplex full
 speed 100
!
interface FastEthernet0/1.1
 description Customer: A
 encapsulation dot1Q 1 native
 ip vrf forwarding vpn1
 ip address 172.31.255.249 255.255.255.252
 ip nat enable
!
interface FastEthernet0/1.2
 description Customer: B
 encapsulation dot1Q 2
 ip vrf forwarding vpn2
 ip address 172.31.255.245 255.255.255.252
 ip nat enable
!
ip route 0.0.0.0 0.0.0.0
ip route vrf vpn1 0.0.0.0 0.0.0.0 global
ip route vrf vpn1 172.31.255.0 255.255.255.0 172.31.255.250 name Router1
ip route vrf vpn2 0.0.0.0 0.0.0.0 global
ip route vrf vpn2 172.31.255.0 255.255.255.0 172.31.255.246 name Router1
!
ip http server
no ip http secure-server
ip nat source static 10.1.1.1 172.22.1.1 vrf vpn1
ip nat source static 10.1.1.1 172.22.2.1 vrf vpn2
!
ip access-list extended remote1-acl
 permit ip 172.31.255.0 0.0.0.255 10.0.0.0 0.255.255.255
ip access-list extended remote2-acl
 permit ip 172.31.255.0 0.0.0.255 10.0.0.0 0.255.255.255
Router 2

ip cef
!
interface FastEthernet0/0
 description Originating Services Subnet
 ip address 172.31.255.253 255.255.255.252
 no ip redirects
 no ip proxy-arp
 load-interval 30
 duplex full
 speed 100
!
interface FastEthernet0/1
 description Connection to Router 1
 no ip address
 no ip redirects
 no ip proxy-arp
 load-interval 30
 duplex full
 speed 100
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 172.31.255.250 255.255.255.252
!
interface FastEthernet0/1.2
 encapsulation dot1Q 2
 ip address 172.31.255.246 255.255.255.252
!
ip route 172.22.1.0 255.255.255.0 172.31.255.249 name Customer A
ip route 172.22.2.0 255.255.255.0 172.31.255.245 name Customer B
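To make the address handling concrete, here is a small Python model of the two-router path (an added example, not the author's config or tooling): Router 2's global routes choose the subinterface and therefore the VRF, the VRF's static NAT restores the customer's overlapping 10.x address, and that VRF's crypto ACL decides whether the packet enters that customer's tunnel. The tables are taken from the config above; the services-side host 172.31.255.254 is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the two-router design described above (added example,
# not the author's tooling). Addresses are those in the Router 1/2 config.
R2_ROUTES = {  # Router 2 global table: services-side prefix -> Router 1 subinterface
    ip_network("172.22.1.0/24"): "172.31.255.249",
    ip_network("172.22.2.0/24"): "172.31.255.245",
}
R1_SUBIF_VRF = {"172.31.255.249": "vpn1", "172.31.255.245": "vpn2"}
# ip nat source static <customer-side local> <services-side global> vrf <vrf>
R1_NAT = {"vpn1": {"10.1.1.1": "172.22.1.1"}, "vpn2": {"10.1.1.1": "172.22.2.1"}}
# crypto ACL per VRF's crypto map entry: (src, wildcard, dst, wildcard)
R1_CRYPTO_ACL = {
    "vpn1": ("172.31.255.0", "0.0.0.255", "10.0.0.0", "0.255.255.255"),
    "vpn2": ("172.31.255.0", "0.0.0.255", "10.0.0.0", "0.255.255.255"),
}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return int(ip_address(addr)) & care == int(ip_address(base)) & care

def longest_match(routes, dst):
    """Plain longest-prefix lookup; returns the next hop or None."""
    hits = [n for n in routes if ip_address(dst) in n]
    return routes[max(hits, key=lambda n: n.prefixlen)] if hits else None

def outbound(src, dst):
    """Services subnet -> customer. Returns (vrf, dst as the customer sees it, crypto match)."""
    next_hop = longest_match(R2_ROUTES, dst)
    vrf = R1_SUBIF_VRF.get(next_hop)
    if vrf is None:
        return (None, dst, False)
    # Static NAT inside the VRF is symmetric: map the global address back to the local one.
    local = {g: l for l, g in R1_NAT[vrf].items()}.get(dst, dst)
    s, sw, d, dw = R1_CRYPTO_ACL[vrf]
    return (vrf, local, wildcard_match(src, s, sw) and wildcard_match(local, d, dw))

def inbound(vrf, src):
    """Customer -> services: the overlapping 10.x source becomes a per-customer address."""
    return R1_NAT[vrf].get(src, src)

if __name__ == "__main__":
    for dst in ("172.22.1.1", "172.22.2.1", "172.22.1.9"):
        print(dst, "->", outbound("172.31.255.254", dst))
    print("from A:", inbound("vpn1", "10.1.1.1"), "from B:", inbound("vpn2", "10.1.1.1"))
```

The 172.22.1.9 case shows the failure mode: a services-side address with no static mapping stays untranslated, so it never matches the 10.0.0.0/8 crypto ACL and is not sent down either tunnel.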