VPN NAT Question

Unanswered Question
Feb 5th, 2007


My ADSL router creates VPN connections to my remote sites. This VPN works fine, but I need to give the one network (behind the ADSL) access to servers on another network.

Basically, the VPN connection is created to my VPN router. The router then allows 172.18.44.x to talk to anything advertised on my network. I need to get the above network connected to a network in the 172.20.32.x range.

How would I do that? Is this an access list issue or do I look at the VPN Router?

Jon Marshall Mon, 02/05/2007 - 04:47


It's a little unclear what you are trying to achieve. If you merely want to add another network to an existing VPN setup, then you just need to modify the crypto map access-lists at both ends of the VPN.

If I have misunderstood, please explain further.



bradlesliect Mon, 02/05/2007 - 04:57

It's a bit difficult to explain. I have a VPN setup for my network and the entry points are at 2 different sites. Connections into the VPN are fine. Users are able to browse network resources as if they were on my network.

I now need to connect a user from one network made via VPN into mine to another network made via VPN to mine.

What configs can I give you?

bradlesliect Tue, 02/06/2007 - 10:38

How and where would I configure split tunneling? Could that perhaps fix this problem?

I think what's happening here is that the VPN connection is using the default gateway of the remote network?

Am I right in saying that?

Jon Marshall Tue, 02/06/2007 - 11:16


I might have misunderstood your requirements. This is what I thought you needed:

Site A is your main site.

Site B is a remote site that connects to Site A via a VPN tunnel.

Site C is another remote site that connects to Site A via VPN.

You now need a user at Site B to be able to talk to Site C via Site A. Is this correct?

Split tunneling is about sending some traffic down the VPN tunnel but other traffic not, and is more to do with client VPNs than site-to-site VPNs.

So when the user at Site B wants to talk to a machine at Site C, do you want it to go via your Site A through the VPN tunnels? If you do, the document I pointed you to should allow you to set this up.

If you need something else please let me know.


bradlesliect Tue, 02/06/2007 - 12:23

In a manner of speaking you are correct.

Site A - My network

Site B - Remote site connecting to Site A via ADSL using VPN Tunnel

Site C - Client network connecting to Site A via diginet line.

The goal here is to get Site B connected to a host on Site C via Site A.

The common thing here is Site A. We have access set up on Site A to connect to all sites, including Site C.

Therefore when the ADSL router makes the VPN tunnel / connection to Site A, it's as if Site B is now on Site A's network. Therefore Site B should technically be able to connect to a host on Site C ..... but it ain't working like that .....

Site B users have to create a 2nd VPN connection from their Windows workstations, and only then are they able to connect to hosts on Site C.

You all still with me? Do you see what the problem is?

Jon Marshall Tue, 02/06/2007 - 13:08

Ok Brad i understand the requirement.

Can you clarify whether the clients at Site B are using client VPNs on their laptops or whether the VPN is a site-to-site VPN from the remote router to Site A.

Also, if you could post the config of the Site A VPN device, that would help.


bradlesliect Wed, 02/07/2007 - 03:19

The router (B) creates a site (B)-to-site (A) VPN connection. What I have tried is to make a separate VPN connection from the user PC (Windows based), and this still did not work. The connection still times out.

When I do a trace to the host (Site C) I am trying to connect to, it goes via the Internet and not via the VPN connection to Site A.

Is this an access-list issue?

Site A is using a Cisco 2650 through which all my VPN connections come in.

Do you still want the config for Site A?

Jon Marshall Wed, 02/07/2007 - 03:52


If a trace goes via the Internet, then yes, you will need to modify the access-lists on your devices.

On site B router you will have to add Site C subnets to the crypto map access-list.

On site C router you will need to add Site B subnets to the crypto map access-list.

On Site A you will need to update both crypto access-lists for both Site B & Site C.



Jon Marshall Wed, 02/07/2007 - 05:05


Sorry, never used SDM. What I'm referring to is that in your config on the routers there will be some crypto map entries. Under the crypto map statement there will be a "match address x" statement, x being an access-list on your router.

This is the access-list you need to change.
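To make the two posts above concrete, here is an added example of what the "match address x" access-list and the crypto map entry look like in IOS, and the single line that has to be added at each end of the Site B tunnel. This is not configuration posted by anyone in this thread. The Site A LAN (192.168.10.0/24), the /24 masks on the 172.18.44.x and 172.20.32.x ranges, the public peer addresses, the access-list, crypto map and transform-set names, and the Dialer0 interface are all assumptions for illustration; the ISAKMP policy and transform set are assumed to exist already.

```cisco
! ===== Site B ADSL router (IOS). Names and addresses are assumed. =====
! Only traffic that matches the crypto ACL is sent through the tunnel.
! With just the first permit line, packets for 172.20.32.x never match,
! so they follow the default route to the Internet in clear text, which
! is exactly what the traceroute from Site B shows.
ip access-list extended VPN-TO-SITE-A
 permit ip 172.18.44.0 0.0.0.255 192.168.10.0 0.0.0.255
! Added line: Site B -> Site C is now "interesting" traffic for the tunnel
 permit ip 172.18.44.0 0.0.0.255 172.20.32.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
! 203.0.113.1 stands in for the Site A public address (assumed)
 set peer 203.0.113.1
 set transform-set TS-SITE-A
! this is the "match address x" statement referred to above
 match address VPN-TO-SITE-A
!
! If the same router also NATs the LAN to the Internet, the new flow must
! be excluded from NAT as well, otherwise it leaves with the public source
! address, never matches the crypto ACL and still bypasses the tunnel.
ip access-list extended NAT-EXEMPT
 deny   ip 172.18.44.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 172.18.44.0 0.0.0.255 172.20.32.0 0.0.0.255
 permit ip 172.18.44.0 0.0.0.255 any
ip nat inside source list NAT-EXEMPT interface Dialer0 overload

! ===== Site A VPN router (the 3640): mirror image of the Site B entry =====
ip access-list extended VPN-TO-SITE-B
 permit ip 192.168.10.0 0.0.0.255 172.18.44.0 0.0.0.255
! Added line: must be the exact mirror of the line added at Site B
 permit ip 172.20.32.0 0.0.0.255 172.18.44.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
! 198.51.100.2 stands in for the Site B public address (assumed)
 set peer 198.51.100.2
 set transform-set TS-SITE-A
 match address VPN-TO-SITE-B
```

Two checks worth doing after the change: `show crypto ipsec sa` on either router should show a second pair of local/remote idents (172.18.44.0/24 <-> 172.20.32.0/24) once the first packet triggers it, and `show access-lists` hit counts on the new permit lines confirm the traffic is actually being classified. Because Site C is reached from Site A over the diginet line rather than a second tunnel, nothing crypto-related changes at Site C; what it does need is a return route for 172.18.44.0/24 pointing back toward Site A, and the 3640 and the 2650 at Site A must route 172.18.44.0/24 and 172.20.32.0/24 toward each other, otherwise the decrypted packets arrive at Site C and the replies have nowhere to go.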


bradlesliect Wed, 02/07/2007 - 05:16

At Site A I have a 3640 which the VPN connection is made into, and I also have a PIX firewall which controls access into my network. From both devices I can ping the host on Site C. So it means both devices can get to it.

If I do a trace to that host, it goes via the WAN router (Site A) that Site C is connected to. So the routes exist, and it doesn't look like I need to send it through my PIX first ..... right?

Jon Marshall Wed, 02/07/2007 - 05:27


Is the 3640 router the one that Site C is connected to, or is that a different router?


bradlesliect Wed, 02/07/2007 - 05:50

You're probably getting quite angry now .... :(

It's at Site A, but it's a different router. The VPN connections come in via a 2650.

Jon Marshall Wed, 02/07/2007 - 06:35


Nope not getting angry at all, just trying to understand your layout :-)

So Site B VPN goes to Site A 3640.

And Site C VPN goes to a 2650?

Either way, if they are separate routers, as long as they can see each other's subnets you wouldn't need to go via the PIX. As long as you trust the two sites.

Hope I've understood correctly; if not, let me know.


bradlesliect Wed, 02/07/2007 - 11:20

That's correct, the 3640 and the 2650 are both at Site A.

2650 - has all the clients connected to it.

3640 - has all the VPN connections.

