nat and tunnel

Jun 30th, 2007

Hi,


We would like to configure the following:


1. setup tunnel in between R1 and R2

2. R1 is "ip nat inside" and R2 is "ip nat outside"

3. I would like all users accessing the server "66.x.x.2" to go through the tunnel, then via R2 and R3 to the outside internet to reach 66.x.x.2


Following is the config; however, it does not work. What is missing? For details please refer to the attached file. Please advise.


Best regards


---- config

R1
!
interface Tunnel 1
 ip address 172.16.1.1 255.255.255.252
 ip nat inside
 tunnel source 192.168.1.1
 tunnel destination 192.168.10.1
!
! note: next hop 172.16.0.2 is not on the tunnel subnet 172.16.1.0/30
ip route 66.x.x.2 255.255.255.255 172.16.0.2
!

--------

R2
!
interface FastEthernet0
 ip address 64.x.x.1 255.255.255.240
 ip nat outside
 crypto map mymap ! a VPN is already configured on this interface
!
interface FastEthernet1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface Tunnel 1
 ip address 172.16.1.2 255.255.255.252
 ip nat outside
 tunnel source 192.168.10.1
 tunnel destination 192.168.1.1
!
ip nat pool test 64.1.1.1 64.1.1.1 netmask 255.255.255.240
ip nat inside source list 10 pool test overload
!
ip nat inside source list 20 interface tunnel 1 overload
!
access-list 20 permit 172.16.1.0 0.0.0.255
access-list 10 permit 192.168.10.0 0.0.0.255



paolo bevilacqua Sat, 06/30/2007 - 05:46

Hello,


In practice R2 will do NAT for users behind R1 as well, but only when R2 routes to R1 over the tunnel, based on destination. Then:


- no "ip nat" statements on R1 are necessary.

- add "access-list 10 permit 192.168.1.0 0.0.0.255" to R2

- tunnel 1 should be NAT inside, not outside.

- remove "ip nat inside source list 20 interface tunnel 1 overload"

- use static routes or a routing protocol between R1, R2 and R3 so that each one knows how to reach the connected networks and you can ping from/to everywhere.

- all this assumes that you already have connectivity between 192.168.1 and .10 by some means not specified in the diagram.


That should do it.


Hope this helps, please rate post if it does!
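As an added illustration (not part of this thread or of any Cisco tool), here is a small checker that parses the NAT-relevant lines of an IOS-style config and reports the three R2 problems listed above: Tunnel1 not "ip nat inside", the extra "interface tunnel 1" NAT rule, and access-list 10 not covering the 192.168.1.0/24 LAN behind R1. The sample config is constructed from the thread's R2 post (only the lines the checker reads), and the host 192.168.1.10 is an assumed address on the R1 LAN.

```python
import re

# Constructed from the thread: R2's NAT-relevant lines as originally posted.
R2_POSTED = """\
interface Tunnel 1
 ip nat outside
!
ip nat inside source list 10 pool test overload
ip nat inside source list 20 interface tunnel 1 overload
access-list 20 permit 172.16.1.0 0.0.0.255
access-list 10 permit 192.168.10.0 0.0.0.255
"""

def parse_nat_config(text):
    """Collect interface NAT roles, 'ip nat inside source' rules and numbered ACLs."""
    roles, rules, acls, cur = {}, [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1].replace(" ", "")  # "Tunnel 1" -> "Tunnel1"
        elif line in ("ip nat inside", "ip nat outside") and cur:
            roles[cur] = line.split()[-1]
        elif line.startswith("ip nat inside source list "):
            rules.append(line)
        else:
            m = re.match(r"access-list (\d+) permit (\S+) (\S+)$", line)
            if m:
                acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return roles, rules, acls

def ip_int(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")

def acl_permits(acls, acl_id, ip):
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    return any((ip_int(ip) | ip_int(w)) == (ip_int(n) | ip_int(w))
               for n, w in acls.get(acl_id, []))

def audit_r2(text, remote_lan_host="192.168.1.10"):
    """Findings from the thread's checklist for R2; an empty list means clean."""
    roles, rules, acls = parse_nat_config(text)
    findings = []
    if roles.get("Tunnel1") != "inside":
        findings.append("Tunnel1 must be 'ip nat inside', not outside")
    for rule in rules:
        if " interface tunnel" in rule.lower():
            findings.append("remove: " + rule)
        elif " pool " in rule and not acl_permits(acls, rule.split()[5], remote_lan_host):
            findings.append(f"access-list {rule.split()[5]} does not cover {remote_lan_host}")
    return findings
```

Running audit_r2(R2_POSTED) yields the three findings; after applying the fixes (Tunnel1 to inside, list 20 rule removed, 192.168.1.0/24 added to access-list 10) it returns an empty list.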

leungcm Sun, 07/01/2007 - 08:22

Hi,


Thank you very much. It is working.


Best regards


paolo bevilacqua Sun, 07/01/2007 - 15:43

Good job, considering that my post even got messed up by cut and paste editing.

Thanks for the nice rating and good luck!
