NAT and VPN

Jul 5th, 2007

Hi,


We enabled VPN and NAT on the same router. We would like the following:


1. 192.168.16.0/24 can NAT to outside internet (using x.x.x.x overload)

2. 192.168.16.0/24 can access 192.168.32.0/24 to TW office via VPN


For details, please refer to the config below. The VPN is working if we use extended ping.


We find that 192.168.16.0/24 always goes to Gi 0/0 if we access the 192.168.32.0/32 network. Anything missing in my config? Please advise.


Best regards


---

!
crypto map mymap 101 ipsec-isakmp
 description VPN to TW office
 set peer 201.x.x.x
 set transform-set myset
 match address 101
!
interface GigabitEthernet0/0
 ip nat outside
 crypto map mymap
!
interface GigabitEthernet0/2
 ip address 192.168.16.1 255.255.255.0
 ip nat inside
!
ip nat pool NAT x.x.x.x x.x.x.x netmask 255.255.255.224
ip nat inside source route-map nonat pool NAT overload
!
access-list 100 deny ip 192.168.16.0 0.0.0.255 192.168.16.0 0.255.255.255
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
!
access-list 101 permit ip 192.168.16.0 0.0.0.255 192.168.32.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 100
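The posted config decides per flow whether a packet is translated (route-map nonat, ACL 100) and whether it is encrypted (crypto map, ACL 101), and IOS runs NAT before the crypto map on inside-to-outside traffic, so a flow that is NATed no longer carries the 192.168.16.x source that ACL 101 looks for. The following is an added example, not code from the thread: it simulates IOS wildcard-mask ACL matching over the three ACL lines exactly as posted, plus two variants I constructed for comparison (one with no NAT exemption at all, one where the deny line names 192.168.32.0 0.0.0.255). The pool address and the destination addresses are placeholders from the documentation ranges, not values from the poster's router.

```python
"""Simulate NAT exemption and crypto-map matching for the posted ACLs.

Added example (not from the forum thread). Models IOS wildcard ACL
matching, the 'route-map nonat' NAT decision and the crypto ACL, applied
in the order IOS uses for inside-to-outside traffic: NAT first, then the
crypto map on the (possibly translated) packet.
"""
import ipaddress

# ACL lines copied verbatim from the posted config.
POSTED_ACLS = """
access-list 100 deny ip 192.168.16.0 0.0.0.255 192.168.16.0 0.255.255.255
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 101 permit ip 192.168.16.0 0.0.0.255 192.168.32.0 0.0.0.255
"""

# Constructed variant: no NAT exemption at all (everything from the LAN is NATed).
NO_EXEMPT_ACLS = """
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 101 permit ip 192.168.16.0 0.0.0.255 192.168.32.0 0.0.0.255
"""

# Constructed variant (my assumption): the deny names the remote VPN /24.
NARROW_EXEMPT_ACLS = """
access-list 100 deny ip 192.168.16.0 0.0.0.255 192.168.32.0 0.0.0.255
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 101 permit ip 192.168.16.0 0.0.0.255 192.168.32.0 0.0.0.255
"""

NAT_POOL_ADDRESS = "203.0.113.10"  # placeholder for the poster's x.x.x.x overload address


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(fields):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD')."""
    if fields[0] == "any":
        return "0.0.0.0", "255.255.255.255", fields[1:]
    if fields[0] == "host":
        return fields[1], "0.0.0.0", fields[2:]
    return fields[0], fields[1], fields[2:]


def parse_acls(text):
    """Return {acl_number: [(action, src, src_wc, dst, dst_wc), ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        parts = line.split()
        # access-list <n> <permit|deny> ip <src spec> <dst spec>
        if parts[0] != "access-list" or parts[3] != "ip":
            raise ValueError("unsupported ACL line: " + line)
        number, action = parts[1], parts[2]
        src, src_wc, rest = _take_addr(parts[4:])
        dst, dst_wc, _ = _take_addr(rest)
        acls.setdefault(number, []).append((action, src, src_wc, dst, dst_wc))
    return acls


def acl_action(entries, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, s_wc, d, d_wc in entries:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"


def classify_flow(acls, src, dst):
    """Return (natted, encrypted, source address the crypto map sees)."""
    # route-map nonat permit 10 / match ip address 100: translate only on ACL permit
    natted = acl_action(acls["100"], src, dst) == "permit"
    outer_src = NAT_POOL_ADDRESS if natted else src
    # crypto map 'match address 101' is evaluated after NAT has run
    encrypted = acl_action(acls["101"], outer_src, dst) == "permit"
    return natted, encrypted, outer_src


if __name__ == "__main__":
    variants = (("posted", POSTED_ACLS), ("no-exempt", NO_EXEMPT_ACLS),
                ("narrow-exempt", NARROW_EXEMPT_ACLS))
    for label, text in variants:
        acls = parse_acls(text)
        for dst in ("192.168.32.10", "192.0.2.1", "198.51.100.5"):
            print(label, "192.168.16.10 ->", dst, classify_flow(acls, "192.168.16.10", dst))
```

Running it shows three things worth checking on a router like this one. With the ACLs as posted, traffic to the TW subnet is exempted from NAT and matches the crypto ACL, so the crypto map can encrypt it; with no exemption it is translated first and never matches ACL 101, which is the classic reason a VPN "works with extended ping" from the router but not from the LAN. The posted deny line, however, uses the wildcard 0.255.255.255, which exempts every 192.0.0.0/8 destination from NAT, not just 192.168.32.0/24, so a LAN host reaching a public 192.x address would leave unencrypted with its private source intact.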






Amit Singh Thu, 07/05/2007 - 22:20
Cisco Employee

This is absolutely fine. You have only one link and you are setting up VPN over the internet to the TW office. Any traffic which will leave for the internet or the VPN will always go via Gig 0/0, as that is your outside-facing link.


If you have any other link on the router then you can use PBR to have internet traffic go via one link and the VPN traffic go via another link.


HTH, please rate if it does.


-amit singh

leungcm Fri, 07/06/2007 - 06:53

Hi, there is one Internet link (Gi Ethernet).


We would like:


A. 192.168.16.0 --> 192.168.32.0 --> gi ether ----> VPN


B. 192.168.16.0 --> www.yahoo.com ---> gi eth -----> internet


Currently, "A" is not working. It seems that it goes "B" no matter what the destination IP address is.


Any advice?


Amit Singh Fri, 07/06/2007 - 07:07
Cisco Employee

What I can get from the above post is that you are able to go to the internet but unable to connect to the TW office, is that correct?


If yes, what does the output of "show crypto isakmp sa" tell you on the routers at both your end and the TW end? It seems that your VPN is not working to the TW site. Please paste the output of "show crypto map" as well.


HTH,

-amit singh

leungcm Fri, 07/06/2007 - 08:18

Hi,


Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local    Remote   I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
140   x.x.x.x  y.y.y.y         ACTIVE  des   md5   psk   1   23:48:23
Connection-id:Engine-id = 140:1(software)

