NAT and VPN

Unanswered Question
Jul 5th, 2007

Hi,

We have enabled VPN and NAT on the same router. We would like the following:

1. 192.168.16.0/24 can NAT to outside internet (using x.x.x.x overload)

2. 192.168.16.0/24 can access 192.168.32.0/24 to TW office via VPN

For details, please refer to the config file. The VPN is working if we use extended ping.

We find that 192.168.16.0/24 always goes to Gi 0/0 if we access the 192.168.32.0/32 network. Is anything missing in my config? Please advise.

Best regards

---

!
!
crypto map mymap 101 ipsec-isakmp
 description VPN to TW office
 set peer 201.x.x.x
 set transform-set myset
 match address 101
!
interface GigabitEthernet0/0
 ip nat outside
 crypto map mymap
!
interface GigabitEthernet0/2
 ip address 192.168.16.1 255.255.255.0
 ip nat inside
!
ip nat pool NAT x.x.x.x x.x.x.x netmask 255.255.255.224
ip nat inside source route-map nonat pool NAT overload
access-list 100 deny ip 192.168.16.0 0.0.0.255 192.168.16.0 0.255.255.255
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 101 permit ip 192.168.16.0 0.0.0.255 192.168.32.0 0.0.0.255
route-map nonat permit 10
 match ip address 100
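As an added illustration (not part of the thread and not Cisco code), the following Python models how IOS evaluates the route-map ACL and the crypto ACL for an inside-to-outside packet, using the two access lists from the config above. It assumes the IOS order of operations in which inside-to-outside NAT runs before the crypto map on the outbound interface, a constructed public address 203.0.113.10 standing in for the x.x.x.x overload pool, and a tightened access-list 100 variant that is my own suggestion rather than anything the poster wrote. Running it shows that the posted deny entry, because of its 0.255.255.255 destination wildcard, does exempt 192.168.32.0/24 from NAT, but also exempts every other 192.x.x.x destination, which would then leave Gi0/0 with an RFC 1918 source address and no tunnel.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-list entry in Cisco wildcard-mask style."""
    action: str   # "permit" or "deny"
    src: str
    src_wc: str   # wildcard mask: bits set to 1 are "don't care"
    dst: str
    dst_wc: str


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard comparison: only bits that are 0 in the wildcard are compared."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")

# access-list 100 exactly as posted: the deny uses wildcard 0.255.255.255 on the
# destination, so it exempts every 192.x.x.x destination from NAT, not only 192.168.32.0/24.
ACL_100_AS_POSTED = [
    Ace("deny", "192.168.16.0", "0.0.0.255", "192.168.16.0", "0.255.255.255"),
    Ace("permit", "192.168.16.0", "0.0.0.255", *ANY),
]

# Assumed tightened variant (my own, not from the thread): exempt only the VPN-protected subnet.
ACL_100_TIGHTENED = [
    Ace("deny", "192.168.16.0", "0.0.0.255", "192.168.32.0", "0.0.0.255"),
    Ace("permit", "192.168.16.0", "0.0.0.255", *ANY),
]

# access-list 101, the crypto ACL, as posted.
ACL_101 = [Ace("permit", "192.168.16.0", "0.0.0.255", "192.168.32.0", "0.0.0.255")]

PUBLIC_IP = "203.0.113.10"  # constructed placeholder for the thread's x.x.x.x overload address


def classify(nat_acl, src: str, dst: str) -> dict:
    """Inside-to-outside order of operations on IOS: NAT is applied before the
    crypto map on the outbound interface, so the crypto ACL sees the post-NAT source."""
    natted = acl_lookup(nat_acl, src, dst) == "permit"
    src_on_wire = PUBLIC_IP if natted else src
    in_tunnel = acl_lookup(ACL_101, src_on_wire, dst) == "permit"
    return {"natted": natted, "src_on_wire": src_on_wire, "vpn": in_tunnel}


if __name__ == "__main__":
    # 192.168.32.7 is the TW office, 192.0.2.1 and 198.51.100.5 are constructed internet hosts.
    for acl_name, acl in (("as posted", ACL_100_AS_POSTED), ("tightened", ACL_100_TIGHTENED)):
        for dst in ("192.168.32.7", "192.0.2.1", "198.51.100.5"):
            print(acl_name, "192.168.16.5 ->", dst, classify(acl, "192.168.16.5", dst))
```

Both NAT-bound and tunnel-bound flows leave through Gi0/0 in this model, because the crypto map is bound to that interface; seeing traffic on Gi0/0 is therefore not by itself a sign that the VPN path is skipped. The useful check on the router is whether the crypto ACL is actually hit for 192.168.16.0/24 to 192.168.32.0/24 traffic (for example via the encaps/decaps counters of `show crypto ipsec sa`) and whether the NAT translation table shows entries for that destination, which would indicate the exemption is not matching.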

Amit Singh Thu, 07/05/2007 - 22:20

This is absolutely fine. You have only one link and you are setting up VPN over the internet to the TW office. Any traffic which leaves for the internet or the VPN will always go via Gig 0/0 as that is your outside-facing link.

If you have any other link on the router then you can use PBR to have internet traffic go via one link and the VPN traffic go via another link.

HTH, Please rate if it does.

-amit singh

leungcm Fri, 07/06/2007 - 06:53

Hi, there is one Internet link (gi ethernet)

We would like:

A. 192.168.16.0 --> 192.168.32.0 --> gi ether ----> VPN

B. 192.168.16.0 --> www.yahoo.com ---> gi eth -----> internet

Currently, "A" is not working. It seems that it goes via "B" no matter what the destination IP address is.

Any advice?

Amit Singh Fri, 07/06/2007 - 07:07

What I can get from the above post is that you are able to go to the internet but unable to connect to the TW office, is that correct?

If yes, what does the output of "show crypto isakmp sa" tell you on the routers at both your end and the TW end? It seems that your VPN is not working to the TW site. Please paste the output of "show crypto map" as well.

HTH,

-amit singh

leungcm Fri, 07/06/2007 - 08:18

Hi,

Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local           Remote          I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
140   x.x.x.x         y.y.y.y                ACTIVE  des   md5   psk   1   23:48:23
       Connection-id:Engine-id = 140:1(software)
