07-05-2007 09:59 PM - edited 03-03-2019 05:44 PM
Hi,
We enable the VPN and NAT on the same router. We would like the following:
1. 192.168.16.0/24 can NAT to outside internet (using x.x.x.x overload)
2. 192.168.16.0/24 can access 192.168.32.0/24 to TW office via VPN
For details, please refer to the config file. The VPN is working if we use extended ping.
We find that 192.168.16.0/24 always goes to Gi 0/0 if we access the 192.168.32.0/32 network. Anything missing in my config? Please advise.
Best regards
---
!
!
crypto map mymap 101 ipsec-isakmp
description VPN to TW office
set peer 201.x.x.x
set transform-set myset
match address 101
!
interface GigabitEthernet0/0
ip nat outside
crypto map mymap
!
interface GigabitEthernet0/2
ip address 192.168.16.1 255.255.255.0
ip nat inside
!
ip nat pool NAT x.x.x.x x.x.x.x netmask 255.255.255.224
ip nat inside source route-map nonat pool NAT overload
access-list 100 deny ip 192.168.16.0 0.0.0.255 192.168.16.0 0.255.255.255
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 101 permit ip 192.168.16.0 0.0.0.255 192.168.32.0 0.0.0.255
route-map nonat permit 10
match ip address 100
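The following is an added example, not part of the original post or the poster's configuration. It is a small evaluator for IOS-style wildcard-mask ACLs that traces what the posted route-map ACL 100 and crypto ACL 101 do to a LAN flow under the IOS inside-to-outside order of operations, in which the NAT inside-to-outside translation is applied before the crypto map on the outside interface is matched. The ACL contents and the 192.168.16.0/24 to 192.168.32.0/24 flow come from the posted config; the host addresses, the 198.51.100.10 stand-in for the x.x.x.x pool, and the simplified "vpn / clear-internet" path model are constructed assumptions.

```python
"""
Added example (not from the original post): trace a LAN packet through the
posted NAT route-map ACL and crypto ACL, applying the IOS inside-to-outside
order of operations (NAT translation first, crypto map check second).
Host addresses and the public NAT address are constructed sample values.
"""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored.

    The base is masked too, so a non-normalized entry such as
    '192.168.16.0 0.255.255.255' behaves as IOS would store it
    ('192.0.0.0 0.255.255.255').
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


# An ACE is (action, src, src_wildcard, dst, dst_wildcard); "any" is 0.0.0.0 255.255.255.255
ANY = ("0.0.0.0", "255.255.255.255")


def acl_lookup(acl, src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny at the end, as on IOS."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


# access-list 100 exactly as it appears in the posted config (route-map 'nonat')
ACL100_AS_POSTED = [
    ("deny", "192.168.16.0", "0.0.0.255", "192.168.16.0", "0.255.255.255"),
    ("permit", "192.168.16.0", "0.0.0.255", *ANY),
]

# The usual form of a NAT exemption: deny only the VPN-protected destination subnet
ACL100_TIGHTENED = [
    ("deny", "192.168.16.0", "0.0.0.255", "192.168.32.0", "0.0.0.255"),
    ("permit", "192.168.16.0", "0.0.0.255", *ANY),
]

# A route-map ACL with no exemption at all, to show the classic failure mode
ACL100_NO_EXEMPTION = [
    ("permit", "192.168.16.0", "0.0.0.255", *ANY),
]

# access-list 101, the crypto ACL referenced by 'crypto map mymap 101'
ACL101 = [
    ("permit", "192.168.16.0", "0.0.0.255", "192.168.32.0", "0.0.0.255"),
]

PUBLIC_NAT_ADDR = "198.51.100.10"  # constructed stand-in for the x.x.x.x pool address


def outbound_path(nat_acl, src: str, dst: str):
    """Return (source address on the wire, path) for a packet leaving Gi0/0.

    Inside-to-outside on IOS: the route-map ACL decides whether the source
    is translated, and only then is the crypto map matched against the
    (possibly translated) packet. A translated source no longer matches
    ACL 101, so the packet is routed to the Internet unencrypted.
    """
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = PUBLIC_NAT_ADDR
    path = "vpn" if acl_lookup(ACL101, src, dst) == "permit" else "clear-internet"
    return src, path


def demo():
    """Constructed sample flows: a LAN host to the TW office and to a public host."""
    lan_host, tw_host, web_host = "192.168.16.10", "192.168.32.10", "192.0.2.80"
    return {
        "posted_to_tw": outbound_path(ACL100_AS_POSTED, lan_host, tw_host),
        "posted_to_web": outbound_path(ACL100_AS_POSTED, lan_host, web_host),
        "tight_to_tw": outbound_path(ACL100_TIGHTENED, lan_host, tw_host),
        "tight_to_web": outbound_path(ACL100_TIGHTENED, lan_host, web_host),
        "no_exempt_to_tw": outbound_path(ACL100_NO_EXEMPTION, lan_host, tw_host),
    }


if __name__ == "__main__":
    for name, (wire_src, path) in demo().items():
        print(f"{name:16s} source on wire={wire_src:14s} path={path}")
```

Two things the trace makes visible. First, because the posted deny entry uses the wildcard 0.255.255.255, it exempts every destination whose first octet is 192 from NAT, not just 192.168.32.0/24, so a packet to a public 192.x.x.x host would leave Gi0/0 untranslated with its private source; the tightened entry exempts only the VPN subnet. Second, with no exemption at all, traffic for 192.168.32.0/24 is translated to the pool address before the crypto map is consulted, no longer matches ACL 101, and is sent toward the Internet in the clear instead of through the tunnel, which is why a NAT exemption for crypto-protected traffic is always needed when NAT and a crypto map share the outside interface.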
07-05-2007 10:20 PM
This is absolutely fine. You have only one link and you are setting up the VPN over the Internet to the TW office. Any traffic which leaves for the Internet or the VPN will always go via Gig 0/0, as that is your outside-facing link.
If you have any other link on the router then you can use PBR to have internet traffic go via one link and the VPN traffic go via another link.
HTH. Please rate if it does.
-amit singh
07-06-2007 06:53 AM
Hi, there is one Internet link (gi ethernet)
We would like:
A. 192.168.16.0 --> 192.168.32.0 --> gi ether ----> VPN
B. 192.168.16.0 --> www.yahoo.com ---> gi eth -----> internet
Currently, "A" is not working. It seems that it goes "B" no matter what the destination IP address is.
Any advice?
07-06-2007 07:07 AM
What I can get from the above post is that you are able to go to the internet but unable to connect to the TW office, is that correct?
If yes, what does the output of "show crypto isakmp sa" tell you on the routers at both your end and the TW end? It seems that your VPN is not working to the TW site. Please paste the output of "show crypto map" as well.
HTH,
-amit singh
07-06-2007 08:18 AM
Hi,
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
140 x.x.x.x y.y.y.y ACTIVE des md5 psk 1 23:48:23
Connection-id:Engine-id = 140:1(software)