Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
345
Views
0
Helpful
4
Replies

NAT and VPN

leungcm
Level 1
Level 1

‎07-05-2007 09:59 PM - edited ‎03-03-2019 05:44 PM

Hi,

We enable the VPN and NAT on the same route. we would like following:

1. 192.168.16.0/24 can NAT to outside internet (using x.x.x.x overload)

2. 192.168.16.0/24 can access 192.168.32.0/24 to TW office via VPN

detail please refer the config file. The VPN is working if we use extend ping

we find that 192.168.16.0/24 always goes to Gi 0/0 if we access 192.168.32.0/32 network. Anything missing in my config? please advise.

Best regards

---

!

!

crypto map mymap 101 ipsec-isakmp

description VPN to TW office

set peer 201.x.x.x

set transform-set myset

match address 101

!

interface GigabitEthernet0/0

ip nat outside

crypto map mymap

!

interface GigabitEthernet0/2

ip address 192.168.16.1 255.255.255.0

ip nat inside

!

ip nat pool NAT x.x.x.x x.x.x.x netmask 255.255.255.224

ip nat inside source route-map nonat pool NAT overload

access-list 100 deny ip 192.168.16.0 0.0.0.255 192.168.16.0 0.255.255.255

access-list 100 permit ip 192.168.16.0 0.0.0.255 any

access-list 101 permit ip 192.168.16.0 0.0.0.255 192.168.32.0 0.0.0.255

route-map nonat permit 10

match ip address 100

Labels:
0 Helpful
4 Replies 4

Amit Singh
Cisco Employee
Cisco Employee

‎07-05-2007 10:20 PM

This is abosultely fine. You have only one link and you are setting up VPN over the internet to TW office. Any traffic which will leave for the internet or VPN will always for Via Gig 0/0 as that is the your outside facing link.

If you have any other link on the router then you can use PBR to have internet traffic go via one link and the VPN traffic go via another link.

HTH,Please rate if it does.

-amit singh

0 Helpful

leungcm
Level 1
Level 1
In response to Amit Singh

‎07-06-2007 06:53 AM

Hi, there is one Internet link (gi ethernet)

We would like:

A. 192.168.16.0 --> 192.168.32.0 --> gi ether ----> VPN

B. 192.168.16.0 --> www.yahoo.com ---> gi eth -----> internet

currently, "A" is not working, It seems that it goes "B" no matter what destionation IP address.

any advise?

0 Helpful

Amit Singh
Cisco Employee
Cisco Employee
In response to leungcm

‎07-06-2007 07:07 AM

What I can get from the above post is that you are able to go to the internet but unable to connect to the TW office, is that correct?

If yes, What does the output " show crypto isakmp sa " tells you on routers both your end and TW end. It seems that your VPN is not working to the TW site. Please paste the output of " Show crypto map " as well.

HTH,

-amit singh

0 Helpful

leungcm
Level 1
Level 1
In response to Amit Singh

‎07-06-2007 08:18 AM

Hi,

Codes: C - IKE configuration mode, D - Dead Peer Detection

K - Keepalives, N - NAT-traversal

X - IKE Extended Authentication

psk - Preshared key, rsig - RSA signature

renc - RSA encryption

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

140 x.x.x.x y.y.y.y ACTIVE des md5 psk 1 23:48:23

Connection-id:Engine-id = 140:1(software)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card