l2l VPN with NAT on Router


Hello together,

I have a problem with my VPN.

I have an 1811 router and on the other side there is a concentrator (customer).

I want to NAT the inside hosts to one public IP before the tunnel.

I have attached the config. Please have a look at the config and answer me if the config works or if I have a problem.

Thanks a lot.

Attachment: 
mattiaseriksson Thu, 07/12/2007 - 14:05

Hi there, it looks ok except that you will most likely have a NAT problem.

You will probably end up NATing all traffic, not only traffic to 10.10.0.0/16.

In order to NAT based on destination addresses you should use route maps like this. From the top of my head:

access-list 108 permit ip any 10.10.0.0 0.0.255.255
! only traffic destined for 10.10.0.0/16 is a candidate for translation
route-map NAT-DST permit 10
 match ip address 108
! the route-map (not a bare ACL) drives the translation so extended entries are created
ip nat inside source route-map NAT-DST pool NATPOOL overload

Something like that.

mattiaseriksson Fri, 07/13/2007 - 02:02

@[email protected]:

Yes, the names are wrong, I forgot to mention that in my post.

What I tried to explain was that when you do destination-based NAT you should use route-maps, because it will always create an extended translation entry.

That will ensure that the packet will only get NAT'd if it matches the route-map statement, even if there is already a NAT entry for the same local IP address.

NAT with an extended ACL will work in most situations, but it could fail as it sometimes creates only a simple translation entry.
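As an added illustration, not part of the thread, here is a small Python model of the difference the reply describes: a simple translation entry keyed on the inside-local address alone, versus an extended entry keyed on the whole flow. The host addresses, the public IP 203.0.113.1 and the packets are constructed; it models the behaviour the reply attributes to IOS, not IOS itself.

```python
import ipaddress
from dataclasses import dataclass, field

INSIDE_GLOBAL = "203.0.113.1"                    # constructed: the one public IP in NATPOOL
NAT_DST = ipaddress.ip_network("10.10.0.0/16")   # destination matched by access-list 108


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass
class Nat:
    extended: bool            # True models route-map NAT (extended entries), False a bare ACL
    table: dict = field(default_factory=dict)

    def _key(self, p: Packet):
        # simple entry: inside-local address only; extended entry: the full flow
        if self.extended:
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return p.src

    def translate(self, p: Packet) -> str:
        """Return the source address the packet leaves with."""
        key = self._key(p)
        if key in self.table:
            # an existing entry is used before the ACL / route-map is consulted
            return self.table[key]
        if ipaddress.ip_address(p.dst) in NAT_DST:
            self.table[key] = INSIDE_GLOBAL
            return INSIDE_GLOBAL
        return p.src          # no match: forwarded untranslated


def run(extended: bool) -> list:
    """Send two constructed flows from one inside host; only the first should be NATed."""
    nat = Nat(extended)
    flows = [
        Packet("192.168.1.10", "10.10.5.5", 40000, 443),      # to the customer site
        Packet("192.168.1.10", "198.51.100.7", 40001, 80),    # elsewhere, outside the tunnel
    ]
    return [nat.translate(p) for p in flows]
```

With the simple entry the second flow is also translated because the table hit for 192.168.1.10 wins; with the extended entry the second flow is left untouched.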
