l2l VPN with NAT on Router

d.eberwein
Level 1

Hello together,

I have a problem with my VPN.

I have an 1811 router and on the other side there is a concentrator (customer).

I want to NAT the inside hosts to one public IP before the tunnel.

I have attached the config. Please have a look at the config and tell me if the config works or if I have a problem.

Thanks a lot.

3 Replies

mattiaseriksson
Level 3

Hi there, it looks ok except that you will most likely have a NAT problem.

You will probably end up NAT:ing all traffic, not only traffic to 10.10.0.0/16.

In order to NAT based on destination addresses you should use route maps like this. From the top of my head:

access-list 108 permit ip any 10.10.0.0 0.0.255.255
route-map NAT-DST permit 10
 match ip address 108
ip nat inside source route-map NAT-DST pool NATPOOL overload

Something like that

timkaye
Level 1

Hi there.

You have created a crypto map called Tunnel, yet applied Tunnelhp.

!
interface FastEthernet0
 no crypto map TUNNELHP
 crypto map TUNNEL

I'd also like more clarification on the first reply.

Tim

@timkaye@empired:

Yes, the names are wrong, I forgot to mention that in my post.

What I tried to explain was that when you do destination-based NAT you should use route-maps, because it will always create an extended translation entry.

That will ensure that the packet will only get NAT'd if it matches the route-map statement, even if there is already a NAT entry for the same local IP address.

NAT with an extended ACL will work in most situations, but it could fail as it sometimes creates only a simple translation entry.
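
A simplified model of the simple versus extended translation entries described in the reply above, added here as an example and not part of any poster's message or of IOS itself. The `NatModel` class, the host and pool addresses are constructed, and keying an extended entry on source plus destination only is an assumption (real extended entries also carry protocol and ports).

```python
import ipaddress

TUNNEL_DST = ipaddress.ip_network("10.10.0.0/16")  # destination from access-list 108
GLOBAL_IP = "203.0.113.10"  # constructed stand-in for the NATPOOL address


class NatModel:
    """Simplified model of inside-source NAT lookups (hypothetical, not IOS code)."""

    def __init__(self, extended):
        self.extended = extended  # True: route-map style entry keyed on src and dst
        self.table = {}           # lookup key -> inside global address

    def _key(self, src, dst):
        # A simple entry only remembers the inside local address.
        return (src, dst) if self.extended else (src,)

    def translate(self, src, dst):
        """Return the source address the packet leaves the router with."""
        key = self._key(src, dst)
        if key in self.table:
            # An existing entry is reused; the ACL or route-map is not re-evaluated.
            return self.table[key]
        if ipaddress.ip_address(dst) in TUNNEL_DST:
            # Policy match (permit ip any 10.10.0.0 0.0.255.255): create an entry.
            self.table[key] = GLOBAL_IP
            return GLOBAL_IP
        return src  # no match and no entry: packet leaves untranslated


def run(extended):
    """Send two flows from one inside host and return their outgoing sources."""
    nat = NatModel(extended)
    flows = [
        ("192.168.1.5", "10.10.3.7"),      # constructed: towards the customer network
        ("192.168.1.5", "198.51.100.20"),  # constructed: same host, other destination
    ]
    return [nat.translate(src, dst) for src, dst in flows]


if __name__ == "__main__":
    print("simple entry  :", run(extended=False))
    print("extended entry:", run(extended=True))
```

With a simple entry the second flow is translated even though its destination is outside 10.10.0.0/16; with an extended entry it leaves with its original source address.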
