l2l VPN with NAT on Router

d.eberwein
Level 1

Hello together,

I have a problem with my VPN.

I have an 1811 router, and on the other side there is a concentrator (customer).

I want to NAT the inside hosts to one public IP before the tunnel.

I have attached the config. Please have a look at the config and tell me whether the config works or whether I have a problem.

Thanks a lot.

3 Replies

mattiaseriksson
Level 3

Hi there, it looks ok except that you will most likely have a NAT problem.

You will probably end up NAT:ing all traffic, not only traffic to 10.10.0.0/16.

In order to NAT based on destination addresses you should use route maps like this. From the top of my head:

access-list 108 permit ip any 10.10.0.0 0.0.255.255

route-map NAT-DST permit 10

match ip address 108

ip nat inside source route-map NAT-DST pool NATPOOL overload

Something like that

timkaye
Level 1

Hi there.

You have created a crypto map called Tunnel, yet applied Tunnelhp.

!

interface FastEthernet0

no crypto map TUNNELHP

crypto map TUNNEL

I'd also like more clarification on the first reply.

Tim

@timkaye@empired:

Yes, the names are wrong, I forgot to mention that in my post.

What I tried to explain was that when you do destination-based NAT you should use route-maps, because it will always create an extended translation entry.

That will ensure that the packet will only get NAT'd if it matches the route-map statement, even if there is already a NAT entry for the same local IP address.

NAT with an extended ACL will work in most situations, but it could fail as it sometimes creates only a simple translation entry.
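
The difference between a simple and an extended translation entry, as described in the last reply, shown as a simplified model. This is an added example, not code from the thread and not how IOS is implemented; the host addresses, the public address and the `NatTable` class are constructed for illustration, and only the 10.10.0.0/16 destination comes from the thread.

```python
import ipaddress

VPN_DST = ipaddress.ip_network("10.10.0.0/16")  # destination from access-list 108 in the thread
NAT_GLOBAL = "203.0.113.10"                     # constructed public address (documentation range)


class NatTable:
    """Toy inside-source NAT: existing entries are consulted before the match rule."""

    def __init__(self, extended):
        self.extended = extended  # True: entries keyed on (source, destination)
        self.entries = {}         # key -> translated source address

    def _key(self, src, dst):
        # A simple entry remembers only the inside local address;
        # an extended entry also remembers the destination.
        return (src, dst) if self.extended else (src, None)

    def translate(self, src, dst):
        """Return the source address the packet leaves with."""
        key = self._key(src, dst)
        if key in self.entries:
            # An existing entry is reused without re-checking the rule.
            return self.entries[key]
        if ipaddress.ip_address(dst) in VPN_DST:
            # Rule equivalent to: permit ip any 10.10.0.0 0.0.255.255
            self.entries[key] = NAT_GLOBAL
            return NAT_GLOBAL
        return src  # no match: packet leaves untranslated


def run(extended):
    """Send two flows from one host and return the source address each leaves with."""
    table = NatTable(extended)
    flows = [
        ("192.168.1.20", "10.10.5.1"),     # constructed: host to the customer network
        ("192.168.1.20", "198.51.100.7"),  # constructed: same host, unrelated destination
    ]
    return [table.translate(src, dst) for src, dst in flows]


if __name__ == "__main__":
    print("simple entry  :", run(extended=False))
    print("extended entry:", run(extended=True))
```

With a simple entry the second flow reuses the translation created by the first and is NAT'd even though its destination is outside 10.10.0.0/16; with an extended entry it leaves untranslated.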