Configuring NAT over LAN-to-LAN Between Cisco VPN 3000 and IOS Router

Answered Question
Jul 12th, 2007

Hi,

I have the following document about building a LAN2LAN VPN including NAT.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml

There's no problem doing this with the concentrator. Now I have to configure it on an IOS router, and for that I can't find any information. I have to NAT my private network to one official IP, which has to be tunneled as my local LAN.

Does anyone have documentation about this scenario? I can't find any on CCO.

Thanks for support


Hello.

The concentrators are very friendly units (IMHO) for doing VPNs and VPNs with NAT.

You build an ACL to define the traffic over the VPN (110) based on being NAT'd.

You then create an ACL to define what's NAT'd (111) and create a NAT statement accordingly.

Below is a sample configuration.

!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key vpnsrock!! address x.x.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-3DES-SHA
 match address 110
!
interface Fa0
 ip nat outside
 crypto map VPN
!
!
interface fa1
 ip nat inside
!
ip nat inside source list 111 interface fa0 overload
ip route 0.0.0.0 0.0.0.0 y.y.y.y
access-list 110 permit ip fa0-ip wildcard-mask remote-network wildcard-mask
access-list 111 permit ip local-network wildcard-mask remote-network wildcard-mask
!

Overall Rating: 3 (1 ratings)
Correct Answer
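
As an added example (not part of the original thread), this Python sketch models the ordering the answer relies on: on the inside-to-outside path IOS applies NAT before the crypto map check, so ACL 110 has to match the translated source (fa0-ip), not the local network. The addresses are constructed documentation ranges and the function names are hypothetical; the model covers only `permit ip` entries and interface overload.

```python
import ipaddress

def acl_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are "don't care"."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def permits(acl, src, dst):
    """True if any 'permit ip' entry matches; otherwise the implicit deny applies."""
    return any(acl_match(src, sb, sw) and acl_match(dst, db, dw)
               for sb, sw, db, dw in acl)

def egress(src, dst, nat_acl, crypto_acl, outside_ip):
    """Inside-to-outside path: NAT first, then the crypto map check.

    Returns (source address seen on the outside interface, encrypted?).
    """
    translated = permits(nat_acl, src, dst)
    wire_src = outside_ip if translated else src
    encrypted = permits(crypto_acl, wire_src, dst)
    return wire_src, encrypted

# Constructed sample values, standing in for the placeholders in the post.
FA0_IP = "192.0.2.1"                        # fa0-ip
LOCAL = ("10.1.1.0", "0.0.0.255")           # local-network wildcard-mask
REMOTE = ("198.51.100.0", "0.0.0.255")      # remote-network wildcard-mask

ACL_111 = [LOCAL + REMOTE]                  # what gets NAT'd
ACL_110 = [(FA0_IP, "0.0.0.0") + REMOTE]    # crypto ACL on the post-NAT source
ACL_110_WRONG = [LOCAL + REMOTE]            # crypto ACL on the pre-NAT source

if __name__ == "__main__":
    host, peer_host = "10.1.1.25", "198.51.100.7"
    for label, acl in (("110 matches fa0-ip", ACL_110),
                       ("110 matches local-network", ACL_110_WRONG)):
        wire_src, encrypted = egress(host, peer_host, ACL_111, acl, FA0_IP)
        print(f"{label}: source on wire {wire_src}, encrypted={encrypted}")
```

With the crypto ACL written against the local network, the packet is still translated but never matches the crypto map, so it leaves the outside interface in clear text.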