VPN and NAT on 871

richard-o (Level 1)

Hello,

I'm having issues establishing a VPN on an 871 through a NAT.

The 871 goes through an ISP to another router across the internet. It has 4 VLANs configured, and the goal is to VPN one to a network through the internet. Obviously, being the internet, the private addresses are all running through NAT on Fa4 (the WAN port on the 871).

In a test setup, I can successfully perform NAT, or the VPN but not both at the same time. The NAT seems to take precedence over the crypto map.

I've tried setting this up with both CLI and SDM, but neither way seems to work. Config below with working VPN but NAT turned off.

hostname Router1
!
resource policy
!
no ip source-route
ip cef
!
no ip domain lookup
!
crypto isakmp policy 1
 encr des
 authentication pre-share
 group 1
!
crypto isakmp key testkey address 172.16.0.3
!
crypto ipsec transform-set VPN1 ah-md5-hmac esp-des
!
crypto map VPN 1 ipsec-isakmp
 set peer 172.16.0.3
 set transform-set VPN1
 set pfs group1
 match address 103
!
interface FastEthernet0
 switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description WAN
 ip address 172.16.0.254 255.255.255.0
 duplex auto
 speed auto
 crypto map VPN
!
interface Vlan1
 description INTERNAL_MGMT
 ip address 192.168.1.5 255.255.255.0
!
interface Vlan10
 description DATA_AND_VIDEO
 ip address 10.31.255.252 255.240.0.0
!
interface Vlan90
 description VOIP
 ip address 10.32.0.252 255.240.0.0
!
interface Vlan100
 description EXT_MGMT
 ip address 10.48.0.252 255.240.0.0
!
ip route 0.0.0.0 0.0.0.0 172.16.0.3
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging trap debugging
access-list 103 permit ip 10.48.0.0 0.15.255.255 host 203.0.0.1
!
control-plane
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login local
!

1 Reply

richard-o (Level 1)

I finally coaxed SDM into making it work. Of course it worked after excluding the desired VPN network from NAT.

What are my options with these things?
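The NAT exemption the reply describes, written out as an added example that is not part of the original post: on IOS, inside-to-outside packets are translated before the crypto map is evaluated, so the NAT access list must deny the crypto-interesting traffic before permitting everything else; the VPN packets then reach the crypto map untranslated and still match access-list 103. ACL number 101, the choice of Vlan100 (10.48.0.0/12) as the tunnelled network and the inside/outside roles of the interfaces are assumptions.

```cisco
! Added example (not from the original post): keep VPN traffic out of NAT so
! the crypto map on FastEthernet4 still sees the private source addresses.
! Assumes ACL 101 is free and that all four VLANs are "inside" networks.
!
! 1. NAT ACL: deny the crypto-interesting flow FIRST, then permit the rest.
!    Without the deny line the source is translated to 172.16.0.254 and
!    no longer matches crypto ACL 103, so the tunnel never triggers.
access-list 101 deny   ip 10.48.0.0 0.15.255.255 host 203.0.0.1
access-list 101 permit ip 10.48.0.0 0.15.255.255 any
access-list 101 permit ip 10.16.0.0 0.15.255.255 any
access-list 101 permit ip 10.32.0.0 0.15.255.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
! 2. PAT everything still permitted by ACL 101 onto the WAN address.
ip nat inside source list 101 interface FastEthernet4 overload
!
! 3. Mark inside and outside interfaces; the crypto map stays on the WAN port.
interface Vlan1
 ip nat inside
interface Vlan10
 ip nat inside
interface Vlan90
 ip nat inside
interface Vlan100
 ip nat inside
interface FastEthernet4
 ip nat outside
 crypto map VPN
!
! 4. Verify: traffic to 203.0.0.1 should count against the deny entry of
!    ACL 101 and show up in the IPsec SA counters, not in the NAT table.
! show access-lists 101
! show crypto ipsec sa
! show ip nat translations
```

Separately, the posted ISAKMP policy uses DES and DH group 1, both of which are deprecated; a practitioner would move to AES and a larger DH group as soon as the peer supports it.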
