
NAT between 2 networks due to same IP range

whiteford
Level 1

Hi,

We have just set up a VPN (well, almost) between my office in the UK and our US office. We need to connect to resources on the US side from the UK.

The US team have provided the equipment to do this; the problem is we have a few networks on our side that are in the same IP range as the US, so we wondered if we could NAT the UK traffic to a range that none of us have. Here is the setup:

2 external IPs, one connects to a firewall's outside port, the other to another firewall's outside port (we have 2 firewalls for redundancy). The inside ports of the firewalls connect to an 1811 router (FastEthernet 2 and 3). The 1811 router's FastEthernet 1 port connects to our LAN and has an IP of 192.168.17.1. We route the UK traffic that needs the US resources to 192.168.17.1.

Can we NAT all our traffic that passes through the LAN port on the 1811 to an IP NAT pool so the US see our traffic as one range? I assume it would have to be the range of the 1811 LAN port (192.168.17.0/24)?

That way the US only see us from one range that doesn't clash with their subnets.

7 Replies

Edison Ortiz
Hall of Fame

Sure, I've done this before. This document explains it clearly, just eliminate the IPSec config.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

Thanks, but I don't have any control over the 1811 config. I will need to email the US about the possibility that we can NAT our UK traffic; could you just paste the bit I need to change and I will email it to them? This is all new to me.

Or/also:

If they are not prepared to change their config, could I use my spare 1841 Cisco router and put it between the 1811 and our LAN, so the inside is our LAN and the outside is the 1811?

Both sides need the NAT config. At the US side, you can NAT 192.168.17.0/24 to 192.168.117.0/24 with the following commands:

At the ingress interface:

int f0/0
 ip nat inside

At the egress interface:

int s0/0
 ip nat outside

The NAT command:

ip nat inside source static network 192.168.17.0 192.168.117.0 /24 no-alias

You will need to do the same in the UK, you can use 192.168.217.0/24

Replace all instances of 192.168.117.0/24 with 192.168.217.0/24 in the above config.

You need routes (either dynamic or static) pointing to those networks. From the US, you need a route to 192.168.217.0/24 pointing the UK and from the UK you need a route to 192.168.117.0/24 pointing to the US.

Keep in mind, to the US the 17.0 network at the UK is now 192.168.217.0/24 and cannot be referenced as 192.168.17.0; the same idea lies behind devices being referenced from the UK to the US.

HTH,

Andy
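The address views described above can be traced end to end. The following is an added example written for this page, not code from the thread or from Cisco: a small Python model of what "ip nat inside source static network" does on each router (rewrite the source on the way out, the destination on the way in) and a trace of a request and its reply across both sites. The host addresses 192.168.17.10 (UK) and 192.168.17.20 (US) are made up for the trace; the /24 ranges are the ones from the reply above.

```python
"""Trace a packet through two-sided static network NAT (constructed model)."""
from ipaddress import IPv4Address, IPv4Network


def shift(addr: str, from_net: IPv4Network, to_net: IPv4Network) -> str:
    """Rewrite addr from from_net to the same host offset inside to_net.
    This is the per-packet effect of 'ip nat inside source static network
    <from> <to> /24'; an address outside from_net is left untouched."""
    a = IPv4Address(addr)
    if a not in from_net:
        return addr
    offset = int(a) - int(from_net.network_address)
    return str(IPv4Address(int(to_net.network_address) + offset))


class NatRouter:
    """One site's router: its real (inside) /24 and the global /24 it is shown as."""

    def __init__(self, name: str, local: str, global_: str):
        self.name = name
        self.local = IPv4Network(local)
        self.global_ = IPv4Network(global_)

    def inside_to_outside(self, pkt: dict) -> dict:
        # traffic leaving the site: only the source address is rewritten
        return {**pkt, "src": shift(pkt["src"], self.local, self.global_)}

    def outside_to_inside(self, pkt: dict) -> dict:
        # traffic entering the site: only the destination address is rewritten
        return {**pkt, "dst": shift(pkt["dst"], self.global_, self.local)}

    def leaves_site(self, pkt: dict) -> bool:
        """True if the router forwards the packet towards the far side. A
        destination inside the site's own real /24 is delivered locally and
        never reaches the NAT, which is why the far side must always be
        addressed by its global range (192.168.117.x / 192.168.217.x)."""
        return IPv4Address(pkt["dst"]) not in self.local


# Ranges from the reply above: both sites really use 192.168.17.0/24.
UK = NatRouter("UK", "192.168.17.0/24", "192.168.217.0/24")
US = NatRouter("US", "192.168.17.0/24", "192.168.117.0/24")


def trace(uk_host: str, us_host_global: str) -> dict:
    """Return the (src, dst) pair as seen at each hop of a request and its reply."""
    hops = {}
    req = {"src": uk_host, "dst": us_host_global}
    hops["uk_lan"] = req
    if not UK.leaves_site(req):
        hops["dropped"] = "destination looks local to the UK router"
        return hops
    req = UK.inside_to_outside(req)       # UK 1811: 192.168.17.x -> 192.168.217.x
    hops["tunnel_out"] = req
    req = US.outside_to_inside(req)       # US router: 192.168.117.x -> 192.168.17.x
    hops["us_lan"] = req
    rep = {"src": req["dst"], "dst": req["src"]}   # the US host answers what it saw
    rep = US.inside_to_outside(rep)       # US router: 192.168.17.x -> 192.168.117.x
    hops["tunnel_back"] = rep
    rep = UK.outside_to_inside(rep)       # UK 1811: 192.168.217.x -> 192.168.17.x
    hops["uk_host_sees"] = rep
    return hops


if __name__ == "__main__":
    for hop, view in trace("192.168.17.10", "192.168.117.20").items():
        print(f"{hop:14} {view}")
    print(trace("192.168.17.10", "192.168.17.20"))   # wrong: real US address
```

The trace shows the two facts the reply above insists on: on the tunnel the packet carries only the 117/217 addresses, so those are the networks each side's route must point at, and a UK host that tries the US host's real 192.168.17.20 never leaves the UK LAN because that destination is on-link for the UK router.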

I'm still a little unclear what you are trying to do.

If you want to NAT all your internal traffic to 192.168.17.x then please see config from previous post.

What are the networks you need to access in the US ? Whatever the subnets are just add them to the access-list in the previous post.

You will only need to do something different if you need to talk to a machine in the US that has the same IP address as a machine in the UK but so far you haven't said that is a requirement.

Jon

Hi Jon, sorry, I couldn't locate my other post via my BlackBerry.

It really is that simple: we really don't want our networks to clash, so we just want to NAT all the UK traffic on the UK 1811 that also builds the tunnel from the UK to the US.

The 1811 just connects to our UK LAN, so anything through the LAN port to the US can use an IP NAT pool, so the US will only see one range from the UK.

I have another idea, as the US team control the 1811. I have a spare 1841 router; can I somehow put the inside port of the 1811 into the 1841 and then the inside of the 1841 into our LAN and get this to do all the NATs? Then the US can leave their router and this other router can just do the NAT.

If the US are reluctant to change anything on their 1811 router, is it possible to put the inside LAN port from that into the outside of my spare 1841, then put the 1841 into our LAN to do the NAT? Is this config OK for this scenario?

Current configuration : 1684 bytes
!
! Last configuration change at 14:31:17 London Mon Aug 6 2007
! NVRAM config last updated at 14:31:18 London Mon Aug 6 2007
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NATrouter1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
!
no ip domain lookup
ip domain name yourdomain.com
!
username ********* privilege 15 password 7 ********
!
interface FastEthernet0/0
 description *** LAN INTERFACE ***
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description ** OUTSIDE INTERFACE TO US 1811 Router **
 ! The 1811's LAN port already holds 192.168.17.1 (see the original post),
 ! so this side needs a different address in that /24; .2 is assumed free.
 ip address 192.168.17.2 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.9.254
! The US subnet is reached through the 1811's LAN port. Without this route
! the default above would send US-bound traffic back into the UK LAN.
ip route 170.50.10.0 255.255.255.0 192.168.17.1
!
ip http server
ip http authentication local
ip http timeout-policy idle 600 life 86400 requests 10000
! The pool is drawn from the inside subnet, so the 1811 must have a route
! to 192.168.9.0/24 via 192.168.17.2 for return traffic to get back here.
ip nat pool UKpool 192.168.9.2 192.168.9.250 netmask 255.255.255.0
ip nat inside source list 101 pool UKpool
!
! Extended ACLs take a wildcard mask: 0.0.0.255 selects 170.50.10.0/24
! (a subnet mask of 255.255.255.0 in this position matches all of 170.0.0.0/8).
access-list 101 permit ip any 170.50.10.0 0.0.0.255
snmp-server community ******** RO
snmp-server host 192.168.x.x *****
!
control-plane
!
line con 0
 password *********
 login
line aux 0
line vty 0 4
 privilege level 15
 password *******
 login
 transport input telnet
line vty 5 15
 privilege level 15
 password ******
 login local
 transport input telnet
!
end

Andy

Yes, you can do this. Your access-list 101 does not look right though. Are you saying that you want all traffic, wherever it is going, to be NATted to 192.168.9.2 -> 250?

If so

access-list 101 permit ip any any

If not let me know

HTH

Jon
