Cisco IOS router, Hide Internal subnet in a new ip pool. NAT Before IPSEC

r.deussen
Level 1

Hello All,

I would like to create the following setup;

My internal LANs are:

192.168.1.0 255.255.255.0

192.168.2.0 255.255.255.0

I need to connect to this VPN network;

172.26.222.0 255.255.255.224

With my own assigned IP Range:

172.26.226.145 255.255.255.248

So I need to hide my internal net:

192.168.1.0 / 24

192.168.2.0 / 24

behind;

172.26.226.144 255.255.255.248

if I need to reach:

172.26.222.0 255.255.255.224

without disturbing any;

Internet traffic

(there is a NAT overload defined:)

ip nat inside source list 12 interface Dialer0 overload

access-list 12 defines some denies for the current VPN traffic and a permit for internal LAN to Internet.

I was thinking of doing this with a route-map?

ip nat inside source route-map VPN interface Dialer0 overload

ip nat inside source static network 192.168.1.0 0.0.0.255 172.26.226.144 0.0.0.7 route-map VPN extendable

and

ip nat inside source static network 192.168.2.0 0.0.0.255 172.26.226.144 0.0.0.7 route-map VPN extendable

access-list 144 deny ip 172.26.226.144 0.0.0.7 172.26.222.0 0.0.0.31

access-list 144 deny ip 172.26.222.0 0.0.0.31 172.26.226.144 0.0.0.7

access-list 144 permit ip 192.168.1.0 0.0.0.255 any

access-list 144 permit ip 192.168.2.0 0.0.0.255 any

route-map VPN permit 10

match ip address 144

Does anybody have some experience doing so?

Thanks in advance for any answer.

Regards,

Ralph
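As an added example (not from the original post), a small Python model of Cisco wildcard-mask ACL matching, applied to ACL 144 as written above and to a constructed variant. It shows the point a practitioner would check first: an inside-source NAT ACL is evaluated against the pre-translation source, so deny lines whose source is the 172.26.226.144/29 pool never match a packet that still carries a 192.168.x.x address. The flow addresses are constructed for the test.

```python
import ipaddress
from typing import Dict, List, Tuple

# Cisco-style ACL entry: (action, src, src_wildcard, dst, dst_wildcard)
Ace = Tuple[str, str, str, str, str]

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_action(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

# ACL 144 as proposed in the post (wildcard 0.0.07 read as 0.0.0.7).
ACL_144: List[Ace] = [
    ("deny",   "172.26.226.144", "0.0.0.7",   "172.26.222.0",   "0.0.0.31"),
    ("deny",   "172.26.222.0",   "0.0.0.31",  "172.26.226.144", "0.0.0.7"),
    ("permit", "192.168.1.0",    "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    ("permit", "192.168.2.0",    "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]

# Constructed variant: the exemption names the inside (pre-NAT) 192.168.x.x
# sources, which is what an inside-source NAT rule actually sees.
ACL_EXEMPT_VPN: List[Ace] = [
    ("deny",   "192.168.1.0", "0.0.0.255", "172.26.222.0", "0.0.0.31"),
    ("deny",   "192.168.2.0", "0.0.0.255", "172.26.222.0", "0.0.0.31"),
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    ("permit", "192.168.2.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]

def classify(acl: List[Ace]) -> Dict[str, str]:
    """Constructed flows: one LAN host to the VPN subnet, one to the Internet."""
    flows = {"vpn": ("192.168.1.10", "172.26.222.5"),
             "internet": ("192.168.2.20", "203.0.113.9")}
    return {name: acl_action(acl, s, d) for name, (s, d) in flows.items()}

if __name__ == "__main__":
    print("ACL 144:", classify(ACL_144))          # both flows permitted
    print("exempt:", classify(ACL_EXEMPT_VPN))    # vpn denied, internet permitted
```

With ACL 144 both flows hit the same permit, so the route-map cannot separate VPN-bound traffic from Internet traffic; the variant denies the VPN flow in the overload ACL so it can be handled by a separate rule.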

1 Reply

htarra
Level 4

For creating a VPN between two sites you need public IPs on both sides. 172.26.x.x is a private network IP and cannot be used for VPN if it is over the Internet. The internal network 192.168.x.x can be hidden using a firewall or access lists.