NAT through a VPN

morris.jason
Level 1

OK, here's the situation. I have an 871 that currently terminates 2 VPN tunnels to partners. I'm in the process of connecting to another partner, which would bring the total count to 3. This 3rd partner is requiring me to NAT all the addresses on my network to a different subnet. I've never had to configure NAT through a VPN before and I can't seem to find any documentation on how to do this on Cisco's site. Does anybody have any input or advice?

Jason

1 Reply

JORGE RODRIGUEZ
Level 10

Jason,

This falls under policy NAT. I have done a similar scenario, but on an ASA firewall, where the other end of the tunnel expects that, when the tunnel is established, you appear to them with a pre-defined NAT pool of addresses already configured at their end, thus mapping that pre-defined pool to their destination hosts. Therefore, your side of the tunnel must be NATted to that pool before your source hosts can access the destination hosts.

This is an example on a PIX/ASA firewall.

Assume your source hosts prior to NAT are 10.10.10.0 and the destination host is 20.20.20.1 at the other side of the tunnel.

The NAT pool assigned to you is 30.30.30.0/24.

access-list CLIENT-A-Tunnel permit ip 10.10.10.0 255.255.255.0 host 20.20.20.1

global (outside) ID# 30.30.30.1-30.30.30.254 netmask 255.255.255.0

nat (inside) ID# access-list CLIENT-A-Tunnel

But in IOS I have not seen a specific document like the above PIX/ASA example, but you could apply the example in the link below.

Not exactly, but similarly to the case where your network and the other side of the tunnel have duplicate local LAN addresses at each end; instead you will NAT, or hide if you will, your inside LAN before it hits the other end of the tunnel.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

HTH

Rgds

Jorge

Jorge Rodriguez
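
An IOS counterpart of the PIX/ASA policy NAT in the reply above, added here as an example; it is not part of either post and not taken from the linked Cisco document. The addresses are the reply's sample values; the interface roles, the peer address 192.0.2.1 and every ACL, route-map, pool, transform-set and crypto map name are assumptions to be replaced with your own.

```cisco
! --- Added example: policy NAT toward one VPN partner on an IOS router ---
! All names below are hypothetical; 192.0.2.1 is a placeholder peer address.
!
! 1. Select only the traffic bound for the partner host for translation.
ip access-list extended PARTNER3-NAT
 permit ip 10.10.10.0 0.0.0.255 host 20.20.20.1
!
route-map PARTNER3-NAT permit 10
 match ip address PARTNER3-NAT
!
! 2. Translate that traffic into the pool the partner assigned.
ip nat pool PARTNER3-POOL 30.30.30.1 30.30.30.254 netmask 255.255.255.0
ip nat inside source route-map PARTNER3-NAT pool PARTNER3-POOL
!
! 3. The crypto ACL must match the POST-NAT source. IOS applies
!    inside-to-outside NAT before the crypto map check, so an ACL written
!    with 10.10.10.0 would never match and the traffic would leave
!    unencrypted or be dropped.
ip access-list extended PARTNER3-CRYPTO
 permit ip 30.30.30.0 0.0.0.255 host 20.20.20.1
!
crypto map VPNMAP 30 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set PARTNER3-TS
 match address PARTNER3-CRYPTO
!
! 4. If an existing Internet PAT rule is present, exclude the partner
!    destination from its ACL so this flow is not overloaded onto the
!    WAN address instead (INTERNET-PAT is an assumed ACL name).
ip access-list extended INTERNET-PAT
 deny   ip 10.10.10.0 0.0.0.255 host 20.20.20.1
 permit ip 10.10.10.0 0.0.0.255 any
!
! 5. Mark the interfaces (assumed: Vlan1 is LAN, FastEthernet4 is WAN).
interface Vlan1
 ip nat inside
!
interface FastEthernet4
 ip nat outside
 crypto map VPNMAP
```

A dynamic pool only creates translations for sessions initiated from the inside, so the partner cannot open connections to your hosts through it. After a test ping, `show ip nat translations` should list a 30.30.30.x entry and `show crypto ipsec sa` should show the encapsulation counters for the 30.30.30.0/24 proxy identity increasing.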