NAT with IPSEC

Unanswered Question
Apr 2nd, 2008

A router is making an IPsec connection to two different routers over the internet.

Only a single IP, let's say 172.20.18.25, is allowed over the VPN.

Is it possible to NAT the IP to two different IPs, one for each VPN?

Jon Marshall Wed, 04/02/2008 - 03:35

Yes it is, although you don't say which device. Assuming a PIX/ASA, you can use policy NAT.

VPN1 remote subnet = 172.16.5.0/24

VPN2 remote subnet = 192.168.5.0/24

access-list vpn1 permit ip host 172.20.18.25 172.16.5.0 255.255.255.0

access-list vpn2 permit ip host 172.20.18.25 192.168.5.0 255.255.255.0

nat (inside) 2 access-list vpn1

nat (inside) 3 access-list vpn2

global (outside) 2 10.5.1.10

global (outside) 3 10.6.1.10

So when going to VPN1 the host 172.20.18.25 would get translated to 10.5.1.0, and if going to VPN2 the host gets translated to 10.6.1.10.

Last thing to note: in your crypto access-list that defines which traffic to encrypt, you need to refer to the NATted address and not the original one, i.e.

access-list vpnt1 permit ip host 10.5.1.10 172.16.5.0 255.255.255.0

access-list vpnt2 permit ip host 10.6.1.10 192.168.5.0 255.255.255.0

Jon

Muhammad Zeesha... Wed, 04/02/2008 - 04:14

Thanks for your reply.

I'm using a 3825 ISR, so it's an IOS device.

Can you help me out with the configs on the router?
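For reference, the same policy NAT that Jon shows for PIX/ASA, written for an IOS router such as the 3825 mentioned above. This is an added example, not configuration posted by either participant; the ACL, route-map and interface names are assumptions, and the remote subnets and translated addresses are the ones used in Jon's reply. On IOS, inside-to-outside NAT happens before the crypto map is evaluated, so the crypto ACLs match the translated host, exactly as Jon notes.

```cisco
! Policy NAT: one inside host, a different translated address per VPN peer.
! Names (VPN1-NAT, VPN1-RM, ...) and interface numbers are assumed for this example.

! Which destinations count as "VPN1" and "VPN2" traffic (IOS wildcard masks)
ip access-list extended VPN1-NAT
 permit ip host 172.20.18.25 172.16.5.0 0.0.0.255
ip access-list extended VPN2-NAT
 permit ip host 172.20.18.25 192.168.5.0 0.0.0.255

! Route-maps let the same inside address carry two static translations
route-map VPN1-RM permit 10
 match ip address VPN1-NAT
route-map VPN2-RM permit 10
 match ip address VPN2-NAT

! 172.20.18.25 -> 10.5.1.10 when heading to VPN1, -> 10.6.1.10 when heading to VPN2
ip nat inside source static 172.20.18.25 10.5.1.10 route-map VPN1-RM
ip nat inside source static 172.20.18.25 10.6.1.10 route-map VPN2-RM

! Crypto ACLs reference the translated (post-NAT) address, not 172.20.18.25
ip access-list extended VPN1-CRYPTO
 permit ip host 10.5.1.10 172.16.5.0 0.0.0.255
ip access-list extended VPN2-CRYPTO
 permit ip host 10.6.1.10 192.168.5.0 0.0.0.255

! NAT domain assignment (interface names assumed)
interface GigabitEthernet0/0
 description LAN
 ip nat inside
interface GigabitEthernet0/1
 description Internet
 ip nat outside
```

Verify the result with `show ip nat translations` after sending traffic toward each remote subnet: the same inside local should appear with two different inside global addresses.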
