
NAT with IPSEC

A router is making an IPsec connection to two different routers over the Internet.

Only a single IP, let's say 172.20.18.25, is allowed over the VPN.

Is it possible to NAT the IP to two different IPs, one for each VPN?


Jon Marshall
Hall of Fame

Yes it is, although you don't say which device. Assuming a PIX/ASA, you can use policy NAT.

VPN1 remote subnet = 172.16.5.0/24

VPN2 remote subnet = 192.168.5.0/24

access-list vpn1 permit ip host 172.20.18.25 172.16.5.0 255.255.255.0

access-list vpn2 permit ip host 172.20.18.25 192.168.5.0 255.255.255.0

nat (inside) 2 access-list vpn1

nat (inside) 3 access-list vpn2

global (outside) 2 10.5.1.10

global (outside) 3 10.6.1.10

So when going to VPN1 the host 172.20.18.25 would get translated to 10.5.1.0, and when going to VPN2 the host gets translated to 10.6.1.10.

Last thing to note: in your crypto access-list that defines which traffic to encrypt, you need to refer to the NATted address and not the original one, i.e.

access-list vpnt1 permit ip host 10.5.1.10 172.16.5.0 255.255.255.0

access-list vpnt2 permit ip host 10.6.1.10 192.168.5.0 255.255.255.0

Jon

Thanks for your reply.

I'm using a 3825 ISR, so it's an IOS device.

Can you help me out with the configs on the router?