04-02-2008 12:29 AM - edited 02-21-2020 03:38 PM
A router is making an IPsec connection to two different routers over the internet.
Only a single IP, let's say 172.20.18.25, is allowed over the VPN.
Is it possible to NAT the IP to two different IPs for each VPN?
04-02-2008 03:35 AM
Yes it is, although you don't say which device. Assuming a PIX/ASA, you can use policy NAT.
VPN1 remote subnet = 172.16.5.0/24
VPN2 remote subnet = 192.168.5.0/24
access-list vpn1 permit ip host 172.20.18.25 172.16.5.0 255.255.255.0
access-list vpn2 permit ip host 172.20.18.25 192.168.5.0 255.255.255.0
nat (inside) 2 access-list vpn1
nat (inside) 3 access-list vpn2
global (outside) 2 10.5.1.10
global (outside) 3 10.6.1.10
So when going to VPN1 the host 172.20.18.25 would get translated to 10.5.1.0, and if going to VPN2 the host gets translated to 10.6.1.10.
Last thing to note: in your crypto access-list that defines which traffic to encrypt, you need to refer to the NATted address and not the original one, i.e.
access-list vpnt1 permit ip host 10.5.1.10 172.16.5.0 255.255.255.0
access-list vpnt2 permit ip host 10.6.1.10 192.168.5.0 255.255.255.0
Jon
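A consistency check for the configuration in the reply above, as an added example that is not part of the original post: it parses the posted lines, applies the policy NAT per destination, and confirms that a crypto ACL selects the flow only when it names the translated address. The function names and the destination hosts used to exercise it are assumptions made for illustration.

```python
import ipaddress

# Configuration lines copied from the reply above (policy NAT plus crypto ACLs).
CONFIG = """\
access-list vpn1 permit ip host 172.20.18.25 172.16.5.0 255.255.255.0
access-list vpn2 permit ip host 172.20.18.25 192.168.5.0 255.255.255.0
nat (inside) 2 access-list vpn1
nat (inside) 3 access-list vpn2
global (outside) 2 10.5.1.10
global (outside) 3 10.6.1.10
access-list vpnt1 permit ip host 10.5.1.10 172.16.5.0 255.255.255.0
access-list vpnt2 permit ip host 10.6.1.10 192.168.5.0 255.255.255.0
"""

def parse(config):
    """Return (acls, nat_rules, globals_) for the subset of syntax used above."""
    acls, nat_rules, globals_ = {}, [], {}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:5] == ["permit", "ip", "host"]:
            # name -> (source host, destination network given as address + mask)
            acls[t[1]] = (ipaddress.ip_address(t[5]),
                          ipaddress.ip_network(f"{t[6]}/{t[7]}"))
        elif t[0] == "nat" and t[3] == "access-list":
            nat_rules.append((t[2], t[4]))          # (NAT id, ACL name)
        elif t[0] == "global":
            globals_[t[2]] = ipaddress.ip_address(t[3])  # NAT id -> mapped address
    return acls, nat_rules, globals_

def translate(src, dst, acls, nat_rules, globals_):
    """Source address after policy NAT; unchanged if no rule matches the flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for nat_id, acl in nat_rules:
        host, net = acls[acl]
        if src == host and dst in net and nat_id in globals_:
            return globals_[nat_id]
    return src

def crypto_acl_matches(crypto_acl, src, dst, config=CONFIG):
    """True if the named crypto ACL selects the flow as it looks after NAT."""
    acls, nat_rules, globals_ = parse(config)
    host, net = acls[crypto_acl]
    natted = translate(src, dst, acls, nat_rules, globals_)
    return natted == host and ipaddress.ip_address(dst) in net
```

Calling `crypto_acl_matches("vpn1", "172.20.18.25", "172.16.5.9")` returns `False`: an ACL written against the original address no longer matches once the source has been translated, so that traffic would not be selected for encryption.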
04-02-2008 04:14 AM
Thanks for your reply.
I'm using a 3825 ISR, so it's an IOS device.
Can you help me out with the configs on the router?