
NAT with IPSEC

A router is making an IPsec connection to two different routers over the internet.

Only a single IP, let's say 172.20.18.25, is allowed over the VPN.

Is it possible to NAT the IP to two different IPs for each VPN?

2 Replies

Jon Marshall
Hall of Fame

Yes it is, although you don't say which device. Assuming a PIX/ASA, you can use policy NAT.

VPN1 remote subnet = 172.16.5.0/24

VPN2 remote subnet = 192.168.5.0/24

access-list vpn1 permit ip host 172.20.18.25 172.16.5.0 255.255.255.0

access-list vpn2 permit ip host 172.20.18.25 192.168.5.0 255.255.255.0

nat (inside) 2 access-list vpn1

nat (inside) 3 access-list vpn2

global (outside) 2 10.5.1.10

global (outside) 3 10.6.1.10

So when going to VPN1 the host 172.20.18.25 would get translated to 10.5.1.0 and if going to VPN2 host gets translated to 10.6.1.10.

Last thing to note: in your crypto access-list that defines which traffic to encrypt, you need to refer to the NATted address and not the original one, i.e.

access-list vpnt1 permit ip host 10.5.1.10 172.16.5.0 255.255.255.0

access-list vpnt2 permit ip host 10.6.1.10 192.168.5.0 255.255.255.0

Jon
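
The check described in the reply above, as an added example that is not part of the original post: a small Python model that parses the posted PIX/ASA-style lines, applies the policy NAT, and tests whether the post-NAT packet matches a given crypto access-list. The function names and the parsing of only this subset of syntax are assumptions made for illustration; it also assumes, as the reply states, that the crypto access-list is matched against the translated source.

```python
import ipaddress

# Constructed input: the configuration lines quoted in the reply above.
CONFIG = """\
access-list vpn1 permit ip host 172.20.18.25 172.16.5.0 255.255.255.0
access-list vpn2 permit ip host 172.20.18.25 192.168.5.0 255.255.255.0
nat (inside) 2 access-list vpn1
nat (inside) 3 access-list vpn2
global (outside) 2 10.5.1.10
global (outside) 3 10.6.1.10
access-list vpnt1 permit ip host 10.5.1.10 172.16.5.0 255.255.255.0
access-list vpnt2 permit ip host 10.6.1.10 192.168.5.0 255.255.255.0
"""

def parse(config):
    """Return (acls, nats, globals_) for the subset of syntax used above."""
    acls, nats, globals_ = {}, {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["permit", "ip", "host"]:
            src = ipaddress.ip_address(t[5])
            dst = ipaddress.ip_network(f"{t[6]}/{t[7]}")
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["nat"] and t[3:4] == ["access-list"]:
            nats[t[4]] = t[2]                            # ACL name -> NAT id
        elif t[:1] == ["global"]:
            globals_[t[2]] = ipaddress.ip_address(t[3])  # NAT id -> translated address
    return acls, nats, globals_

def translate(src, dst, acls, nats, globals_):
    """Policy NAT: the destination decides which global address replaces src."""
    for name, nat_id in nats.items():
        for a_src, a_dst in acls[name]:
            if src == a_src and dst in a_dst:
                return globals_[nat_id]
    return src  # no policy matched: the source leaves untranslated

def encrypted(src, dst, crypto_acl, config=CONFIG):
    """True if the packet, after policy NAT, matches the named crypto access-list."""
    acls, nats, globals_ = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    post_nat = translate(src, dst, acls, nats, globals_)
    return any(post_nat == s and dst in d for s, d in acls[crypto_acl])
```

Calling `encrypted("172.20.18.25", "172.16.5.20", "vpn1")` returns `False`: an access-list written with the original address never matches the translated packet, so that traffic would not be selected for the tunnel.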

Thanks for your reply.

I'm using a 3825 ISR, so it's an IOS device.

Can you help me out with the configs on the router?
