site-to-site VPN connection

May 13th, 2008

Hello,

I have established a site-to-site connection, but my client has informed me that our internal IP address is conflicting with their network's internal IP address. So now they want me to create a NAT policy so I can send IP address 192.168.18.2 on to the VPN and they can access my server. My server IP address is 192.168.16.2. (The 192.168.16.2 IP address is conflicting with their internal LAN IP.)

I am not sure how to write the NAT policy.

Please find the following configuration:

crypto isakmp policy 2
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key abc address 203.x.x.248

crypto ipsec transform-set compname esp-aes 256 esp-md5-hmac

crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 203.33.102.248
 set peer 203.33.102.248
 set security-association lifetime seconds 86400
 set transform-set compname
 set pfs group2
 match address 100

access-list 100 permit ip host 192.168.16.2 host 172.16.241.31



Please let me know how I would write the NAT policy so that I can send host IP 192.168.18.2 and they can access my server data, which is on IP 192.168.16.2.

Reminding you again that my client has got another range on their network, which is 192.168.16.x/24.

Your quick help will be much appreciated.

Thanks,

Jon Marshall Tue, 05/13/2008 - 02:48

static (inside,outside) 192.168.18.2 192.168.16.2 netmask 255.255.255.255

(assuming 192.168.16.2 is reachable via the inside interface).

access-list 100 permit ip host 192.168.18.2 host 172.16.241.31

Jon

pannu3679 Tue, 05/13/2008 - 03:56

Sorry, I forgot to mention that I'm using a Cisco 871.

The static command does not seem to be working on the Cisco 871 router...

If you have any other ideas, then please let me know.

Thanks.

Jon Marshall Tue, 05/13/2008 - 03:58

ip nat inside source static 192.168.16.2 192.168.18.2

Then you need "ip nat inside" under the interface connecting to your 192.168.16.x network and "ip nat outside" on the outside interface.

Jon

pannu3679 Tue, 05/13/2008 - 04:08

Hi Jon,

I'm afraid because one of my colleagues has configured a couple of PAT rules on this Cisco 871 router... please check the following PAT rules:

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.16.2 21 58.x.x.x 21 extendable
ip nat inside source static tcp 192.168.16.2 22 58.x.x.x 22 extendable

I wonder whether it causes any problem if I write your given NAT rule, which is:

ip nat inside source static 192.168.16.2 192.168.18.2

and also confirming with you that I will write down your given access list too, which is:

access-list 100 permit ip host 192.168.18.2 host 172.16.241.31

Jon Marshall Tue, 05/13/2008 - 04:38

Yes, this will create a problem. You will need to use a route-map to only NAT 192.168.16.2 to 192.168.18.2 when the source IP address is 172.16.241.31.

Yes, you need to use the NATed IP address in your crypto access-list.

Jon

pannu3679 Tue, 05/13/2008 - 04:56

I'm not sure what you mean and how I would do it.

Your help will be much appreciated...

Thanks.

Here is my external interface config:

interface FastEthernet4
 ip address 58.x.x.x 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1

==============================

Here is my internal interface config:

interface Vlan1
 ip address 192.168.16.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452

================================

Here are my NAT rules:

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.16.2 21 58.x.x.x 21 extendable
ip nat inside source static tcp 192.168.16.2 22 58.x.x.x 22 extendable
ip nat inside source static tcp 192.168.16.2 25 58.x.x.x 25 extendable
ip nat inside source static tcp 192.168.16.2 80 58.x.x.x 80 extendable
ip nat inside source static tcp 192.168.16.2 110 58.x.x.x 110 extendable
ip nat inside source static tcp 192.168.16.2 143 58.x.x.x 143 extendable
ip nat inside source static tcp 192.168.16.2 443 58.x.x.x 443 extendable
ip nat inside source static tcp 192.168.16.2 1723 58.x.x.x 1723 extendable
ip nat inside source static tcp 192.168.16.2 3389 58.x.x.x 3389 extendable
ip nat inside source static tcp 192.168.16.35 10000 58.x.x.x 10000 extendable

Now, if you could tell me what you would like me to configure... please...

Thanks
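The route-map-based NAT that Jon recommends in his 04:38 reply, applied to the interface and NAT configuration posted at 04:56, can be put together as follows. This is an added example, not Jon's posted answer and not the original poster's running configuration. It assumes IOS 12.4 on the 871 (which accepts `route-map` on `ip nat inside source static` and sequence numbers in `ip access-list extended`), that the existing SDM_RMAP_1 route-map matches an SDM-generated numbered ACL whose number is not shown in the thread (written here as the placeholder OVERLOAD-ACL), and that the remote side mirrors the crypto ACL with 192.168.18.2 as the protected host.

```cisco
! Added example (not from the thread). Assumptions: IOS 12.4 on the 871,
! OVERLOAD-ACL is a placeholder for the ACL that SDM_RMAP_1 already matches,
! and its existing entries start at sequence 10 (the IOS default).
!
! 1. Select only the server's traffic towards the remote VPN host.
ip access-list extended VPN_NAT_ACL
 permit ip host 192.168.16.2 host 172.16.241.31
!
route-map VPN_NAT permit 10
 match ip address VPN_NAT_ACL
!
! 2. Translate 192.168.16.2 -> 192.168.18.2 only when VPN_NAT matches.
!    All other traffic from 192.168.16.2 keeps using the existing
!    port-based statics to 58.x.x.x and the PAT overload.
!    If IOS rejects this line because 192.168.16.2 is already mapped by the
!    port-based statics, the documented "extendable" keyword allows several
!    translations for one inside local address (assumed to apply here).
ip nat inside source static 192.168.16.2 192.168.18.2 route-map VPN_NAT
!
! 3. Defensive ordering: keep the same flow out of the PAT overload, with the
!    deny placed ahead of the existing permit entries.
ip access-list extended OVERLOAD-ACL
 5 deny ip host 192.168.16.2 host 172.16.241.31
!
! 4. The crypto ACL must match the translated address, because for
!    inside-to-outside traffic NAT runs before the crypto map is evaluated.
no access-list 100
access-list 100 permit ip host 192.168.18.2 host 172.16.241.31
!
! 5. Tear down the current SA so the tunnel renegotiates with the new
!    proxy identities, then verify.
clear crypto sa peer 203.33.102.248
show ip nat translations
show crypto ipsec sa peer 203.33.102.248
```

Packet flow with this in place: a packet from 192.168.16.2 to 172.16.241.31 enters Vlan1 (`ip nat inside`), is translated to source 192.168.18.2, then matches ACL 100 on FastEthernet4 and is encrypted; the reply arrives for 192.168.18.2, is decrypted, and is untranslated back to 192.168.16.2 before delivery. `show ip nat translations` should show the static entry 192.168.18.2 <-> 192.168.16.2, and the IPsec SA should show local identity 192.168.18.2/255.255.255.255 and remote identity 172.16.241.31/255.255.255.255. The remote side's crypto ACL and routing must refer to 192.168.18.2, never to 192.168.16.2, or phase 2 will fail on a proxy-ID mismatch.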

pannu3679 Tue, 05/13/2008 - 14:17

Hi,

Is there someone who can help me out with the NAT policy to establish the site-to-site VPN connection?

Thanks,

pannu3679 Tue, 05/13/2008 - 17:00

Hi,

If anyone knows how to fix this issue, please let me know so I can resolve it...

It's quite urgent to resolve this issue.

Thanks,
