IOS IPSEC VPN with NAT - Translation Problem

csimmons
Level 1

I am having an issue with an IOS IPSEC VPN configuration.

/*
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key TEST123 address 205.xx.1.4
!
crypto ipsec transform-set CHAIN esp-3des esp-sha-hmac
!
crypto map CRYPTO-MAP 10 ipsec-isakmp
 set peer 205.xx.1.4
 set transform-set CHAIN
 match address 115
!
interface FastEthernet0/0
 description TO EDGE ROUTER
 ip address 208.xx.xx.33 255.255.255.252
 ip nat outside
 crypto map CRYPTO-MAP
!
interface FastEthernet0/1
 description INTERNAL NETWORK
 ip address 10.15.2.4 255.255.255.0
 ip nat inside
!
access-list 115 permit ip 192.xx.xx.128 0.0.0.3 172.xx.1.0 0.0.0.3
*/

(This configuration is incomplete / NAT configuration needed)

Here is the solution I am looking for:

When a session is initiated from the “Internal Network” to the “IPSEC Remote - 172.xx.1.0/30” network I want the “10.15.0.0/16” address scheme to translate to the NAT addresses “192.xx.xx.128/30” before routing over the IPSEC VPN Tunnel.

Please see "ATTACHED DIAGRAM" for more information.

Any help is greatly appreciated!

Thanks,

Clint Simmons

Network Engineer

2 Accepted Solutions

Karks Raja
Level 1

You can try the following NAT + route-map approach (2nd method in this link):

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

Thanks,

Raja K


rkalia1
Level 1

Probably you need the following:

! Extended ACLs take wildcard masks (0.0.255.255, 0.0.0.3), not subnet masks.
! This ACL selects the real 10.15.0.0/16 sources that should be translated
! when they talk to the remote 172.xx.1.0/30 network.
ip access-list extended NAT
 permit ip 10.15.0.0 0.0.255.255 172.xx.1.0 0.0.0.3
!
route-map NAT_TO_172.xx.1.0 permit 10
 match ip address NAT
!
! The "pool" keyword needs a named pool; the name NAT-POOL is just a placeholder.
! "overload" (PAT) is added so more than two inside hosts can share the /30.
ip nat pool NAT-POOL 192.xx.xx.129 192.xx.xx.130 prefix-length 30
ip nat inside source route-map NAT_TO_172.xx.1.0 pool NAT-POOL overload


4 Replies

Thanks for the response. I did try this approach before. However, I will clear the NAT configuration and try again...

/*
ip nat pool CRYPTO-POOL 192.xx.xx.129 192.xx.xx.130 prefix-length 30
ip nat inside source route-map CRYPTO-MAP pool CRYPTO-POOL overload
access-list 115 permit ip 192.xx.xx.128 0.0.0.3 172.xx.xx.0 0.0.0.3
access-list 186 permit ip 10.15.2.0 0.0.0.255 172.xx.xx.0 0.0.0.3
route-map CRYPTO-MAP permit 10
 match ip address 186
*/

I will respond with the new results later.

Thanks,

Clint
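Both rkalia1's accepted solution and Clint's working config depend on one property of Cisco IOS: for a packet going from an "ip nat inside" to an "ip nat outside" interface, inside-to-outside NAT runs before the crypto map is consulted, so the route-map ACL names the real 10.15.x.x sources while the crypto ACL (115) names the translated 192.xx.xx.128/30 sources. The Python model below is an added example, not code from the thread, from Cisco or from any of the posters. It parses a constructed config in the shape of Clint's final one, then walks packets through that order of operations. Because the thread redacts the "xx" octets, constructed documentation addresses (192.0.2.x for the NAT pool, 172.16.1.x for the remote network) are assumed in their place. It also shows two things the thread leaves implicit: a host outside ACL 186's 10.15.2.0/24 (the stated goal was 10.15.0.0/16) is neither translated nor matched by the crypto ACL, and a two-address pool without "overload" serves only two inside hosts before translation fails.

```python
"""Added example, not code from the thread or from Cisco. Models the IOS
inside-to-outside order of operations the route-map NAT solution relies on:
NAT runs BEFORE the crypto map check, so the crypto ACL sees translated sources.
Redacted 'xx' octets are replaced with constructed addresses (assumption)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Constructed stand-in for the thread's final config (ACL 186 is /24, as posted).
CONFIG = """
crypto map CRYPTO-MAP 10 ipsec-isakmp
 match address 115
ip nat pool CRYPTO-POOL 192.0.2.129 192.0.2.130 prefix-length 30
ip nat inside source route-map CRYPTO-MAP pool CRYPTO-POOL overload
access-list 115 permit ip 192.0.2.128 0.0.0.3 172.16.1.0 0.0.0.3
access-list 186 permit ip 10.15.2.0 0.0.0.255 172.16.1.0 0.0.0.3
route-map CRYPTO-MAP permit 10
 match ip address 186
"""

def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Turn an IOS 'address wildcard' pair (e.g. 10.15.2.0 0.0.0.255) into a network."""
    wc = int(IPv4Address(wildcard))
    prefix = 32 - wc.bit_length()
    if wc != (1 << (32 - prefix)) - 1:  # only contiguous wildcard masks are handled
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return IPv4Network((addr, prefix), strict=False)

@dataclass
class AclEntry:
    action: str
    src: IPv4Network
    dst: IPv4Network

@dataclass
class Config:
    acls: dict = field(default_factory=dict)        # ACL number -> [AclEntry]
    pools: dict = field(default_factory=dict)       # pool name -> [IPv4Address]
    route_maps: dict = field(default_factory=dict)  # route-map name -> ACL it matches
    nat_rule: tuple = None                          # (route-map, pool, overload?)
    crypto_acl: str = None                          # ACL named by 'match address'

def parse_config(text: str) -> Config:
    """Parse only the IOS lines this model needs; everything else is ignored."""
    cfg, current_rm = Config(), None
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "access-list" and len(p) == 8 and p[3] == "ip":
            cfg.acls.setdefault(p[1], []).append(AclEntry(
                p[2], wildcard_to_network(p[4], p[5]), wildcard_to_network(p[6], p[7])))
        elif p[:3] == ["ip", "nat", "pool"]:
            first, last = int(IPv4Address(p[4])), int(IPv4Address(p[5]))
            cfg.pools[p[3]] = [IPv4Address(n) for n in range(first, last + 1)]
        elif p[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            cfg.nat_rule = (p[5], p[7], p[-1] == "overload")
        elif p[0] == "route-map":
            current_rm = p[1]
        elif p[:3] == ["match", "ip", "address"] and current_rm:
            cfg.route_maps[current_rm] = p[3]
        elif p[:2] == ["match", "address"]:
            cfg.crypto_acl = p[2]
    return cfg

def acl_permits(entries, src: IPv4Address, dst: IPv4Address) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in entries:
        if src in e.src and dst in e.dst:
            return e.action == "permit"
    return False

def forward(cfg: Config, src: str, dst: str, bindings: dict) -> tuple:
    """Inside->outside: NAT first, then the crypto ACL is tested on the translated source.
    Returns (source leaving the outside interface, encrypted?) or (None, False) when a
    non-overload pool is exhausted; `bindings` keeps the inside->global mappings."""
    s, d = IPv4Address(src), IPv4Address(dst)
    rm, pool_name, overload = cfg.nat_rule
    if acl_permits(cfg.acls[cfg.route_maps[rm]], s, d):
        pool = cfg.pools[pool_name]
        if overload:
            s = pool[0]                        # PAT: all inside hosts share one global address
        elif s in bindings:
            s = bindings[s]
        elif len(bindings) < len(pool):
            bindings[s] = pool[len(bindings)]  # one-to-one, until the pool runs out
            s = bindings[s]
        else:
            return None, False                 # pool exhausted: packet is dropped
    return str(s), acl_permits(cfg.acls[cfg.crypto_acl], s, d)

def pool_covered_by_crypto_acl(cfg: Config) -> bool:
    """Every pool address must sit in a permit source of the crypto ACL; otherwise
    translated traffic for the peer would leave the router unencrypted."""
    permits = [e for e in cfg.acls[cfg.crypto_acl] if e.action == "permit"]
    return all(any(a in e.src for e in permits) for a in cfg.pools[cfg.nat_rule[1]])

if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print("pool covered by crypto ACL:", pool_covered_by_crypto_acl(cfg))
    for src in ("10.15.2.10", "10.15.3.5"):  # inside vs. outside ACL 186's /24
        print(src, "-> 172.16.1.2:", forward(cfg, src, "172.16.1.2", {}))
```

The `pool_covered_by_crypto_acl` check is the one worth keeping around: if the pool and the crypto ACL source drift apart (for instance after renumbering), the router will still translate the traffic but the crypto map will no longer claim it, and it leaves the outside interface in the clear rather than failing loudly.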

Looks like the problem is resolved per the instructions above.

Thanks for all the help!

Clint