04-22-2009 05:34 AM - edited 03-11-2019 08:21 AM
I have an internal address 192.168.1.16 but we want the other end of the VPN tunnel to communicate with 172.16.5.1 instead and use NAT because of an overlapping address range. Does anyone have an example configuration of something like this?
04-22-2009 05:43 AM
FW1 = firewall at site where 192.168.1.16 is.
FW2 = firewall at remote end
Config bits that are needed for the NAT setup and the VPN crypto map
FW1
static (inside,outside) 172.16.5.1 192.168.1.16
access-list vpntraffic permit ip host 172.16.5.1 host 192.168.1.16
crypto map vpnmap 1 match address vpntraffic
FW2
access-list vpntraffic permit ip host 192.168.1.16 host 172.16.5.1
crypto map vpnmap 1 match address vpntraffic
Note that the 192.168.1.16 referenced in FW2 config is actually a client machine behind FW2 and not the 192.168.1.16 machine behind FW1.
Jon
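An added example, not part of the original posts: a small Python check that the crypto ACL on the NAT side names the translated address and that the far side's ACL is its exact mirror, run over the config lines from the answer above. The function names are hypothetical, and the patterns assume only the `static` and `host A host B` forms that appear in this thread.

```python
import re

# Config lines copied from the answer above.
FW1 = """\
static (inside,outside) 172.16.5.1 192.168.1.16
access-list vpntraffic permit ip host 172.16.5.1 host 192.168.1.16
crypto map vpnmap 1 match address vpntraffic
"""
FW2 = """\
access-list vpntraffic permit ip host 192.168.1.16 host 172.16.5.1
crypto map vpnmap 1 match address vpntraffic
"""

# Patterns cover only the command forms used in this thread (assumption).
STATIC = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+)$", re.M)
ACL = re.compile(r"^access-list (\S+) permit ip host (\S+) host (\S+)$", re.M)
CRYPTO = re.compile(r"^crypto map \S+ \d+ match address (\S+)$", re.M)

def crypto_pairs(config):
    """Return (source, destination) host pairs of ACLs bound to a crypto map."""
    bound = set(CRYPTO.findall(config))
    return [(src, dst) for name, src, dst in ACL.findall(config) if name in bound]

def check_tunnel(nat_side, far_side):
    """List mismatches between the NAT side and the far side of the tunnel."""
    problems = []
    # "static (inside,outside) <mapped> <real>" gives a real -> mapped lookup.
    real_to_mapped = {real: mapped for mapped, real in STATIC.findall(nat_side)}
    local = crypto_pairs(nat_side)
    for src, dst in local:
        if src in real_to_mapped:
            problems.append("crypto ACL source %s is the real address; "
                            "use the translated %s" % (src, real_to_mapped[src]))
    # Each end must list the same hosts with source and destination swapped.
    mirrored = {(dst, src) for src, dst in local}
    far = set(crypto_pairs(far_side))
    for pair in sorted(mirrored - far):
        problems.append("far side lacks the mirror entry %s -> %s" % pair)
    for pair in sorted(far - mirrored):
        problems.append("far side entry %s -> %s has no mirror" % pair)
    return problems

if __name__ == "__main__":
    print(check_tunnel(FW1, FW2) or "crypto ACLs are consistent")
```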
04-22-2009 10:54 PM
Hi Jon, bschear, I'm sorry to gatecrash your post but I have to configure a setup with Cisco encryption routers on either end of my VPN tunnel.
The 3rd party partners have a firewall connected to the encryption router (which is my tunnel endpoint) and they are NAT'ing their internal addresses so I'm a bit confused as to how I set up the ACLs for interesting traffic on my side.
Do I permit access to the NAT'ed or original addresses?
Is there anything I need to configure on my router regarding the NAT'ing on the other end of the tunnel?
Again, I'm sorry for posting my question here but I thought I'd be quicker to get a response as you obviously know about VPNs and NAT configuration.
Many thanks,
Martha.
04-23-2009 01:49 AM
Martha
You need to use the natted address in your access-list for the interesting traffic because you will never see the 3rd party's internal addresses.
Jon
04-23-2009 04:15 AM
Thanks Jon for the prompt response, that is what I put in my access-list but it's not working. I will troubleshoot further with the 3rd party company as I'm pretty sure my config is fine.
Thanks again,
Martha.