Help NAT and VPN IPsec!!!

Unanswered Question
Apr 9th, 2010

I have the router C2811-NAT as follows:

C2811-NAT:
NAT for Network RED-LAN 192.168.8.0 / 24
VPN  Server for any.

The VPN client connects to the LAN by VPN and connects to the internal computers (LAN) fine. In the NAT-R I have the following static route:
ip route 192.168.222.0 255.255.255.240 8.8.8.9, to reach the RED CUSTOMER # 2.

In the NAT-R router, the VPN network 192.168.222.0 / 29 does NAT to have access to the Internet.

My query is: how do I make the network 192.168.222.0 / 29 do NAT in router C2811? Because once connected to the VPN, my PC is accessible from all network clients of CUSTOMER # 2.


I attach the configuration.

Jennifer Halim Fri, 04/09/2010 - 20:02
User Badges:
  • Cisco Employee,

No, it will not be NATed because the outside interface that you use to terminate the VPN does not have "ip nat inside" statement. It is an "ip nat outside". Only traffic that is inbound towards interface that has "ip nat inside" will be NATed out. Traffic from customer# 2 will be routed towards NAT-R then C2811-NAT router, and it will be encrypted and route back towards NAT-R and out to the Internet.


Hope that helps.

Kevin Morales Sat, 04/10/2010 - 06:52

Thanks for the reply,

How do I make the clients that connect to the VPN on router C2811-NAT go through this router to the Internet and still have access to internal resources?

I do not want the VPN clients to do NAT on the router NAT-R, but on the C2811-NAT.

Jennifer Halim Sat, 04/10/2010 - 15:06
User Badges:
  • Cisco Employee,

Please disregard the previous message.


I just had a look at the requirement again, and now I am confused about what you are trying to achieve.


OK, let's go back to requirement/assumption:

1) User connects to VPN that terminates on C2811-NAT router, and assigned IP from pool: 192.168.222.0/28.

2) Once connected, they need to be able to access RED LAN, Customer# 2 LAN and the Internet. Is this what you are trying to achieve?

3) On your first post, you said: "In the NAT-R I have the following static route: ip route 192.168.222.0 255.255.255.240 8.8.8.9, to reach the RED CUSTOMER # 2." ----> I don't see this statement on your config attached, and it doesn't sound correct.


4) What is Customer# 2 LAN subnet?

Kevin Morales Sun, 04/11/2010 - 15:56

1) User connects to VPN that terminates on C2811-NAT router, and assigned IP from pool: 192.168.222.0/28. (Correct)

2) Once connected, they need to be able to access RED LAN, Customer# 2 LAN and the Internet. Is this what you are trying to achieve?

** Once connected to the VPN, they can get to the RED-LAN, but are unable to ping the CUSTOMER # 2 network. To enter the CUSTOMER # 2 network, I had to set a static route for the private network (192.168.222.0 / 28) in the router NAT-R: ip route 192.168.222.0 255.255.255.240 8.8.8.9, so it gains access to the CUSTOMER # 2 network.


3) On your first post, you said: "In the NAT-R I have the following static route: ip route 192.168.222.0 255.255.255.240 8.8.8.9, to reach the RED CUSTOMER # 2." ----> I don't see this statement on your config attached, and it doesn't sound correct.

*** Sorry. I did not put the static route in the configuration, and corrected the file with the route included.


4) What is Customer# 2 LAN subnet?

*** 10.10.10.1 255.255.255.0


*** Currently the network 192.168.222.0 / 28 does NAT on the router NAT-R to have Internet, but I want the NAT to be done in the C2811-NAT.


Sorry for my English..


Jennifer Halim Sun, 04/11/2010 - 17:48
User Badges:
  • Cisco Employee,

With the current configuration, when you VPN in, you should be able to ping the customer#2 network (10.10.10.0/24). As far as the configuration is concerned, it looks correct. No changes need to be done anymore.


When you VPN in, can you ping 10.10.10.1? If you can, then that means that as far as VPN and NATing are concerned, it's already correct.

Kevin Morales Mon, 04/12/2010 - 08:21

Thanks for your collaboration in this case. I made another scenario where I simplify the situation a little more.


The client "X" connects to the VPN without problem on the C2811-NAT router, and can ping all computers on the internal network (192.168.8.0 / 24), but has no Internet!


ACL 110 excludes the VPN (192.168.222.0) from the NAT process so that it can reach the internal network (192.168.8.0 / 24):


ip nat inside source list 110 interface FastEthernet0/1 overload
access-list 110 deny ip 192.168.222.0 0.0.0.15 any
access-list 110 permit ip 192.168.8.0 0.0.0.255 any


What would be the proper configuration so that the network 192.168.222.0 /28 can access the network 192.168.8.0 /24 and also do NAT in the C2811-NAT to have Internet?


*** I do not want to use split tunnel; the Internet should go through the C2811-NAT router.

attach:
Jennifer Halim Mon, 04/12/2010 - 23:34
User Badges:
  • Cisco Employee,

OK, so you would like the VPN to get access to customer# 2 and also Internet access.

I would suggest that you configure the NAT on the NAT-R router as follows:

ip access-list extended 150
 1 deny ip 192.168.222.0 0.0.0.15 10.10.10.0 0.0.0.255

interface FastEthernet1/0
 ip nat outside
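As an added illustration, not configuration from this thread, the following Python model shows how IOS evaluates the ACL behind an "ip nat inside source list" statement: the first matching entry decides, wildcard bits set to 1 are "don't care", and a packet that matches nothing falls into the implicit deny at the end of the list and is therefore not translated. It runs ACL 110 exactly as posted earlier in the thread against three sample flows, then an assumed rewrite (my own, not suggested by anyone in the thread) that exempts only VPN-to-LAN traffic from translation, and finally the deny line of ACL 150 above with an assumed permit line after it. The host addresses and the 198.51.100.10 Internet address are constructed. The model covers the ACL match only; as noted earlier in the thread, IOS translates only traffic that arrives on an interface configured with "ip nat inside", and that interface condition is not modelled here.

```python
"""Model of IOS NAT source-list evaluation (constructed example).

The ACL text of ACL 110 and the deny line of ACL 150 are taken from the
thread; the "hairpin" variant of ACL 110, the permit line added to ACL 150,
and all host addresses are assumptions made for this illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny ip <src> <dst>' where each side is
    '<net> <wildcard>', 'host <addr>' or 'any'."""
    tok = line.split()
    action, proto = tok[0].lower(), tok[1].lower()
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line}")
    fields = []
    i = 2
    while len(fields) < 2:
        if tok[i].lower() == "any":        # any == 0.0.0.0 255.255.255.255
            fields.append((0, 0xFFFFFFFF))
            i += 1
        elif tok[i].lower() == "host":     # host A == A 0.0.0.0
            fields.append((_addr(tok[i + 1]), 0))
            i += 2
        else:
            fields.append((_addr(tok[i]), _addr(tok[i + 1])))
            i += 2
    (s, sw), (d, dw) = fields
    return Ace(action, s, sw, d, dw)


def wildcard_match(addr: int, net: int, wild: int) -> bool:
    """Wildcard bits set to 1 are ignored; the remaining bits must equal net."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def nat_translates(acl_lines, src: str, dst: str) -> bool:
    """True if the NAT source list would translate a src->dst packet.
    First match wins; no match hits the implicit deny, so no translation."""
    s, d = _addr(src), _addr(dst)
    for ace in map(parse_ace, acl_lines):
        if (wildcard_match(s, ace.src_net, ace.src_wild)
                and wildcard_match(d, ace.dst_net, ace.dst_wild)):
            return ace.action == "permit"
    return False


# ACL 110 as posted in the thread: every VPN-sourced packet is exempted,
# including packets bound for the Internet, so VPN clients never get NATed.
ACL_110_POSTED = [
    "deny ip 192.168.222.0 0.0.0.15 any",
    "permit ip 192.168.8.0 0.0.0.255 any",
]
# Assumed rewrite (not from the thread): exempt only VPN->LAN, translate the rest.
ACL_110_HAIRPIN = [
    "deny ip 192.168.222.0 0.0.0.15 192.168.8.0 0.0.0.255",
    "permit ip 192.168.222.0 0.0.0.15 any",
    "permit ip 192.168.8.0 0.0.0.255 any",
]
# ACL 150 for NAT-R: the deny line is from the thread, the permit line is assumed.
ACL_150_NATR = [
    "deny ip 192.168.222.0 0.0.0.15 10.10.10.0 0.0.0.255",
    "permit ip 192.168.222.0 0.0.0.15 any",
]

# Constructed sample hosts (198.51.100.10 is a documentation address).
VPN_CLIENT, LAN_HOST, CUST2_HOST = "192.168.222.5", "192.168.8.20", "10.10.10.7"
INTERNET_HOST = "198.51.100.10"

C2811_FLOWS = {
    "vpn->lan": (VPN_CLIENT, LAN_HOST),
    "vpn->internet": (VPN_CLIENT, INTERNET_HOST),
    "lan->internet": (LAN_HOST, INTERNET_HOST),
}
NATR_FLOWS = {
    "vpn->customer2": (VPN_CLIENT, CUST2_HOST),
    "vpn->internet": (VPN_CLIENT, INTERNET_HOST),
}


def summarize(acl_lines, flows):
    """Map each named flow to whether the ACL would have NAT translate it."""
    return {name: nat_translates(acl_lines, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    print("ACL 110 as posted :", summarize(ACL_110_POSTED, C2811_FLOWS))
    print("ACL 110 hairpin   :", summarize(ACL_110_HAIRPIN, C2811_FLOWS))
    print("ACL 150 on NAT-R  :", summarize(ACL_150_NATR, NATR_FLOWS))
```

Running it shows the symptom described in the thread: with ACL 110 as posted, a VPN client reaching the Internet matches the first deny entry, so it is never translated and has no Internet, while the LAN still is. The hairpin variant keeps VPN-to-LAN untranslated but lets VPN-to-Internet match the permit entry. The last line also shows that an ACL consisting only of a deny entry would translate nothing, which is why a permit entry has to follow the exemption.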

Kevin Morales Tue, 04/13/2010 - 08:33

Thank you again for giving your time to this case.

What would be the proper configuration for the second case that I presented, where there is no customer # 2 network?

Only the C2811-NAT router, the RED LAN 192.168.8.0/24 and the clients that connect to the VPN, which should have Internet through the router C2811-NAT?
