07-15-2010 11:42 AM - edited 03-11-2019 11:12 AM
Hi,
My local subnets are 192.168.1.0/24 & 192.168.3.0/24. The remote end also has the same subnets.
We need to do a Site to Site VPN with these details:
My public IP is 194.a.b.193 and the remote end peer IP is 100.a.b.19
Remote end NATted IP is (100.a.c.198)
Query:
1. Is NAT allowed through IPsec?
2. Do I need GRE to run in this scenario?
3. What will be the interesting traffic access list on end A?
4. Any sample config guide/URL for such a scenario?
ip access-l Local permit host 100.a.c.198 host 194.a.b.193 ? or something else
Please guide with some brief notes..
Thanks & regards
Amar
07-18-2010 09:41 AM
Hi Amar,
1. NAT is allowed through IPsec (and necessary when you have overlapping issues)
NAT occurs prior to encapsulation, therefore the traffic sent through the tunnel is already translated.
2. You don't need GRE for NAT.
GRE is needed to allow communication of non-IP traffic or non-unicast traffic.
If the requirement is to NAT the interesting traffic, there's no need for GRE (PIXes won't support GRE anyway)
3. The interesting traffic (if using NAT) will be the translated subnets.
If you translate site A to X and site B to Y, the interesting traffic will be between X and Y.
4. Not having a sample handy, let us know if you have any questions.
Federico.
07-18-2010 11:33 PM
Please correct me if I am wrong, what I understood is:
1. I need to set the peer as their public IPs
2. then we can NAT the interesting traffic with one public IP on both ends.
3. and set a route with destination as the remote public IPs..
4. interesting ACL should be: access-l ipsec permit
=====================================================================================
Lets consider:
==============
Local LAN subnet: 10.1.1.0/24
Local public peer IP: 24.2.2.2
NATted IP for LAN (10.1.1.0): 24.2.2.3
Remote LAN subnet: 10.1.1.0/24
Remote peer IP: 30.2.2.2
NATted IP for LAN (10.1.1.0): 30.2.2.3
then configuration should be like:
========================
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encrypt 3des
crypto isakmp key cisco address 30.2.2.2
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list ipsectraffic permit ip 10.1.1.0 255.255.255.0 30.2.2.3 255.255.255.255
nat (inside) 1 access-list ipsectraffic
global (outside) 1 24.2.2.3
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address ipsectraffic
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose 20 set peer 30.2.2.2
crypto map toSanJose interface outside
sysopt connection permit-ipsec
07-20-2010 05:44 AM
Hi Amar,
Your understanding is correct for the most part, but I add an example for the Policy NAT:
Site A:
Local LAN = 192.168.1.0/24
NAT to = 10.1.1.0/24
Site B:
Local LAN = 192.168.1.0/24
NAT to = 10.2.2.0/24
Configuration for Site A:
access-list NAT permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
static (inside,outside) 10.1.1.0 access-list NAT
access-list crypto permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
Configuration for Site B:
access-list NAT permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
static (inside,outside) 10.2.2.0 access-list NAT
access-list crypto permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
In this way, traffic will flow between both sites from 10.1.1.0/24 to 10.2.2.0/24 and vice versa.
The ''crypto'' ACL is the interesting traffic.
Federico.
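To make the ordering concrete (policy NAT is applied first, then the crypto ACL is evaluated on the already-translated packet), here is an added Python model of Federico's Site A / Site B example. It is not configuration or code from the thread or from Cisco; it models the two `static (inside,outside) ... access-list NAT` translations and the two `crypto` ACLs above, and it also shows the failure mode the thread warns about: an "interesting traffic" ACL written on the real 192.168.1.0/24 addresses never matches once NAT has run. The hosts .10 and .20 and the 8.8.8.8 destination are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr


@dataclass(frozen=True)
class Site:
    local_lan: Net    # real addresses behind this firewall
    nat_to: Net       # what the LAN is presented as over the tunnel
    remote_nat: Net   # the peer's translated LAN (its real LAN is never referenced)


def overlapping(a: Net, b: Net) -> bool:
    """True when two LANs collide and policy NAT is required to join them."""
    return a.overlaps(b)


def shift(addr: Addr, src_net: Net, dst_net: Net) -> Addr:
    """Static network translation: keep the host bits, swap the network part."""
    offset = int(addr) - int(src_net.network_address)
    return Addr(int(dst_net.network_address) + offset)


def policy_nat(site: Site, pkt: Packet) -> Packet:
    """Models 'static (inside,outside) <nat_to> access-list NAT': translate the
    source only when the packet is from the local LAN to the remote translated subnet."""
    if pkt.src in site.local_lan and pkt.dst in site.remote_nat:
        return Packet(shift(pkt.src, site.local_lan, site.nat_to), pkt.dst)
    return pkt


def crypto_acl_permits(site: Site, pkt: Packet) -> bool:
    """Models 'access-list crypto permit ip <nat_to> <remote_nat>'; the firewall
    evaluates it on the translated packet, so it is written on translated subnets."""
    return pkt.src in site.nat_to and pkt.dst in site.remote_nat


def send(site: Site, pkt: Packet) -> tuple[Packet, bool]:
    """NAT occurs before encapsulation: returns (packet as seen by the crypto map,
    whether it matched interesting traffic and is therefore encrypted)."""
    translated = policy_nat(site, pkt)
    return translated, crypto_acl_permits(site, translated)


def receive(site: Site, pkt: Packet) -> Packet:
    """Inbound after decryption: a destination in nat_to is untranslated back to the real LAN."""
    if pkt.dst in site.nat_to:
        return Packet(pkt.src, shift(pkt.dst, site.nat_to, site.local_lan))
    return pkt


def real_address_acl_permits(site: Site, pkt: Packet) -> bool:
    """The mistake to avoid: an ACL written on the real LAN (192.168.1.0/24) is checked
    after NAT has already rewritten the source, so it never selects the traffic."""
    translated = policy_nat(site, pkt)
    return translated.src in site.local_lan and translated.dst in site.remote_nat


# Federico's example: both sites really use 192.168.1.0/24.
SITE_A = Site(Net("192.168.1.0/24"), Net("10.1.1.0/24"), Net("10.2.2.0/24"))
SITE_B = Site(Net("192.168.1.0/24"), Net("10.2.2.0/24"), Net("10.1.1.0/24"))


def round_trip() -> dict:
    """Constructed sample: A's host .10 talks to B's host .20 via B's translated address, and B replies."""
    request = Packet(Addr("192.168.1.10"), Addr("10.2.2.20"))
    wire_ab, enc_ab = send(SITE_A, request)
    delivered_b = receive(SITE_B, wire_ab)
    reply = Packet(delivered_b.dst, delivered_b.src)      # B answers from its real address
    wire_ba, enc_ba = send(SITE_B, reply)
    delivered_a = receive(SITE_A, wire_ba)
    internet = Packet(Addr("192.168.1.10"), Addr("8.8.8.8"))  # not interesting traffic
    return {
        "overlap": overlapping(SITE_A.local_lan, SITE_B.local_lan),
        "wire_ab": wire_ab, "enc_ab": enc_ab, "delivered_b": delivered_b,
        "wire_ba": wire_ba, "enc_ba": enc_ba, "delivered_a": delivered_a,
        "internet_encrypted": send(SITE_A, internet)[1],
        "real_acl_matches": real_address_acl_permits(SITE_A, request),
    }


if __name__ == "__main__":
    for k, v in round_trip().items():
        print(f"{k}: {v}")
```

Read the output top to bottom: the packet on the wire from A carries 10.1.1.10 → 10.2.2.20, which is exactly what the `crypto` ACL permits, and site B untranslates the destination back to 192.168.1.20. Each site's hosts only ever see the other site as 10.x.x.0/24, which is why the overlap causes no routing ambiguity.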