09-14-2010 02:10 PM
Hello everybody, I need some help with a VPN configuration. This is the problem: I need to NAT all the VPN traffic because I need to set up a VPN, but I already have another VPN with the same network, so it overlaps with the new one. How can I NAT all traffic to another network to avoid the network overlap?
Please, I really need help.
Thanks
09-14-2010 03:08 PM
Hi,
If you have an ASA, then you NAT using Policy NAT, something like this:
Site A:
access-list NAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
static (in,out) 10.3.3.0 access-list NAT
Site B:
access-list NAT permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
static (in,out) 10.2.2.0 access-list NAT
Both internal networks are 10.1.1.0/24 but the VPN communication (after NAT) is between 10.2.2.0/24 and 10.3.3.0/24
Federico.
09-14-2010 03:24 PM
Hi, thanks. I have a Cisco 1711 router; do you know how to do it on this equipment? I must have PAT for Internet access and NAT for VPN traffic.
Thanks a lot
09-15-2010 07:36 AM
You use the same idea that I showed you before.
If you need more help please post the networks for both sides and we'll show the configuration commands.
Federico.
09-15-2010 07:42 AM
Hello, thank you, I really appreciate your help. Here are both site networks:
SITE A: 192.168.28.0/24
SITE B: 192.168.1.0/24
I want to NAT the segment 192.168.1.0/24 to 10.10.10.0/24 because on the SITE A router I already have another VPN with the 192.168.1.0/24 segment, so it overlaps with the new one, and I must have Internet access on the SITE B router.
Thanks
09-15-2010 05:13 PM
The configuration varies if you have ASAs or routers as VPN endpoints.
You have routers or ASAs?
Federico.
09-16-2010 02:23 PM
I have a Cisco 1711 router.
Thanks
09-16-2010 03:53 PM
For example:
If the LAN is 192.168.1.0/24 and you want to NAT it to 192.168.2.0/24 when going through the tunnel:
ip nat inside source static network 192.168.1.0 192.168.2.0 /24
Problem with this is that it will translate the network always (not only when going through the tunnel).
If you do:
ip nat inside source static 192.168.1.1 192.168.2.1 route-map NAT
Then you can bind a route-map to specify that the static NAT rule will take effect only when the route-map conditions are met.
Problem is that you will need to do one IP at a time.
In ASAs it is a lot easier.
Perhaps someone else has tried this (because I don't see how to apply a route-map when specifying a network in the static NAT).
Federico.
09-17-2010 08:44 AM
OK, I think I understand you. This is my config:
MiniBox#sh run
Building configuration...
Current configuration : 2181 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MiniBox
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
clock timezone Mexico -6
clock summer-time Mexico date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip ips po max-events 100
no ftp-server write-enable
!
!
!
username ***** privilege 15 secret 5 *******
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ***** address *****
no crypto isakmp ccm
!
!
crypto ipsec transform-set MiniBox esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer ******
set transform-set MiniBox
match address 101
!
!
!
interface FastEthernet0
ip address 10.1.131.85 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface FastEthernet4
no cdp enable
!
interface Vlan1
ip address 192.168.1.253 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Async1
no ip address
!
ip classless
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static network 192.168.1.0 10.10.44.0 /24
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.28.0 0.0.0.255
no cdp run
!
!
control-plane
!
!
line con 0
login local
line 1
MiniBox#
MiniBox#
Am I OK or not? In ACL 101, must I have the NAT segment 192.168.1.0 as my permitted traffic, or my no-NAT segment? And what if I want to NAT to have Internet access?
Thanks
09-17-2010 10:18 AM
ip nat inside source static network 192.168.1.0 10.10.44.0 /24
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.28.0 0.0.0.255
The ACL 101 should be:
access-list 101 permit ip 10.10.44.0 0.0.0.255 192.168.28.0 0.0.0.255
The reason is that since you're translating the 192.168.1.0/24 to 10.10.44.0/24 when going through the tunnel, then the ACL for VPN traffic should specify the translated address as the local network.
Again, I don't see an option for making this NAT a conditional NAT.
If you need NAT for Internet, you can try the following:
ip nat inside source static 192.168.1.1 10.10.44.1 route-map VPN
route-map VPN
match ip address VPN-traffic
ip access-list extended VPN-traffic
permit ip 192.168.1.0 0.0.0.255 192.168.28.0 0.0.0.255
In this way, host 192.168.1.1 will be translated to 10.10.44.1 only when going to 192.168.28.0/24
Try it and see if it works.
Federico.
09-17-2010 11:30 AM
Hi, the first one works perfectly, but with the second one, when I want to access the Internet it doesn't work, although for the VPN it works. Here is my config.
MiniBox#sh run
Building configuration...
Current configuration : 2335 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MiniBox
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
clock timezone Mexico -6
clock summer-time Mexico date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip ips po max-events 100
no ftp-server write-enable
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key **** address ******
no crypto isakmp ccm
!
!
crypto ipsec transform-set MiniBox esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer *******
set transform-set MiniBox
match address 101
!
!
!
interface FastEthernet0
description $ETH-WAN$
ip address 10.1.131.85 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface FastEthernet4
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Async1
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.131.1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static 192.168.1.100 10.10.44.100 route-map VPN
!
!
!
ip access-list extended VPN-traffic
permit ip 192.168.1.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 101 permit ip 10.10.44.0 0.0.0.255 192.168.28.0 0.0.0.255
no cdp run
!
route-map VPN permit 10
match ip address VPN-traffic
!
!
control-plane
!
!
line con 0
login local
line 1
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
end
We are really close, thanks for all your help i really appreciate it.
09-17-2010 11:33 AM
You're saying the 192.168.1.100 is able to go through the tunnel and to the internet now?
Try adding another....
ip nat inside source static 192.168.1.101 10.10.44.101 route-map VPN
for example.
Federico.
09-17-2010 11:36 AM
No, 192.168.1.100 can only go through the tunnel; it doesn't have Internet access.
09-17-2010 11:40 AM
Normally you would add:
ip access-list extended INTERNET
deny ip 192.168.1.0 0.0.0.255 192.168.28.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
route-map INTERNET
match ip address INTERNET
ip nat inside source route-map INTERNET interface FastEthernet0 overload
To allow the 192.168.1.0/24 internet access (except when going through the tunnel).
Try that, but I did notice that the outside interface has a private IP (where the VPN tunnel ends).
Is this tunnel going over the Internet and if so, something else might be NATing the IP then.
Federico.
09-17-2010 11:47 AM
Thanks a lot Federico, now I can access the Internet and the VPN.
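The following is an added example assembled by the editor from the configuration the thread converged on; it is not a configuration posted by either participant. It puts the Site B (1711) NAT and crypto pieces together in one place and shows why they are ordered as they are: on IOS, traffic going from an inside to an outside interface is routed, then translated (inside-to-outside NAT), and only then matched against the crypto map, so the crypto ACL must name the translated 10.10.44.0/24 network while the route-maps match the real 192.168.1.0/24 addresses, and the Internet PAT rule must explicitly deny the tunnel traffic. Two things go beyond what the thread shows and are assumptions: a dynamic one-to-one pool (`VPNPOOL`, `ip nat inside source route-map VPN pool VPNPOOL`) is used to cover the whole LAN instead of one static line per host, and the Site A side is assumed to be an IOS router whose ACL number and names (`110`, `SITE-A-INTERNET`) are hypothetical. The pool only creates translations for connections that Site B hosts open, so any host Site A must reach first keeps a static entry as in the thread; the pool range is kept above those static addresses so the two cannot collide. The thread's IKE/IPsec settings (3DES, MD5, DH group 2) and the `transport input telnet ssh` vty lines are left out here; they are not part of the NAT problem, and a current deployment would use AES, SHA-2, a stronger DH group and SSH only. Because the outside interface carries a private address (10.1.131.85), an upstream device is probably translating the router itself; IOS enables IPsec NAT traversal (UDP 4500) by default, but that upstream NAT must pass it.

```cisco
! ---- Site B (the 1711): LAN 192.168.1.0/24, presented to Site A as 10.10.44.0/24 ----
!
! 1. Crypto ACL. Inside->outside packets are NATed BEFORE the crypto map sees
!    them, so "interesting traffic" is written with the POST-NAT source network.
access-list 101 permit ip 10.10.44.0 0.0.0.255 192.168.28.0 0.0.0.255
!
! 2. Pre-NAT view of the same flows: what the LAN hosts actually send.
ip access-list extended VPN-traffic
 permit ip 192.168.1.0 0.0.0.255 192.168.28.0 0.0.0.255
!
! 3. Everything else from the LAN is PATed to the Internet. The deny line keeps
!    tunnel traffic out of the overload rule; without it the VPN hosts lose the
!    tunnel (or the Internet, depending on rule order) as seen in the thread.
ip access-list extended INTERNET
 deny   ip 192.168.1.0 0.0.0.255 192.168.28.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map VPN permit 10
 match ip address VPN-traffic
!
route-map INTERNET permit 10
 match ip address INTERNET
!
! 4a. Hosts Site A must be able to reach first (servers) get a fixed mapping,
!     applied only when route-map VPN matches (i.e. only toward 192.168.28.0/24).
!     Static entries are evaluated before dynamic ones.
ip nat inside source static 192.168.1.100 10.10.44.100 route-map VPN
!
! 4b. ASSUMPTION (not in the thread): the rest of the LAN is translated 1:1 from
!     a pool, again only when route-map VPN matches. No "overload", so each host
!     gets its own 10.10.44.x address and ports are preserved. Entries exist only
!     after a Site B host starts a connection, so Site A cannot initiate to these
!     hosts. The range starts above the static addresses to avoid a collision.
ip nat pool VPNPOOL 10.10.44.101 10.10.44.254 netmask 255.255.255.0
ip nat inside source route-map VPN pool VPNPOOL
!
! 5. PAT for Internet access (thread's final working rule).
ip nat inside source route-map INTERNET interface FastEthernet0 overload
!
interface FastEthernet0
 ip address 10.1.131.85 255.255.255.0
 ip nat outside
 crypto map SDM_CMAP_1
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 10.1.131.1
!
! ---- Site A counterpart (ASSUMED to be an IOS router; ACL 110 and names are hypothetical) ----
! The remote network in Site A's crypto ACL is the TRANSLATED one, which leaves
! 192.168.1.0/24 free for the pre-existing tunnel that already uses it. Site A's
! own Internet PAT must exempt this traffic the same way Site B does.
access-list 110 permit ip 192.168.28.0 0.0.0.255 10.10.44.0 0.0.0.255
!
ip access-list extended SITE-A-INTERNET
 deny   ip 192.168.28.0 0.0.0.255 10.10.44.0 0.0.0.255
 permit ip 192.168.28.0 0.0.0.255 any
!
! ---- Verification (run on Site B after a ping from 192.168.1.100 to a 192.168.28.x host) ----
! show ip nat translations   -> expect 192.168.1.100 <-> 10.10.44.100 for the static entry,
!                               and 192.168.1.x <-> 10.10.44.1xx pool entries for other hosts
! show crypto ipsec sa       -> local ident 10.10.44.0/24, remote ident 192.168.28.0/24,
!                               encaps/decaps counters increasing
! debug ip nat               -> shows which rule each packet hit (lab use only; noisy)
```

If a release rejects `route-map` on the `ip nat inside source static network ... /24` form, as Federico found on 12.3, the pool approach above is the whole-subnet alternative that is widely supported; whether a given release accepts a route-map on the `static network` form is best confirmed with `?` on that router rather than assumed.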