09-14-2010 02:10 PM
Hello everybody, I need some help with a VPN configuration. This is the problem: I need to NAT all the VPN traffic because I need to set up a VPN, but I already have another VPN with the same network, so it overlaps with the new one. How can I NAT all traffic to another network to avoid the network overlap?
Please, I really need help.
Thanks
09-14-2010 03:08 PM
Hi,
If you have an ASA, then you NAT using Policy NAT, something like this:
Site A:
access-list NAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
static (in,out) 10.3.3.0 access-list NAT
Site B:
access-list NAT permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
static (in,out) 10.2.2.0 access-list NAT
Both internal networks are 10.1.1.0/24 but the VPN communication (after NAT) is between 10.2.2.0/24 and 10.3.3.0/24
Federico.
09-14-2010 03:24 PM
Hi, thanks. I have a Cisco 1711 router; do you know how to do it on this equipment? I must have PAT for Internet access and NAT for VPN traffic.
Thanks a lot
09-15-2010 07:36 AM
You use the same idea that I showed you before.
If you need more help please post the networks for both sides and we'll show the configuration commands.
Federico.
09-15-2010 07:42 AM
Hello, thank you, I really appreciate your help. Here are the networks for both sites:
SITE A: 192.168.28.0/24
SITE B: 192.168.1.0/24
I want to NAT the segment 192.168.1.0/24 to 10.10.10.0/24 because on the SITE A router I already have another VPN with the 192.168.1.0/24 segment, so it overlaps with the new one, and I must have Internet access on the SITE B router.
Thanks
09-15-2010 05:13 PM
The configuration varies if you have ASAs or routers as VPN endpoints.
Do you have routers or ASAs?
Federico.
09-16-2010 02:23 PM
I have a Cisco 1711 router.
Thanks
09-16-2010 03:53 PM
For example:
If the LAN is 192.168.1.0/24 and you want to NAT it to 192.168.2.0/24 when going through the tunnel:
ip nat inside source static network 192.168.1.0 192.168.2.0 /24
Problem with this is that it will translate the network always (not only when going through the tunnel).
If you do:
ip nat inside source static 192.168.1.1 192.168.2.1 route-map NAT
Then you can bind a route-map to specify that the static NAT rule will take effect only when the route-map conditions are met.
Problem is that you will need to do one IP at a time.
In ASAs it is a lot easier.
Perhaps someone else has tried this (because I don't see how to apply a route-map when specifying a network in the static NAT).
Federico.
09-17-2010 08:44 AM
OK, I think I understand you. This is my config:
MiniBox#sh run
Building configuration...
Current configuration : 2181 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MiniBox
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
clock timezone Mexico -6
clock summer-time Mexico date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip ips po max-events 100
no ftp-server write-enable
!
!
!
username ***** privilege 15 secret 5 *******
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ***** address *****
no crypto isakmp ccm
!
!
crypto ipsec transform-set MiniBox esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer ******
set transform-set MiniBox
match address 101
!
!
!
interface FastEthernet0
ip address 10.1.131.85 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface FastEthernet4
no cdp enable
!
interface Vlan1
ip address 192.168.1.253 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Async1
no ip address
!
ip classless
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static network 192.168.1.0 10.10.44.0 /24
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.28.0 0.0.0.255
no cdp run
!
!
control-plane
!
!
line con 0
login local
line 1
MiniBox#
MiniBox#
Am I OK or not? In ACL 101, must I have the NAT segment 192.168.1.0 as my permit traffic, or my no-NAT segment? And what if I want to NAT to have Internet access?
Thanks
09-17-2010 10:18 AM
ip nat inside source static network 192.168.1.0 10.10.44.0 /24
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.28.0 0.0.0.255
The ACL 101 should be:
access-list 101 permit ip 10.10.44.0 0.0.0.255 192.168.28.0 0.0.0.255
The reason is that since you're translating the 192.168.1.0/24 to 10.10.44.0/24 when going through the tunnel, then the ACL for VPN traffic should specify the translated address as the local network.
Again, I don't see an option for making this NAT a conditional NAT.
If you need NAT for Internet, you can try the following:
ip nat inside source static 192.168.1.1 10.10.44.1 route-map VPN
route-map VPN
match ip address VPN-traffic
ip access-list extended VPN-traffic
permit ip 192.168.1.0 0.0.0.255 192.168.28.0 0.0.0.255
In this way, host 192.168.1.1 will be translated to 10.10.44.1 only when going to 192.168.28.0/24
Try it and see if it works.
Federico.
09-17-2010 11:30 AM
Hi, the first one works perfectly, but with the second one, when I want to access the Internet it doesn't work; for the VPN it works. Here is my config.
MiniBox#sh run
Building configuration...
Current configuration : 2335 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MiniBox
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
clock timezone Mexico -6
clock summer-time Mexico date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip ips po max-events 100
no ftp-server write-enable
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key **** address ******
no crypto isakmp ccm
!
!
crypto ipsec transform-set MiniBox esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer *******
set transform-set MiniBox
match address 101
!
!
!
interface FastEthernet0
description $ETH-WAN$
ip address 10.1.131.85 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface FastEthernet4
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Async1
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.131.1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static 192.168.1.100 10.10.44.100 route-map VPN
!
!
!
ip access-list extended VPN-traffic
permit ip 192.168.1.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 101 permit ip 10.10.44.0 0.0.0.255 192.168.28.0 0.0.0.255
no cdp run
!
route-map VPN permit 10
match ip address VPN-traffic
!
!
control-plane
!
!
line con 0
login local
line 1
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
end
We are really close. Thanks for all your help, I really appreciate it.
09-17-2010 11:33 AM
You're saying the 192.168.1.100 is able to go through the tunnel and to the internet now?
Try adding another....
ip nat inside source static 192.168.1.101 10.10.44.101 route-map VPN
for example.
Federico.
09-17-2010 11:36 AM
No, the 192.168.1.100 can only go through the tunnel; it doesn't have Internet access.
09-17-2010 11:40 AM
Normally you would add:
ip access-list extended INTERNET
deny ip 192.168.1.0 0.0.0.255 192.168.28.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
route-map INTERNET
match ip address INTERNET
ip nat inside source route-map INTERNET interface FastEthernet0 overload
To allow the 192.168.1.0/24 internet access (except when going through the tunnel).
Try that, but I did notice that the outside interface has a private IP (where the VPN tunnel ends).
Is this tunnel going over the Internet and if so, something else might be NATing the IP then.
Federico.
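The reason the crypto ACL has to list the translated 10.10.44.0/24 network, why the "static network" form broke Internet access, and why each inside host needs its own route-map static entry all come down to the same thing: on IOS, inside-to-outside NAT is applied before the crypto map is evaluated, and a static entry takes precedence over the dynamic PAT rule. The following Python model of that order of operations is an added illustration, not code from this thread or from Cisco; it uses the thread's addresses (LAN 192.168.1.0/24, VPN pool 10.10.44.0/24, remote 192.168.28.0/24, WAN address 10.1.131.85) and the flows it evaluates are constructed.

```python
import ipaddress

# Addresses from the thread; the flows fed through forward() below are constructed.
LAN = ipaddress.ip_network("192.168.1.0/24")        # Site B inside network
REMOTE = ipaddress.ip_network("192.168.28.0/24")    # Site A network (far end of the tunnel)
VPN_POOL = ipaddress.ip_network("10.10.44.0/24")    # what Site B looks like inside the tunnel
WAN_IP = ipaddress.ip_address("10.1.131.85")        # FastEthernet0, used for PAT overload

# "ip nat inside source static <inside> <global> route-map VPN", one line per host.
STATIC_HOSTS = {
    "192.168.1.100": "10.10.44.100",
}


def acl_vpn_traffic(src, dst):
    """ip access-list extended VPN-traffic: permit ip 192.168.1.0/24 192.168.28.0/24."""
    return src in LAN and dst in REMOTE


def acl_internet(src, dst):
    """ip access-list extended INTERNET: deny LAN -> REMOTE, then permit LAN -> any."""
    if src in LAN and dst in REMOTE:
        return False
    return src in LAN


def acl_101(src, dst):
    """Crypto ACL 101 (corrected form): permit ip 10.10.44.0/24 192.168.28.0/24."""
    return src in VPN_POOL and dst in REMOTE


def forward(src_str, dst_str, static_network=False, pat=True):
    """Describe how one inside-to-outside packet leaves FastEthernet0.

    static_network=True models "ip nat inside source static network 192.168.1.0
    10.10.44.0 /24", which translates the whole /24 unconditionally.
    static_network=False models the per-host route-map entries in STATIC_HOSTS.
    pat=True adds the "route-map INTERNET ... overload" rule; pat=False is the
    intermediate config that had no Internet NAT at all.
    """
    src = ipaddress.ip_address(src_str)
    dst = ipaddress.ip_address(dst_str)

    # Step 1: NAT (inside -> outside) runs before the crypto map is consulted.
    # A matching static entry wins over the dynamic PAT rule.
    if static_network and src in LAN:
        offset = int(src) - int(LAN.network_address)
        nat_src, how = VPN_POOL.network_address + offset, "static-network"
    elif src_str in STATIC_HOSTS and acl_vpn_traffic(src, dst):
        nat_src, how = ipaddress.ip_address(STATIC_HOSTS[src_str]), "static-route-map"
    elif pat and acl_internet(src, dst):
        nat_src, how = WAN_IP, "pat"
    else:
        nat_src, how = src, "none"

    # Step 2: the crypto map ("match address 101") sees the translated source.
    encrypted = acl_101(nat_src, dst)
    return {"src": str(nat_src), "nat": how, "encrypted": encrypted}


if __name__ == "__main__":
    for flow in [("192.168.1.100", "192.168.28.5"),
                 ("192.168.1.100", "8.8.8.8"),
                 ("192.168.1.101", "192.168.28.5")]:
        print(flow, forward(*flow))
    print("static network form, to Internet:",
          forward("192.168.1.100", "8.8.8.8", static_network=True))
```

Running it shows the three situations from the thread: with the final config, 192.168.1.100 reaches 192.168.28.0/24 as 10.10.44.100 and is encrypted, and reaches the Internet as 10.1.131.85 without touching the tunnel. With the "static network" form, Internet-bound traffic is also rewritten to 10.10.44.x and so can never be PATed. A host such as 192.168.1.101 that has no static entry of its own is neither translated nor matched by ACL 101 and leaves the router in the clear toward the default route, which is why a static line per host is required.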
09-17-2010 11:47 AM
Thanks a lot Federico, now I can access the Internet and the VPN.