Can Easy VPN Clients Be NAT'ed to Access Subnets Behind Easy VPN Server?


I have some VPN clients that need to access a device on an internal subnet that is not directly connected to the 1801 router acting as the Easy VPN Server.  The router has an internal IP address of 10.20.1.1.  The VPN clients are being assigned addresses from the 10.1.1.0/24 subnet.  The device has an IP of 10.30.1.30 and it is behind a gateway that has an IP of 10.20.1.2.


I cannot modify the routing table of the gateway that has the IP of 10.20.1.2 so that it knows to route 10.1.1.0/24 traffic to 10.20.1.1 because it is not under my control.


Is it possible for me to NAT the VPN client traffic behind the VLAN 1 interface so the device sees the VPN client traffic coming from 10.20.1.1 and knows how to get to that?


I know that assigning the VPN clients IP addresses from the 10.20.1.0 subnet would work, but that subnet is not under my control and that might cause some conflicts.


Thanks for any help you can give.

praprama Thu, 09/23/2010 - 22:00

Hey,


You should be able to do that. You basically have to overload the VPN client pool to the inside IP address of 10.20.1.1. Assuming the interface the VPN clients connect to is fa0/0 and the interface fa0/1 has the IP address 10.20.1.1. Also, I am guessing you already have ip nat inside on fa0/1 and ip nat outside on fa0/0.


So you will need the following:


ip access-list extended VPN
permit ip 10.1.1.0 0.0.0.255 host 10.30.1.30

ip nat outside source list VPN interface fa0/1 overload


Hope this helps. Let me know how it goes!


Thanks and Regards,

Prapanch

Prapanch,


Thank you for your response.  Basically, all of your assumptions are correct.  The external interface is FastEthernet0 and the internal interface is VLAN1.  I'm not able to type that command on the 1801 router.  I'm only able to type the following:


          ip nat outside source list VPN pool Test


I'm not even given the option to use the "interface" keyword:


          cisco-1801(config)#ip nat outside source list VPN ?
             pool  Name pool of local addresses


          cisco-1801(config)#


I tried using the following to make it work but it didn't work:


          ip nat pool Test 10.20.1.1 10.20.1.1 netmask 255.255.255.0
          ip nat outside source list 108 pool Test



Do you have any other ideas or see anything I'm missing?


Thanks again.

praprama Fri, 09/24/2010 - 00:43

Hi Alex,


I would have thought of the same thing. Is it working with that config?


Thanks and Regards,

Prapanch

praprama Fri, 09/24/2010 - 01:50

What does your "show access-list 108" look like? Try adding the "overload" keyword at the end and see if it helps.


ip nat outside source list 108 pool Test overload


Also, the below link seems to suggest an add-route keyword at the end of the above command which is necessary for this to work:


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml


Regards,

Prapanch
