Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3616
Views
0
Helpful
5
Replies

Can Easy VPN Clients Be NAT'ed to Access Subnets Behind Easy VPN Server?

alex.brown
Level 1
Level 1

‎09-23-2010 07:22 PM

I have some VPN clients that need to access a device on an internal subnet that is not directly connected to the 1801 router acting as the Easy VPN Server.  The router has an internal IP address of 10.20.1.1.  The VPN clients are being assigned addresses from the 10.1.1.0/24 subnet.  The device has an IP of 10.30.1.30 and it is behind a gateway that has an IP of 10.20.1.2.

I cannot modify the routing table of the gateway that has the IP of 10.20.1.2 so that it knows to route 10.1.1.0/24 traffic to 10.20.1.1 because it is not under my control.

Is it possible for me to NAT the VPN client traffic behind the VLAN 1 interface so the device sees the VPN client traffic coming from 10.20.1.1 and knows how to get to that?

I know that assigning the VPN clients IP address from the 10.20.1.0 subnet would work but that subnet is not under my control and that might cause some conflicts.

Thanks for any help you can give.

Labels:
0 Helpful
5 Replies 5

praprama
Cisco Employee
Cisco Employee

‎09-23-2010 10:00 PM

Hey,

You should be able to do that. You basically have to overload the PVN client pool to the inside ip address of 10.20.1.1. Assuming the interface the VPN clients connect to is fa0/0 and the interface fa0/1 has ip address of 10.20.1.1. Also, i am guessing you already have ip nat inside on fa0/1 and ip nat outside on fa0/0.

So you will need the following:

ip access-list extended VPN

permit ip 10.1.1.0 0.0.0.255 host 10.30.1.30

ip nat outside source list VPN interface fa0/1 overload.

Hope this helps. Let me know how it goes!

Thanks and Regards,

Prapanch

0 Helpful

alex.brown
Level 1
Level 1
In response to praprama

‎09-23-2010 11:29 PM

Prapanch,

Thank you for your response.  Basically, all of your assumptions are correct.  The external interface is FastEthernet0 and the internal interface is VLAN1.  I'm not able to type that command on the 1801 router.  I'm only able to type the following:

          ip nat outside source list VPN pool Test

I'm not even given the opiton to use the "interface" option:

          cisco-1801(config)#ip nat outside source list VPN ?
             pool  Name pool of local addresses

          cisco-1801(config)#

I tried using the following to make it work but it didn't work:

          ip nat pool Test 10.20.1.1 10.20.1.1 netmask 255.255.255.0
          ip nat outside source list 108 pool Test

Do you have any other ideas or see anything I'm missing?

Thanks again.

0 Helpful

praprama
Cisco Employee
Cisco Employee
In response to alex.brown

‎09-24-2010 12:43 AM

Hi Alex,

I would have thought of the same thing. Is it working with that config?

Thanks and Regatrds,

Prapanch

0 Helpful

alex.brown
Level 1
Level 1
In response to praprama

‎09-24-2010 12:47 AM

No.  It's not working with that config.

0 Helpful

praprama
Cisco Employee
Cisco Employee
In response to alex.brown

‎09-24-2010 01:50 AM

What does your "show access-list 108" look like? Try adding the "overload" keyword at the end and see if it helps.

ip nat outside source list 108 pool Test overload

Also, the below link seems to suggest an add-route keyword at the end of the above command which is necessary for this to work:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml

Regards,

Prapanch

0 Helpful
Customers Also Viewed These Support Documents