IPSec tunnel and policy NAT question

Jan 11th, 2012

Hello All!

I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPsec tunnel as follows:

1. I need to translate the incoming IP address of the remote end of the IPsec tunnel to some other IP address on our end.

2. I need to translate the outgoing IP address of our end of the IPsec tunnel to a different IP address.

I have implemented the following configuration, but for some reason it is not working: I get packets decrypted on my end, but don't have packets encrypted to send to the other end.

Here is the configuration

Remote end crypto interesting ACL:

ip access-list extended crypto-interesting-remote
 permit ip host 192.168.1.10 host 10.0.0.10

My end configuration:

interface GigabitEthernet0/0
 ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map VPN

ip access-list extended crypto-interesting-local
 permit ip host 10.0.0.10 host 192.168.1.10

interface GigabitEthernet0/3
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 speed auto

ip nat inside source static 172.16.0.20 10.0.0.10
(translates the local IP address to the one on the crypto-interesting list, exposed to the remote peer; this works)

ip nat outside source static 192.168.1.10 192.168.168.10
(translates the remote IP address to some other IP address on our end; not working: I get packets decrypted, but no packets encrypted)

ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa

All the routes are set, the crypto IPsec tunnel is up and working, and I am wondering if it is possible to achieve two-way NAT translation?

Any response highly appreciated!

Thanks!

Ruterford Thu, 01/12/2012 - 08:21

Figured that out.

The problem was in the route

ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0

It should be a next-hop IP address instead of interface gigabitethernet0/0.

Apparently the packet arrives on the interface but does not pass it when having a route like this, because there is nobody sitting with the 192.168.168.10 IP address on the outside.
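The following Python model is an added illustration (not code from the poster or from Cisco) of why the interface-only host route breaks the outbound leg while the next-hop route fixes it. It simplifies the IOS order of operations to three steps for inside-to-outside traffic (route lookup on the untranslated destination, NAT, crypto map check) and two steps for decrypted outside-to-inside traffic (NAT, then routing). The ISP next hop 203.0.113.1 is a constructed placeholder for the masked xxx.xxx.xxx.xxa in the post, and the ARP table is constructed so that only that next hop answers on the outside segment, which is the situation the poster describes.

```python
"""Model of the NAT-over-IPsec forwarding path discussed in the thread.

Added illustration, not Cisco code. IOS behaviour is simplified to the steps
that matter here; the next hop 203.0.113.1 is a constructed placeholder.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# --- taken from the posted configuration ----------------------------------
NAT_INSIDE_SOURCE = {"172.16.0.20": "10.0.0.10"}        # ip nat inside source static
NAT_OUTSIDE_SOURCE = {"192.168.1.10": "192.168.168.10"}  # ip nat outside source static
CRYPTO_ACL_LOCAL = {("10.0.0.10", "192.168.1.10")}       # crypto-interesting-local
CRYPTO_ACL_REMOTE = {("192.168.1.10", "10.0.0.10")}      # crypto-interesting-remote

NEXT_HOP = "203.0.113.1"  # constructed placeholder for xxx.xxx.xxx.xxa

# Routing tables as {prefix: (egress interface, next hop or None)}.
ROUTES_BROKEN = {  # original post: host route points at the interface only
    "192.168.168.10/32": ("GigabitEthernet0/0", None),
    "0.0.0.0/0": ("GigabitEthernet0/0", NEXT_HOP),
}
ROUTES_FIXED = {  # the poster's fix: host route points at the next-hop address
    "192.168.168.10/32": ("GigabitEthernet0/0", NEXT_HOP),
    "0.0.0.0/0": ("GigabitEthernet0/0", NEXT_HOP),
}

# Constructed: the only device answering ARP on the Gi0/0 segment is the ISP
# next hop. Nobody owns 192.168.168.10 there; it exists only in the NAT table.
ARP_ANSWERS_ON_GI0_0 = {NEXT_HOP}


def lookup_route(routes, dst):
    """Longest-prefix match; returns (interface, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, entry in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, entry)
    return best[1] if best else None


def adjacency_resolves(next_hop, dst):
    """An interface-only static route on Ethernet makes the router ARP for the
    destination itself; with a next hop configured it ARPs for the next hop."""
    return (next_hop or dst) in ARP_ANSWERS_ON_GI0_0


def forward_inside_to_outside(pkt, routes):
    """Inside -> outside: routing runs before NAT, on the untranslated
    (outside global) destination; then NAT; then the crypto map is checked."""
    route = lookup_route(routes, pkt.dst)
    if route is None:
        return f"dropped: no route to {pkt.dst}"
    _intf, next_hop = route
    if not adjacency_resolves(next_hop, pkt.dst):
        return f"dropped: ARP for {next_hop or pkt.dst} on GigabitEthernet0/0 unanswered"
    src = NAT_INSIDE_SOURCE.get(pkt.src, pkt.src)             # inside local -> inside global
    outside_global_to_local = {v: k for k, v in NAT_OUTSIDE_SOURCE.items()}
    dst = outside_global_to_local.get(pkt.dst, pkt.dst)        # outside global -> outside local
    if (src, dst) in CRYPTO_ACL_LOCAL:
        return f"encrypted: {src} -> {dst}"
    return f"sent in clear: {src} -> {dst}"


def forward_outside_to_inside(pkt):
    """Outside -> inside after decryption: NAT first, then the route lookup
    on the translated (inside local) destination."""
    src = NAT_OUTSIDE_SOURCE.get(pkt.src, pkt.src)             # outside local -> outside global
    inside_global_to_local = {v: k for k, v in NAT_INSIDE_SOURCE.items()}
    dst = inside_global_to_local.get(pkt.dst, pkt.dst)         # inside global -> inside local
    if ipaddress.ip_address(dst) in ipaddress.ip_network("172.16.0.0/24"):
        return f"delivered on GigabitEthernet0/3: {src} -> {dst}"
    return f"dropped: no inside route to {dst}"


def crypto_acls_mirror(local, remote):
    """Each side's interesting-traffic ACL must be the exact mirror of the other's."""
    return local == {(d, s) for s, d in remote}


if __name__ == "__main__":
    out = Packet("172.16.0.20", "192.168.168.10")   # what the inside host sends
    print("broken route:", forward_inside_to_outside(out, ROUTES_BROKEN))
    print("fixed route: ", forward_inside_to_outside(out, ROUTES_FIXED))
    print("inbound:     ", forward_outside_to_inside(Packet("192.168.1.10", "10.0.0.10")))
    print("ACLs mirror: ", crypto_acls_mirror(CRYPTO_ACL_LOCAL, CRYPTO_ACL_REMOTE))
```

Run as a script, the model reproduces the thread: with the interface-only route the outbound packet dies at the ARP step before NAT or the crypto map ever see it, while with a next-hop route the destination is translated back to 192.168.1.10, the flow matches crypto-interesting-local and gets encrypted; the inbound leg works either way because NAT runs before routing in that direction. The crypto_acls_mirror check is the other thing worth confirming in a setup like this, since the local ACL has to describe the post-NAT addresses that the remote peer's ACL mirrors.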
