TO nat public ip in vpn

prashantrecon
Level 1

Hi All,

I need to set up a site-to-site tunnel, as my LAN range is conflicting with the far end.

We usually do nonat while configuring the VPN. Now I need to NAT the LAN.

Assume my LAN IP is 10.10.x.x.

Public IP: 202.x.x.x.

Can anyone send me the documents?


V S Narayana Chivukula
Cisco Employee

Hi Prashant,

You should NAT your LAN subnet to an unused IP range and then use that NATted IP range in the crypto access-list.

Example: if your LAN is 10.10.10.0/24 and the remote subnet is 20.20.20.0/24 (20.20.20.0/24 is in turn the NATted IP range of the remote overlapping subnet 10.10.10.0/24).

NAT to an unused subnet, say 11.11.11.0/24:

static (inside,outside) 11.11.11.0 10.10.10.0 netmask 255.255.255.0

Use the NATted subnet in the crypto access-list:

access-list crypto-acl extended permit ip 11.11.11.0 255.255.255.0 20.20.20.0 255.255.255.0

Do the same at remote end as well.

Hope this is helpful.

Narayana

So I need to NAT my LAN with a public IP and use that public IP in the interesting traffic.

So what about the nonat statement?

Not to a public IP. NAT it to some private IP range which is not used in your network or the remote network.

You do not need the nonat statement as you are NATting the traffic.

Hi Narayana

The thing is, all the private IPs are conflicting, so I need to NAT with a public IP.

Hi Prashant,

Then try NATting to some public IP range and use that in the crypto access-list.

Hi

Below is the interesting traffic which we have configured with nonat:

access-list outside_3_cryptomap extended permit ip 172.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0

access-list outside_3_cryptomap extended permit ip 172.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0

access-list nonat extended permit ip 172.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0

access-list nonat extended permit ip 172.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0

Now, due to some conflict, I am NATting my LAN range with a public IP as below, and I will remove the nonat statement. Does this config work?

static (inside,outside) 202.x.x.x 172.x.x.x netmask 255.255.255.0

access-list outside_3_cryptomap extended permit ip 172.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0

access-list outside_3_cryptomap extended permit ip 172.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0

access-group  outside_3_cryptomap in interface outside

Hi Prashant,

Please configure NAT as below:

access-list nat extended permit ip 172.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0

access-list nat extended permit ip 172.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0

static (inside,outside) 202.x.x.x access-list nat

The crypto map access-list should contain the NATted IP:

access-list outside_3_cryptomap extended permit ip 202.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0

access-list outside_3_cryptomap extended permit ip 202.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0

The crypto access-list is only there to identify the traffic to be tunnelled through the VPN, so you need not apply it on the outside interface. So you do not need the following line:

access-group  outside_3_cryptomap in interface outside

And you should apply it in the crypto map:

crypto map match address outside_3_cryptomap

Narayana
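The point of the correction above is order of operations: the ASA applies the policy NAT first and then evaluates the crypto map against the translated packet, so a crypto ACL still written with the pre-NAT 172.x.x.x source never matches. The following is an added illustration, not code from the thread or from Cisco; it models that packet walk with constructed stand-in prefixes (172.16.1.0/25 for the LAN, 203.0.113.0/25 for the 202.x.x.x public block, 10.20.0.0/18 and 192.168.0.0/18 for the remote /18s), since the real values are not on the page.

```python
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass
class PolicyNat:
    """Models 'static (inside,outside) <mapped> access-list nat': a source in
    real_net talking to one of dest_nets is rewritten into mapped_net with the
    host bits preserved (both prefixes have the same length)."""
    real_net: Net
    mapped_net: Net
    dest_nets: list

    def translate(self, src: Addr, dst: Addr) -> Addr:
        if src in self.real_net and any(dst in d for d in self.dest_nets):
            offset = int(src) - int(self.real_net.network_address)
            return Addr(int(self.mapped_net.network_address) + offset)
        return src  # not policy-NAT traffic: source left unchanged


def mapped_source(nat: PolicyNat, src: str, dst: str) -> str:
    """Source address as seen on the outside interface after NAT."""
    return str(nat.translate(Addr(src), Addr(dst)))


def tunnelled(nat: PolicyNat, acl, src: str, dst: str) -> bool:
    """The crypto map is matched on the packet *after* NAT, so the crypto ACL
    (a list of (source_net, dest_net) permit entries) must use mapped sources."""
    s, d = Addr(src), Addr(dst)
    s = nat.translate(s, d)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)


# Constructed stand-ins for the thread's 172.x.x.x/25 LAN, 202.x.x.x public
# block and the two remote /18 subnets (assumed values, not from the page).
REAL, MAPPED = Net("172.16.1.0/25"), Net("203.0.113.0/25")
REMOTE = [Net("10.20.0.0/18"), Net("192.168.0.0/18")]
NAT = PolicyNat(REAL, MAPPED, REMOTE)

# Crypto ACL as first posted: still keyed on the pre-NAT source.
ACL_BEFORE = [(REAL, r) for r in REMOTE]
# Crypto ACL as corrected in the reply: keyed on the mapped public source.
ACL_AFTER = [(MAPPED, r) for r in REMOTE]

if __name__ == "__main__":
    for name, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(name, tunnelled(NAT, acl, "172.16.1.10", "10.20.0.5"))
```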

Thanks

Hi Narayana,

Is access-group nat in interface outside required or not? Can you explain it to me?

Hi Prashant,

You do not require the access-group command in this VPN setup. The access-group command is used to apply an access-list on an interface, and access-lists are for traffic that goes through the device. In a VPN, as the traffic gets tunnelled, you do not need that statement.

So the access-group nat command is not required.

Narayana

Thank you
