To NAT public IP in VPN

Mar 1st, 2012

Hi All,

I need to set up a site-to-site tunnel, as my LAN range is getting a conflict with the far end.

We usually do nonat while configuring VPN. Now I need to NAT the LAN.

Assume my LAN IP is 10.10.x.x.

Public IP: 202.x.x.x.

Can anyone send me the documents?

vschivuk Thu, 03/01/2012 - 20:13

Hi Prashant,

You should NAT your LAN subnet to an unused IP range and then use that NATted IP range in the crypto access-list.

Example: if your LAN is 10.10.10.0/24 and the remote subnet is 20.20.20.0/24 (20.20.20.0/24 is again the NATted IP of the remote overlapping subnet, 10.10.10.0/24):

NAT to an unused subnet, say 11.11.11.0/24:

static (inside,outside) 11.11.11.0 10.10.10.0 netmask 255.255.255.0

Use the NATted subnet in the crypto access-list:

access-list crypto-acl extended permit ip 11.11.11.0 255.255.255.0 20.20.20.0 255.255.255.0

Do the same at remote end as well.

Hope this is helpful.

Narayana
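A small planning helper for the approach described in this answer, added here as an example and not part of the thread or of any Cisco tool: it picks a translation range that collides with neither side, emits the ASA 8.2-style static NAT and crypto access-list lines, and checks that the crypto ACL carries only the translated source. The interface names, the ACL name and the candidate pool are assumptions.

```python
import ipaddress

def pick_translation_subnet(local_lan, remote_subnets, pool):
    """Return the first pool range of the same size as local_lan that
    overlaps neither the local LAN nor any remote subnet."""
    local = ipaddress.ip_network(local_lan)
    remotes = [ipaddress.ip_network(r) for r in remote_subnets]
    for cand in pool:
        net = ipaddress.ip_network(cand)
        if net.prefixlen != local.prefixlen:
            continue  # a static one-to-one NAT needs an equal-sized range
        if net.overlaps(local) or any(net.overlaps(r) for r in remotes):
            continue  # would collide with one side or the other
        return net
    raise ValueError("no free translation range in the pool")

def build_config(local_lan, remote_subnets, nat_subnet, acl="crypto-acl"):
    """ASA 8.2-style lines: translate the LAN, then match the *translated*
    source in the crypto ACL. Interface and ACL names are assumptions."""
    local = ipaddress.ip_network(local_lan)
    nat = ipaddress.ip_network(str(nat_subnet))
    lines = [f"static (inside,outside) {nat.network_address} "
             f"{local.network_address} netmask {local.netmask}"]
    for remote in remote_subnets:
        r = ipaddress.ip_network(remote)
        lines.append(f"access-list {acl} extended permit ip "
                     f"{nat.network_address} {nat.netmask} "
                     f"{r.network_address} {r.netmask}")
    return lines

def crypto_acl_uses_translated(lines, local_lan):
    """Sanity check: a crypto ACL entry whose source is the real (untranslated)
    LAN never matches post-NAT packets, so that traffic is not tunnelled."""
    local = ipaddress.ip_network(local_lan)
    for line in lines:
        fields = line.split()
        if (len(fields) > 5 and fields[0] == "access-list"
                and fields[5] == str(local.network_address)):
            return False
    return True

if __name__ == "__main__":
    # Constructed sample using the thread's own numbers: 10.10.10.0/24 local,
    # 20.20.20.0/24 remote (already NATted), a pool of candidate private ranges.
    nat = pick_translation_subnet("10.10.10.0/24", ["20.20.20.0/24"],
                                  ["10.10.10.0/24", "11.11.11.0/24"])
    for line in build_config("10.10.10.0/24", ["20.20.20.0/24"], nat):
        print(line)
```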

prashantrecon Thu, 03/01/2012 - 22:12

So I need to NAT my LAN with a public IP and use that public IP in the interesting traffic.

So what about the nonat statement?

vschivuk Thu, 03/01/2012 - 22:26

Not to a public IP. NAT it to some private IP range which is not used in your network or the remote network.

You do not need the nonat statement, as you are NATting the traffic.

prashantrecon Thu, 03/01/2012 - 22:32

Hi Narayana

The thing is, all the private IPs are getting a conflict, so I need to NAT with a public IP.

vschivuk Thu, 03/01/2012 - 22:40

Hi Prashant,

Then try NATting to some public IP range and use that in the crypto access-list.

prashantrecon Fri, 03/02/2012 - 00:50

Hi

Below is the interesting traffic which we have configured with nonat:

access-list outside_3_cryptomap extended permit ip 172.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0

access-list outside_3_cryptomap extended permit ip 172.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0

access-list nonat extended permit ip 172.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0

access-list nonat extended permit ip 172.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0

Now, due to some conflict, I am NATting my LAN range with a public IP as below, and I will remove the nonat statement. Does this config work?

static (inside,outside) 202.x.x.x 172.x.x.x netmask 255.255.255.0

access-list outside_3_cryptomap extended permit ip 172.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0

access-list outside_3_cryptomap extended permit ip 172.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0

access-group  outside_3_cryptomap in interface outside

vschivuk Fri, 03/02/2012 - 07:27

Hi Prashant,

Please configure NAT as below:

access-list nat extended permit ip 172.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0

access-list nat extended permit ip 172.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0

static (inside,outside) 202.x.x.x access-list nat

The crypto map access-list should contain the natted IP.

access-list outside_3_cryptomap extended permit ip 202.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0

access-list outside_3_cryptomap extended permit ip 202.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0

The crypto access-list is only to identify the traffic to be tunnelled through the VPN, so you need not apply it on the outside interface. So you do not need the following line:

access-group  outside_3_cryptomap in interface outside

And you should apply it in the crypto map:

crypto map match address outside_3_cryptomap

Narayana

prashantrecon Sat, 03/03/2012 - 00:07

Hi Narayana,

Is access-group nat in interface outside required or not? Can you explain it to me?

vschivuk Sun, 03/04/2012 - 17:49

Hi Prashant,

You do not require the access-group command in this VPN setup. The access-group command is used to apply an access-list on an interface, and access-lists are for traffic that goes through the device. In VPN, as the traffic gets tunnelled, you do not need that statement.

So the access-group nat command is not required.

Narayana

Posted March 1, 2012 at 6:18 AM