Can I replace both src and dst ip with policy nat, into VPN?
I want to set up an L2L tunnel to a third party. Because of their and our requirements, I want to do NAT of both our addresses and theirs at our end. Is that possible?
I'll explain further in the attached topology. I have local clients addressed 172.30.30.81-94 that need to access equipment in the remote end with real IPs 10.5.10.11-15. However, I want to access these 5 IPs by addressing them 192.168.7.10, 11, 20, 21, 22. Also, my source traffic shouldn't be visible to the remote end; I want them to see me as 10.250.192.193-206.
I am trying to do setups like these:
object-group network VPN-COMPANY_localip_real
 network-object 172.30.30.80 255.255.255.240
object-group network VPN-COMPANY_localip_nat
 network-object 10.250.192.192 255.255.255.240
object-group network VPN-COMPANY_remoteip_real
 network-object host 10.5.10.11
 network-object host 10.5.10.12
 network-object host 10.5.10.13
 network-object host 10.5.10.14
 network-object host 10.5.10.15
object-group network VPN-COMPANY_remoteip_nat
 network-object host 192.168.7.10
 network-object host 192.168.7.11
 network-object host 192.168.7.20
 network-object host 192.168.7.21
 network-object host 192.168.7.22
One per source address:
access-list VPN-COMPANY_static_193 extended permit ip host 172.30.30.81 object-group VPN-COMPANY_remoteip_nat
access-list VPN-COMPANY_static_193 extended permit ip host 172.30.30.81 object-group VPN-COMPANY_remoteip_real
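The following is an added example, not ASA configuration and not code posted in this thread: a small Python model of the double translation the question asks for, so the address arithmetic and the "only when going into the tunnel" condition can be sanity-checked before the NAT statements are written. The local side is modelled as a one-to-one static between the two /28s with the same host offset (.81 becomes .193, .94 becomes .206), and the remote side as five host-to-host pairs; the particular pairing of 192.168.7.x to 10.5.10.x (.10 to .11, .11 to .12, and so on) is an assumption, since the question lists both sets without stating the order.

```python
# Added example: plain-Python model of the double (source + destination) policy NAT
# described in the question. Not ASA code; it only checks the intended mapping.
from ipaddress import IPv4Address, IPv4Network

# Local side (from the question): real /28 translated one-to-one into the NAT /28,
# keeping the host offset, so 172.30.30.81 -> 10.250.192.193 and .94 -> .206.
LOCAL_REAL = IPv4Network("172.30.30.80/28")
LOCAL_NAT = IPv4Network("10.250.192.192/28")

# Remote side: the address we want to use -> the partner's real address.
# The pairing order is an assumption; the question lists the sets, not the pairs.
REMOTE_NAT_TO_REAL = {
    "192.168.7.10": "10.5.10.11",
    "192.168.7.11": "10.5.10.12",
    "192.168.7.20": "10.5.10.13",
    "192.168.7.21": "10.5.10.14",
    "192.168.7.22": "10.5.10.15",
}
REMOTE_REAL_TO_NAT = {real: nat for nat, real in REMOTE_NAT_TO_REAL.items()}


def _shift(addr: IPv4Address, from_net: IPv4Network, to_net: IPv4Network) -> IPv4Address:
    """Static one-to-one translation: same host offset in the other /28."""
    offset = int(addr) - int(from_net.network_address)
    return IPv4Address(int(to_net.network_address) + offset)


def translate_outbound(src: str, dst: str):
    """Inside -> tunnel. Both addresses are rewritten only when the packet is headed
    for one of the remote NAT addresses (the 'policy' part of policy NAT); any other
    packet is left to the ordinary NAT rules and returns None here."""
    s, d = IPv4Address(src), IPv4Address(dst)
    if s not in LOCAL_REAL or str(d) not in REMOTE_NAT_TO_REAL:
        return None
    return str(_shift(s, LOCAL_REAL, LOCAL_NAT)), REMOTE_NAT_TO_REAL[str(d)]


def translate_inbound(src: str, dst: str):
    """Tunnel -> inside: return traffic from the partner's real address to our NAT
    address is mapped back to (remote address as we see it, real local address)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    if str(s) not in REMOTE_REAL_TO_NAT or d not in LOCAL_NAT:
        return None
    return REMOTE_REAL_TO_NAT[str(s)], str(_shift(d, LOCAL_NAT, LOCAL_REAL))


def interesting_traffic(nat_src: str, nat_dst: str) -> bool:
    """Crypto-ACL check. NAT runs before encryption, so the crypto ACL must match
    the *translated* pair (10.250.192.192/28 -> 10.5.10.x), not the real local
    addresses or the 192.168.7.x aliases."""
    return IPv4Address(nat_src) in LOCAL_NAT and nat_dst in REMOTE_REAL_TO_NAT


if __name__ == "__main__":
    # Constructed sample flows: two that should be translated, one that is not
    # policy-NAT traffic because it targets the partner's real address directly.
    for src, dst in (("172.30.30.81", "192.168.7.10"),
                     ("172.30.30.94", "192.168.7.22"),
                     ("172.30.30.81", "10.5.10.11")):
        print(f"{src} -> {dst} becomes {translate_outbound(src, dst)}")
```

The `translate_outbound` condition is the same one the first access-list above expresses (host 172.30.30.81 to VPN-COMPANY_remoteip_nat): the source rewrite is tied to the destination being one of the 192.168.7.x aliases, which is why traffic sent to a real 10.5.10.x address comes back as None. The `interesting_traffic` helper is the check worth keeping in mind when the crypto map is built, since the tunnel's interesting-traffic ACL has to be written in terms of the post-NAT addresses.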
As for your access-list and statics for the destination address, you don't need them because they have already been taken care of with the first static statements in my post.
Note that because you are translating 192.168.7.x to 10.0.5.x addressing, I'm assuming you don't need to do conditional NAT as you have to do with your source addressing, because nothing will try to get 192.168.7.x unless it is via the VPN tunnel.
If I have assumed wrongly, you will need to modify the first set of static statements with ACLs.