Cisco Support Community


policy nat

Hi all,

I have a firewall to which 2 routers are connected. On the firewall, 4 site-to-site VPNs are created for a particular VLAN range, say 192.168.30.0/24.

On router 1 the IPs are as follows:

int fa0/01 - WAN link

ip address

int fa0/0

ip address 124.x.x.5 - inside interface.

On the firewall:

int gi0/1 - outside interface

ip address 124.x.x.6

int gi0/0 - inside interface

ip address 172.18.x.x

On the firewall all the VPNs are configured and NATting is done.

My requirement now is that all the VPNs should be configured on router 2, but the LAN range should be NATted on the same firewall.

On the second router the IPs are as follows:

int fa0/1

ip address link

int fa0/0

ip address 124.x.x.7

Assuming I have deleted the tunnels on the firewall and created them on router 2.

Now on the firewall I have done policy NAT:

nat (inside) 1 access-list test

global (outside) 1 124.x.x.8

access-list test permit ip object-group lanip object-group farendip

object-group network lanip


object-group network farendip (tunnel peer IPs):

network-object host

network-object host

network-object host

network-object host

On the firewall I have given the route: route outside 124.x.x.8 124.x.x.7

I have a few questions regarding the above config:

1) Is the config correct? Will it work once I create the tunnels on router 2?

2) Is it possible, for the same LAN range, to configure some tunnels on the firewall and some on the second router?
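A fuller version of the policy NAT block sketched above, written here as an added example (it is not the poster's configuration nor a Cisco reference config), in the pre-8.3 ASA syntax the post uses. It keeps the poster's 124.x.x.x placeholders, uses constructed placeholders 198.51.100.0/24 and 203.0.113.10 for one remote site's LAN and peer, and assumes the policy-NAT ACL has to match the remote LAN subnets (what inside hosts actually send to) rather than the tunnel peer addresses, and that router 2 in turn must treat 124.x.x.8 as the local address in its crypto ACL.

```cisco
! Added example (not from the post): pre-8.3 ASA policy NAT for LAN traffic
! that must reach remote VPN sites through router 2 on the outside segment.
! Constructed placeholders: remote LAN 198.51.100.0/24 behind peer 203.0.113.10.
! Poster's placeholders kept: PAT address 124.x.x.8, router 2 = 124.x.x.7,
! ASA outside interface = 124.x.x.6.

! Local LAN range (the post's 192.168.30.0/24) that must be translated
object-group network lanip
 network-object 192.168.30.0 255.255.255.0

! Remote-site LAN subnets, one network-object per site.
! Assumption: the ACL matches what inside hosts actually address (remote LANs);
! inside hosts never send to the tunnel peer's public IP, so an object-group of
! peer addresses would match nothing and no translation would occur.
object-group network remote-lans
 network-object 198.51.100.0 255.255.255.0

! Policy NAT: only LAN -> remote-LAN traffic is translated to 124.x.x.8,
! everything else on the inside keeps whatever other nat/global rules exist.
access-list test extended permit ip object-group lanip object-group remote-lans
nat (inside) 1 access-list test
global (outside) 1 124.x.x.8

! Forward path: hand remote-LAN traffic to router 2, which holds the tunnels.
! A route for 124.x.x.8 itself is not needed here; that address is the ASA's
! own translated source. Return traffic from router 2 to 124.x.x.8 is matched
! against the existing xlate and untranslated (the ASA proxy-ARPs for 124.x.x.8
! when it lies in the outside subnet, as the .5/.6/.7/.8 addressing suggests).
route outside 198.51.100.0 255.255.255.0 124.x.x.7

! On router 2 (IOS), the crypto ACL for this site must then describe the
! translated address, because that is what the remote peer sees:
!   access-list 110 permit ip host 124.x.x.8 198.51.100.0 0.0.0.255
```

A quick check after applying this is `show xlate` on the ASA while an inside host pings a remote-LAN address: an entry from 192.168.30.x to 124.x.x.8 confirms the policy ACL matched; no entry means the destination did not match the object-group.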


policy nat

Hi Bro

Please don’t take this the wrong way, but could you get a colleague of yours to write the problem description, in the near future. This is because I’m trying very hard to understand your problem here and assist you further. No worries bro, you rock :-)

Please do correct me if I'm wrong. What you're trying to achieve here is, from all 4 of your remote sites, you want to have redundant IPsec VPN tunnels, i.e. a primary VPN tunnel to Cisco Router#2 and a secondary VPN tunnel to the Cisco Firewall. If yes, then this setup cannot be achieved. In other words, it's not possible for the same remote sites' LAN network address to coexist in both pieces of equipment.

Here's what I would suggest you do. Make both your Cisco Router#1 and Cisco Router#2 the VPN servers running Cisco DMVPN. With this setup, all 4 of your remote sites will have 2 GRE over IPsec ACTIVE/ACTIVE VPN tunnels to your HQ, and the redundancy would be seamless.

With this setup, all LAN users behind the Cisco Firewall 172.18.XXX.XXX will still be able to access the Internet and all 4 of your remote sites. Your Cisco Firewall will then be doing pure Firewalling.

P/S: If you think this comment is useful, please do rate it nicely :-)

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department

policy nat

Hi Prashanth,

You have 2 Internet/WAN links terminated on the single firewall, right???

Already you are running S2S VPNs in your firewall with ISP 1. Now if you connect your ISP 2 on the same firewall, you want to use the same LAN ranges to have the S2S VPNs connected to different clients.....

Yes, you can do that. But I feel the firewall will not do much routing. So that is not the best idea.

LAN IP usage for different purposes can be done. Make sure that you have a specific route to connect with the client as well.

route outside1 124.x.x.8 like this for all the destination VPN site peers as well. This will make it complex, but it will work.

Please do rate if the given info helps.