
ipsec vpn behind nat

Hi, I would like to build a site-to-site VPN between 2 routers, with one behind NAT:

172.16.0.0/24
      |
91.103.32.1/24 (public)
      |
100.2.3.4/24 (public)
      |
192.168.20.1/24 (private)

I can easily assign a crypto map with 192.168.20.0/24 and peer destination 91.103.32.1. But how do I specify, from 91.103.32.1, the peer address destination, which is 192.168.20.1 but not directly "routable" because it is behind NAT?

Is there a way, a solution, to make IPsec tunnels site-to-site but with server/client, a kind of dynamic IPsec tunnel where one of the sites initiates the tunnel to the server ...

regards,

alexandre durand

Re: ipsec vpn behind nat

Just peer with the public IP of each side. If one side changes or is using a NAT pool (instead of one-to-one NAT) you will have to use another option, like dynamic crypto maps.

Re: ipsec vpn behind nat

Crypto maps are applied to the "external" interfaces, and peer statements in the crypto maps would reference the far-side "external" interface address.

Crypto ACLs would reference the "internal" network IDs, to identify traffic that requires crypto treatment.

If you are interested in dynamic crypto maps with control over which device initiates tunnel setup, you might want to read up on the "Easy VPN Remote" feature.

There are multiple modes that can be used on the remote side.

Re: ipsec vpn behind nat

Thank you for your replies. There are 2 options: either Easy VPN client, but it requires Cisco at the other end ... or that one:

! wildcard pre-shared key: any peer address may authenticate with this key
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
! ISAKMP profile that binds the keyring to any peer identity
crypto isakmp profile L2L
 description LAN-to-LAN for spoke router(s) connection
 keyring spokes
 match identity address 0.0.0.0

Here is the Cisco URL where you can find further information about it:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

I'm gonna test those 2 options.

I still don't know how to push an ACL with Easy VPN client and remote mode.

Thank you for your advice.

regards,

alex

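The following hub-and-spoke configuration ties the two answers together: the crypto map and crypto ACL placement from the second reply, and the wildcard keyring with an ISAKMP profile quoted in the post above. It is an added example, not the poster's configuration and not copied from the linked Cisco document. The addresses are the ones drawn in the question; the interface names, ISAKMP policy, transform set, keepalive values and the placeholder key are assumptions. Comments use the IOS "!" syntax.

```cisco
! ===== HUB router (static public address 91.103.32.1, LAN 172.16.0.0/24) =====
! The hub never initiates: it has no static peer and accepts IKE from any
! address that presents the correct pre-shared key. Because the key entry is a
! wildcard (0.0.0.0 0.0.0.0), the key is the only thing authenticating a spoke,
! so use a long random value (placeholder below) and leave aggressive mode off.
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key REPLACE-WITH-STRONG-PSK
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Dead peer detection so a spoke that drops off has its SA torn down
crypto isakmp keepalive 10 periodic
! NAT-T keepalives keep the UDP/4500 mapping alive on the spoke's NAT device
crypto isakmp nat keepalive 20
!
crypto isakmp profile L2L
 description LAN-to-LAN for spoke router(s) connection
 keyring spokes
 match identity address 0.0.0.0
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Dynamic crypto map: no "set peer" and no "match address"; both are taken
! from the spoke's proposal. reverse-route installs a route for the spoke's
! network (192.168.20.0/24) when the SA comes up, so return traffic is
! sent into the tunnel rather than to the default route.
crypto dynamic-map DYN 10
 set transform-set TS
 set isakmp-profile L2L
 reverse-route
!
crypto map VPN 10 ipsec-isakmp dynamic DYN
!
interface GigabitEthernet0/0
 description Internet (assumed interface name)
 ip address 91.103.32.1 255.255.255.0
 crypto map VPN

! ===== SPOKE router (192.168.20.1, behind the NAT device at 100.2.3.4) =====
! The spoke holds the static peer entry, so it is always the initiator.
! NAT traversal is on by default in IOS; the NAT device only has to allow
! outbound UDP/500 and UDP/4500 and the return traffic of those flows.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 91.103.32.1
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: the interesting traffic is private network to private network;
! the hub derives its proxy identities for this spoke from the same pair.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.20.0 0.0.0.255 172.16.0.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 91.103.32.1
 set transform-set TS
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description Towards the NAT device (assumed interface name)
 ip address 192.168.20.1 255.255.255.0
 crypto map VPN
```

The point to check after applying this: on the hub, "show crypto isakmp sa" should list the spoke with the NAT device's public address 100.2.3.4 as the remote peer (and UDP/4500 once NAT-T has been detected), and "show ip route" should contain the reverse route for 192.168.20.0/24 while the SA is up. Because every spoke shares the wildcard key, rotating that key means touching every spoke at once; per-spoke keys or certificates are the usual next step once more than a handful of spokes are involved.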
