ipsec with nat before tunnel

we have this issue:

private network-----eth1/0<-----2620----->fasteth0/0-------2600 telco ---- Internet

(192.x.x.x) (195.x.x.x)

From the Internet, the gateway on the other site is the PIX.

We want to translate the private 192.x.x.x to 10.60.x.x before creating the tunnel from the 2620 to the PIX.

The 2620 router has a gateway of 195.x.x.x (telco router).

Does anybody have a config sample going this way, or is it not possible to do it like that?

Thanks for any help.

Alain

9 REPLIES
New Member

Re: ipsec with nat before tunnel

[SiteA]
|
| 192.168.0.0/24
| [2620VPN] 192.168.0.0 must be translated to 10.60.x.x before the tunnel
| .2
| 195.243.x.x
| .1 [2610 telco Router]
|
| INTERNET
|
| 213.70.x.x
| .36 [Pix535]
|
| 10.60.x.x
|
[SiteB]

Cisco Employee

Re: ipsec with nat before tunnel

Hi,

Since the traffic hits the NAT process before the encryption process, it is possible to NAT the traffic from 192.168.x.x to 10.60.x.x and then encrypt the 10.60.x.x to the remote peer. You can find a similar config in the URL below:

http://www.cisco.com/warp/public/707/same-ip.html

And now comes the interesting part: from your diagram you are setting up an IPsec tunnel between a router and a PIX, and you are trying to NAT the 192.168.x.x to 10.60.x.x.

If you are going to do this, then according to your diagram you will have duplicate subnets on both sides, and you cannot set up an IPsec tunnel when you have duplicate subnets.

I guess you wanted to NAT the 10.60.x.x to 192.168.x.x and then encrypt the 192.168.x.x to 10.60.x.x.

Regards,

Arul

New Member

Re: ipsec with nat before tunnel

Sorry Arul,

I made a mistake in my diagram; it normally looks like this:

LAN1 |---192.168.0.x---(2620)--195.243.x.x----(2610 telco Router)---

INTERNET -------213.70.x.x---PIX535----LAN1--10.61.x.x

Behind the PIX is a 10.61.x.x, not a 10.60.x.x.

Please could you tell me, or give me a config example of, how to NAT the 192.168.x.x to 10.60.x.x before starting the tunnel?

Thanks

Alain

Cisco Employee

Re: ipsec with nat before tunnel

Hi Alain,

Thanks for the clarification. You can pretty much follow the URL that I had posted earlier.

And in your case, the NAT statement will most probably look like:

ip nat inside source static network 192.168.0.0 10.60.0.0 /16 no-alias

And your access-list for the IPsec LAN-to-LAN tunnel on the router will look like:

access-list 100 permit ip 10.60.0.0 0.0.255.255 10.61.0.0 0.0.255.255

The above lines are only part of the config; you need to make sure that you apply the NAT inside and NAT outside to the interfaces and also do the necessary IPsec configuration.

Regards,

Arul
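As an added example (not configuration from this thread, from Arul, or from Cisco), here is what a complete router-side configuration for the "NAT before IPsec" design described above could look like on IOS. It keeps the addresses that appear in the thread (192.168.0.0/24 real LAN, 10.60.11.0/24 translated range, 10.61.0.0/16 behind the PIX); the PIX peer address 213.70.0.36, the key placeholder, the map and transform-set names, and the ISAKMP/IPsec parameters are assumptions and must be matched on the PIX side. The crypto ACL matches the translated source, because the router translates before it encrypts.

```ios
! Added example, not config from this thread or from Cisco.
! Addresses from the thread: 192.168.0.0/24 (real LAN), 10.60.11.0/24 (translated),
! 10.61.0.0/16 (behind the PIX). Peer 213.70.0.36, the PSK placeholder, names and
! crypto parameters are constructed assumptions; they must match the PIX.
!
! Phase 1 (ISAKMP) policy (parameters assumed; use what the PIX supports)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 213.70.0.36
!
! Phase 2 transform set (assumed)
crypto ipsec transform-set TS-PIX esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: matches the TRANSLATED source, since NAT runs before encryption
access-list 100 permit ip 10.60.11.0 0.0.0.255 10.61.0.0 0.0.255.255
!
crypto map CM-PIX 10 ipsec-isakmp
 set peer 213.70.0.36
 set transform-set TS-PIX
 match address 100
!
! Static one-to-one network translation 192.168.0.x <-> 10.60.11.x.
! It applies in both directions, so a decrypted reply to 10.60.11.x is
! untranslated back to 192.168.0.x without any extra route on this router.
ip nat inside source static network 192.168.0.0 10.60.11.0 /24 no-alias
!
interface FastEthernet0/0
 description LAN side (real 192.168.0.0/24 addresses)
 ip address 192.168.0.251 255.255.255.0
 ip nat inside
!
interface Ethernet1/0
 description Towards telco router / Internet
 ip address 195.244.59.144 255.255.255.248
 ip nat outside
 crypto map CM-PIX
!
ip route 0.0.0.0 0.0.0.0 195.244.59.143
```

To verify, "show ip nat translations" should list the 192.168.0.x to 10.60.11.x entries once traffic flows, and "show crypto ipsec sa" should show both encrypts and decrypts. Because the translation is static, the router side needs nothing further for the return path; encrypts with zero decrypts therefore point to the far side (the PIX crypto ACL and the route for 10.60.11.0/24 behind it), consistent with the diagnosis Arul gives later in this thread.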

New Member

Re: ipsec with nat before tunnel

Thanks Arul,

I will try it and give you feedback.

Best regards

Alain

New Member

Re: ipsec with nat before tunnel

Hello Arul,

I set up a test today with my laptop, using 192.168.0.3 on my laptop, and pinged from my laptop to 10.61.10.135: no ping response, but the tunnel goes up with QM_IDLE.

The problem is: why did I not get a ping response back?

The config looks like this:

interface FastEthernet0/0
 ip address 192.168.0.251 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Ethernet1/0
 ip address 195.244.59.144 255.255.255.248
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 crypto map blabla
!
ip nat inside source static network 192.168.0.0 10.60.11.0 /24 no-alias
ip classless
ip route 0.0.0.0 0.0.0.0 195.244.59.143
no ip http server
!
access-list 100 permit ip 10.60.11.0 0.0.0.255 host 10.61.10.135
access-list 100 permit ip 10.60.11.0 0.0.0.255 host 10.61.30.130

I think the router will not know the return path for the ping?

Thanks for any help.

Cisco Employee

Re: ipsec with nat before tunnel

Hi Alain,

If your tunnel comes up, then that means the traffic triggered the access-list, which implies the traffic was NATed.

If you do a "sh cry ipsec sa", what do you see for packets encrypted and decrypted? If you see encrypts and no decrypts, then check on the remote side to see what is going on.

If you see decrypts and no encrypts, then possibly the host does not know where to send the packets for the 10.60.11.0.

Make sure that the host 10.61.10.135 knows where to send the packets for 10.60.11.0 and also check if the host 10.61.10.135 is getting NATed somewhere.

Regards,

Arul

New Member

Re: ipsec with nat before tunnel

Hello Arul,

Thanks for your reply.

a) If your tunnel comes up, then that means the traffic triggered the access-list, which implies the traffic was NATed.

OK

b) If you do a "sh cry ipsec sa", what do you see for packets encrypted and decrypted? If you see encrypts and no decrypts, then check on the remote side to see what is going on.

There were 10 packets encrypted but 0 decrypted. I don't know, maybe ICMP is not a good protocol for this test. I think the (ICMP) packet will come back only to the 10.60.11.0; the problem is how to tell the router that this packet should go to the 192.168.x.x net?

c) If you see decrypts and no encrypts, then possibly the host does not know where to send the packets for the 10.60.11.0.

I see only encrypted packets.

d) Make sure that the host 10.61.10.135 knows where to send the packets for 10.60.11.0 and also check if the host 10.61.10.135 is getting NATed somewhere.

No, because I have also configured many site-to-site VPN tunnels with the same gateway, and all work without problems. The scenario is the same; the only difference is the NAT configuration.

The scenario is direct site-to-site from 10.60.x.x to 10.61.0.0 (x = 1 to 10); all work without problems.

The 192.168.0.0 is not really a branch office for my customer; it is a partner, and the customer doesn't want to have 192.168.x.x in his private net (10.61.x.x).

Regards,

Alain

New Member

Re: ipsec with nat before tunnel

Hello Arul,

Did you have any response to my last email?

HAPPY NEW YEAR

Alain
