12-14-2002 02:44 AM - edited 02-21-2020 12:14 PM
we have this issue:
private network-----eth1/0<-----2620----->fasteth0/0-------2600 telco ---- Internet
(192.x.x.x) (195.x.x.x)
From the internet, the gateway on the other site is the PIX.
We want to translate the private 192.x.x.x to 10.60.x.x before creating the tunnel from the 2620 to the PIX.
The 2620 router has a gateway 195.x.x.x (telco router).
Does anybody have a config sample going this way, or is it not possible to do it like that?
Thanks for any help
Alain
12-14-2002 02:11 PM
[SiteA]
   |
   | 192.168.0.0/24
   |
[2620VPN]   192.168.0.0 must be translated to 10.60.x.x before the tunnel
   | .2
   | 195.243.x.x
   | .1
[2610 telco Router]
   |
   |
INTERNET
   |
   | 213.70.x.x
   | .36
[Pix535]
   |
   | 10.60.x.x
   |
[SiteB]
12-14-2002 03:12 PM
Hi,
Since the traffic hits the NAT process before the encryption process, it is possible to NAT the traffic from 192.168.x.x to 10.60.x.x and then encrypt the 10.60.x.x to the remote peer. You can find a similar config in the URL below:
http://www.cisco.com/warp/public/707/same-ip.html
And now comes the interesting part: from your diagram you are setting up an IPsec tunnel between a router and a PIX, and you are trying to NAT the 192.168.x.x to 10.60.x.x.
If you are going to do this, then according to your diagram you will have duplicate subnets on both the sides and you cannot set up an IPSec tunnel when you duplicate subnets.
I guess, you wanted to NAT the 10.60.x.x to 192.168.x.x and then encrypt the 192.168.x.x to 10.60.x.x.
Regards,
Arul
12-15-2002 01:10 AM
Sorry Arul,
I made a mistake in my diagram; it normally looks like this:
LAN1 |---192.168.0.x---(2620)--195.243.x.x----(2610 telco Router)---
INTERNET -------213.70.x.x---PIX535----LAN1--10.61.x.x
Behind the PIX is a 10.61.x.x, not a 10.60.x.x.
Please could you tell me or give me a config example of how to NAT the 192.168.x.x to 10.60.x.x before starting the tunnel?
Thanks
Alain
12-15-2002 01:29 AM
Hi Alain,
Thanks for the clarification. You can pretty much follow the URL that I had posted earlier.
And in your case, the NAT statement will most probably look like:
ip nat inside source static network 192.168.0.0 10.60.0.0 /16 no-alias
And your access-list for the IPSec Lan to Lan tunnel on the router will look like:
access-list 100 permit ip 10.60.0.0 0.0.255.255 10.61.0.0 0.0.255.255
The above lines are only part of the config and you need to make sure that you apply the NAT inside and nat outside to the interfaces and also do the necessary ipsec configurations.
Regards,
Arul
12-15-2002 11:41 AM
Thanks Arul,
I will try it and give you feedback.
Best regards
Alain
12-19-2002 04:23 AM
Hello Arul,
I set up a test today with my laptop, using 192.168.0.3 on my laptop, and pinged from my laptop to 10.61.10.135: no ping response, but the tunnel goes up with Q-idle.
The problem is: why did I not get a ping response back?
The config looks like this:
interface FastEthernet0/0
 ip address 192.168.0.251 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Ethernet1/0
 ip address 195.244.59.144 255.255.255.248
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 crypto map blabla
!
ip nat inside source static network 192.168.0.0 10.60.11.0 /24 no-alias
ip classless
ip route 0.0.0.0 0.0.0.0 195.244.59.143
no ip http server
!
access-list 100 permit ip 10.60.11.0 0.0.0.255 host 10.61.10.135
access-list 100 permit ip 10.60.11.0 0.0.0.255 host 10.61.30.130
I think that the router does not know the return path for the ping?
Thanks for any help
12-19-2002 03:18 PM
Hi Alain,
If your tunnel comes up, then that means the traffic triggered the access-list, which implies the traffic was NATted.
If you do a "sh cry ipsec sa", what do you see for packets encrypted and decrypted? If you see encrypts and no decrypts, then check on the remote side what is going on.
If you see decrypts and no encrypts, then possibly the host does not know where to send the packets for the 10.60.11.0.
Make sure that the host 10.61.10.135 knows where to send the packets for 10.60.11.0 and also check if the host 10.61.10.135 is getting NATed somewhere.
Regards,
Arul
12-20-2002 07:11 AM
Hello Arul,
Thanks for your reply.
a) If your tunnel comes up, then that means the traffic triggered the access-list, which implies the traffic was NATted.
OK
b) If you do a "sh cry ipsec sa", what do you see for packets encrypted and decrypted? If you see encrypts and no decrypts, then check on the remote side what is going on.
There were 10 packets encrypted but 0 decrypted. I don't know, maybe ICMP is not a good protocol for this test. I think the packet (ICMP) will come back only to the 10.60.11.0; the problem is how to tell the router that this packet should go to the 192.168.x.x net?
c) If you see decrypts and no encrypts, then possibly the host does not know where to send the packets for the 10.60.11.0.
I see only encrypted packets.
d) Make sure that the host 10.61.10.135 knows where to send the packets for 10.60.11.0 and also check if the host 10.61.10.135 is getting NATed somewhere.
No, because I have also configured many site-to-site VPN tunnels with the same gateway and all work without problems. The scenario is the same; the only difference is the NAT configuration.
The scenario is direct site to site from 10.60.x. to 10.61.0.0 (x = 1 to 10); all works without problems.
The 192.168.0.0 is not really a branch office of my customer; it is a partner, and the customer doesn't want to have 192.168.x.x in his private net (10.61.x.x).
Regards,
Alain
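An added model, not configuration from this thread or code from Cisco, of the order of operations Arul describes in his 12-15-2002 answer and of the return-path question raised in the post above. On IOS, a packet from the inside interface is translated before the crypto map is consulted, so the crypto access-list has to match the post-NAT addresses; on the way back, a decrypted packet addressed to 10.60.11.x is mapped to 192.168.0.x by the same static network entry, consulted in reverse. The Packet class, the NAT/ACL classes, and WRONG_ACL (a crypto ACL written against the pre-NAT 192.168.0.0/24, used only as a counter-example) are this model's own constructions; the addresses, the static network translation and the two access-list 100 lines are the ones posted in the thread.

```python
"""Model of NAT-before-IPsec ordering on a Cisco IOS router (added example, not Cisco code)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network (contiguous wildcard assumed)."""
    ones = bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network((addr, 32 - ones), strict=False)


class StaticNetworkNat:
    """ip nat inside source static network INSIDE OUTSIDE /LEN: one-to-one, both directions."""

    def __init__(self, inside: str, outside: str, prefixlen: int):
        self.inside = ipaddress.ip_network(f"{inside}/{prefixlen}")
        self.outside = ipaddress.ip_network(f"{outside}/{prefixlen}")

    def _map(self, addr: str, src_net, dst_net) -> str:
        ip = ipaddress.ip_address(addr)
        if ip not in src_net:
            return addr  # not covered by this translation, left untouched
        offset = int(ip) - int(src_net.network_address)
        return str(dst_net.network_address + offset)

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Inside->outside: the source is rewritten (192.168.0.x -> 10.60.11.x)."""
        return Packet(self._map(pkt.src, self.inside, self.outside), pkt.dst)

    def outside_to_inside(self, pkt: Packet) -> Packet:
        """Outside->inside: the same static entry rewrites the destination back."""
        return Packet(pkt.src, self._map(pkt.dst, self.outside, self.inside))


class CryptoAcl:
    """Crypto map match list: (src, src-wildcard, dst, dst-wildcard) permit entries."""

    def __init__(self, entries):
        self.entries = [
            (_wildcard_to_network(s, sw), _wildcard_to_network(d, dw))
            for s, sw, d, dw in entries
        ]

    def permits(self, pkt: Packet) -> bool:
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return any(s in sn and d in dn for sn, dn in self.entries)


# From the thread: ip nat inside source static network 192.168.0.0 10.60.11.0 /24
NAT = StaticNetworkNat("192.168.0.0", "10.60.11.0", 24)
# From the thread: access-list 100 (host X is written as wildcard 0.0.0.0)
CRYPTO_ACL = CryptoAcl([
    ("10.60.11.0", "0.0.0.255", "10.61.10.135", "0.0.0.0"),
    ("10.60.11.0", "0.0.0.255", "10.61.30.130", "0.0.0.0"),
])
# Constructed counter-example: an ACL that matches the pre-NAT addresses instead.
WRONG_ACL = CryptoAcl([("192.168.0.0", "0.0.0.255", "10.61.10.135", "0.0.0.0")])


def outbound(pkt: Packet, nat=NAT, acl=CRYPTO_ACL):
    """Inside->outside: NAT first, then the crypto map decides on the translated packet.

    Returns (packet as seen by the crypto map, True if it would be encrypted)."""
    translated = nat.inside_to_outside(pkt)
    return translated, acl.permits(translated)


def inbound(pkt: Packet, nat=NAT, acl=CRYPTO_ACL):
    """Outside->inside: decrypt (selector is the mirror of the ACL), then NAT the destination.

    Returns the packet delivered to the inside LAN, or None if it falls outside the SA."""
    mirrored = Packet(pkt.dst, pkt.src)
    if not acl.permits(mirrored):
        return None
    return nat.outside_to_inside(pkt)


if __name__ == "__main__":
    ping = Packet("192.168.0.3", "10.61.10.135")      # the laptop's ping from the thread
    seen, encrypted = outbound(ping)
    print("crypto map sees", seen, "-> encrypted" if encrypted else "-> sent in the clear")
    print("reply delivered to", inbound(Packet("10.61.10.135", seen.src)))
    print("ACL on pre-NAT addresses would encrypt:", outbound(ping, acl=WRONG_ACL)[1])
```

Run stand-alone, the model shows the laptop's ping leaving as 10.60.11.3 and matching access-list 100, and an echo reply addressed to 10.60.11.3 being delivered to 192.168.0.3 without any extra route on the router; the static entry already provides the return mapping. What it cannot show is whether the reply ever reaches the router, which is exactly what Arul's "encrypts but no decrypts" check separates: a non-zero decrypt counter with the counter-example ACL would never be reached, because with WRONG_ACL the translated packet is not encrypted at all.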
12-31-2002 08:43 AM
Hello Arul,
Did you have any response to my last email?
HAPPY NEW YEAR
Alain