we have this issue:
private network-----eth1/0<-----2620----->fasteth0/0-------2600 telco ---- Internet
From the internet, the gateway on the other site is the PIX.
We want to translate the private 192.x.x.x to 10.60.x.x before creating the tunnel from the 2620 to the PIX.
The 2620 router has a gateway 195.x.x.x (telco router).
Does anybody have a config sample going this way, or is it not possible to do it like that?
Thanks for any help.
| [2620VPN] 192.168.0.0 must be translated to 10.60.x.x before the tunnel
| .1 [2610 telco Router]
Since the traffic hits the NAT process before the encryption process, it is possible to NAT the traffic from 192.168.x.x to a 10.60.x.x and then encrypt the 10.60.x.x to the remote peer. And you can find a similar config in the URL below:
And now comes the interesting part: from your diagram you are setting up an IPsec tunnel between a router and a PIX, and you are trying to NAT the 192.168.x.x to 10.60.x.x.
If you are going to do this, then according to your diagram you will have duplicate subnets on both sides, and you cannot set up an IPsec tunnel when you have duplicate subnets.
I guess you wanted to NAT the 10.60.x.x to 192.168.x.x and then encrypt the 192.168.x.x to 10.60.x.x.
I made a mistake in my diagram; it normally looks like this:
LAN1 |---192.168.0.x---(2620)--195.243.x.x----(2610 telco Router)---
Behind the PIX is a 10.61.x.x, not a 10.60.x.x.
Please could you tell me, or give me a config example of, how to NAT the 192.68.x.x to 10.60.x.x before starting the tunnel?
Thanks for the clarification. You can pretty much follow the URL that I had posted earlier.
And in your case, the NAT statement will most probably look like:
ip nat inside source static network 192.168.0.0 10.60.0.0 /16 no-alias
And your access-list for the IPSec Lan to Lan tunnel on the router will look like:
access-list 100 permit ip 10.60.0.0 0.0.255.255 10.61.0.0 0.0.255.255
The above lines are only part of the config, and you need to make sure that you apply the NAT inside and NAT outside to the interfaces and also do the necessary IPsec configuration.
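A minimal IOS configuration assembling the pieces described in this reply (interfaces with NAT inside/outside, the static network NAT, the crypto map and the crypto ACL), as an added example that is not from the thread; the PIX peer address, pre-shared key, WAN address and telco next hop are placeholders taken from documentation address ranges:

```cisco
! Added example, not the poster's config. PLACEHOLDER values: the PIX peer
! (198.51.100.1), the pre-shared key, the WAN address and the telco next hop.
!
! Phase 1 (ISAKMP) policy and pre-shared key for the PIX peer
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
!
! Phase 2 transform set and the crypto map applied on the outside interface
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto map blabla 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address 100
!
! LAN side: original 192.168.0.0/24 addresses, NAT inside
interface Ethernet1/0
 ip address 192.168.0.251 255.255.255.0
 ip nat inside
!
! WAN side (placeholder address): NAT outside and the crypto map on the same
! interface, so a packet is translated first and only then checked against
! ACL 100 (the order the reply above describes)
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.248
 ip nat outside
 crypto map blabla
!
! Static network NAT 192.168.0.0/24 <-> 10.60.11.0/24. The mapping is
! bidirectional: replies addressed to 10.60.11.x are translated back to
! 192.168.0.x after decryption
ip nat inside source static network 192.168.0.0 10.60.11.0 /24 no-alias
!
! Default route to the telco router (placeholder next hop)
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! Crypto ACL: interesting traffic is written with the translated addresses,
! never with the 192.168.0.0/24 originals
access-list 100 permit ip 10.60.11.0 0.0.0.255 host 10.61.10.135
access-list 100 permit ip 10.60.11.0 0.0.0.255 host 10.61.30.130
```

The PIX side must mirror this with its own crypto ACL from 10.61.x.x hosts to 10.60.11.0/24 and a route for 10.60.11.0/24 pointing at the tunnel.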
I set up a test today with my laptop using 192.168.0.3 on my laptop and pinged from my laptop to 10.61.10.135: no ping response, but the tunnel goes up with QM_IDLE.
The problem is: why did I not get a ping response back?
The config looks like this:
ip address 192.168.0.251 255.255.255.0
ip nat inside
ip address 188.8.131.52 255.255.255.248
ip nat outside
no ip route-cache
no ip mroute-cache
crypto map blabla
ip nat inside source static network 192.168.0.0 10.60.11.0 /24 no-alias
ip route 0.0.0.0 0.0.0.0 184.108.40.206
no ip http server
access-list 100 permit ip 10.60.11.0 0.0.0.255 host 10.61.10.135
access-list 100 permit ip 10.60.11.0 0.0.0.255 host 10.61.30.130
I think that the router will not know the return way for the ping?
Thanks for any help.
If your tunnel comes up, then that means the traffic triggered the access-list, which implies the traffic was NATed.
If you do a "sh cry ipsec sa", what do you see for packets encrypted and decrypted? If you see encrypts and no decrypts, then check on the remote side what is going on.
If you see decrypts and no encrypts, then possibly the host does not know where to send the packets for 10.60.11.0.
Make sure that the host 10.61.10.135 knows where to send the packets for 10.60.11.0, and also check if the host 10.61.10.135 is getting NATed somewhere.
Thanks for your reply.
a) If your tunnel comes up, then that means the traffic triggered the access-list, which implies the traffic was NATed.
b) If you do a "sh cry ipsec sa", what do you see for packets encrypted and decrypted? If you see encrypts and no decrypts, then check on the remote side what is going on.
There were 10 packets encrypted but 0 decrypted. I don't know, maybe ICMP is not a good protocol for this test. I think the packet (ICMP) will come back only to the 10.60.11.0; the problem is how to tell the router that this packet should go to the 192.168.x.x net?
c) If you see decrypts and no encrypts, then possibly the host does not know where to send the packets for 10.60.11.0.
I see only encrypted packets.
d) Make sure that the host 10.61.10.135 knows where to send the packets for 10.60.11.0, and also check if the host 10.61.10.135 is getting NATed somewhere.
No, because I have also configured many site-to-site VPN tunnels with the same gateway and all work without problems. The scenario is the same; the only difference is the NAT configuration.
The scenario is direct site-to-site from 10.60.x. to 10.61.0.0 (x = 1 to 10); all works without problems.
The 192.168.0.0 is not really a branch office for my customer; it is a partner, and the customer doesn't want to have 192.168.x.x in his private net (10.61.x.x).