07-01-2002 12:05 AM - edited 02-21-2020 11:50 AM
I'm now in a company doing my thesis on VPN.
I have to implement a VPN between them and some customers.
Site description:
* We have a central site (Cisco router) using the private range 10.10.0.0/16, with Internet access over a permanent line and NAT overload on one public address.
* All the customers have the same IP plan: a unique public IP address and NAT using the private range 172.20.0.0/16.
Problem:
I have already implemented a site-to-site VPN using GRE for one of their customers, but when I want to do the second customer I have a problem.
As each customer has the same IP plan with NAT (172.20.0.0), I have a problem of uniqueness.
So with the first customer (using tunnel0 for the VPN), the route from
our router is: ip route 172.20.0.0 255.255.0.0 tunnel 0
When I want to do the second customer (using tunnel1), the route will
be: ip route 172.20.0.0 255.255.0.0 tunnel 1
This is not possible because I'll have 172.20.0.0 twice in the
routing table.
How can I implement such a system?
Is it possible to implement a NAT process to generate the uniqueness (one unique subnet for each customer) while keeping 172.20.0.0/16 everywhere, and how could this NAT coexist with the existing NAT?
Does anyone have an idea?
Thanks in Advance
Nicolas
07-01-2002 02:56 PM
Routing will not work if all of your remote sites are using the overlapping network 172.20.0.0/16.
So you need to do policy NATting in all the remote sites.
Site A: put "ip nat outside" on the GRE tunnel interface, translate 172.20.0.0/16 to 172.21.0.0/16
Site B: put "ip nat outside" on the GRE tunnel interface, translate 172.20.0.0/16 to 172.22.0.0/16
For other remote sites, the same story, and so on.
After that, in the central office, you can control the routing easily:
ip route 172.21.0.0 255.255.0.0 tunnel 0
ip route 172.22.0.0 255.255.0.0 tunnel 1
ip route 172.23.0.0 255.255.0.0 tunnel 2
And so on...
07-01-2002 10:28 PM
OK,
I was also thinking of doing something like that,
but how can this NAT translation (172.20.0.0/16 to 172.2x.0.0/16) co-exist with the current NAT overload for Internet access?
Do I have to use a specific command (like a static route map, for example)?
Here are the details of the site:
MainSite
  |
  | IP Public
  | NAT overload
  |
INTERNET ---------------------- Customer1 (172.20.0.0/16) -------- ISDN (172.16.x.0/8)
  |                              IP Public
  |                              NAT Overload
  |
  | IP Public
  | NAT overload
  |
Customer2 (172.20.0.0/16)
  |
  |
ISDN (172.16.x.0/8)
Here is a sample of my configuration:
A) Configuration of the main site (fragment)
sh ver
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-DO3S-M), Version 12.2(3), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Wed 18-Jul-01 21:03 by pwade
Image text-base: 0x600089A8, data-base: 0x612E0000
ROM: System Bootstrap, Version 11.1(7)AX [kuong (7)AX], EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)
DGE_Router uptime is 7 weeks, 1 day, 22 hours, 5 minutes
System returned to ROM by reload at 15:08:29 UTC Sun Apr 14 2002
System restarted at 15:09:32 UTC Sun Apr 14 2002
System image file is "flash:c3640-do3s-mz.122-3.bin"
cisco 3640 (R4700) processor (revision 0x00) with 60416K/5120K bytes of memory.
Processor board ID 05169889
R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
MICA-6DM Firmware: CP ver 2730 - 5/23/2001, SP ver 2730 - 5/23/2001.
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
Basic Rate ISDN software, Version 1.1.
4 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
4 ISDN Basic Rate interface(s)
6 terminal line(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
DGE_Router#sh run
Building configuration...
Current configuration : 11015 bytes
!
! Last configuration change at 08:18:11 UTC Tue Jun 4 2002
! NVRAM config last updated at 08:18:13 UTC Tue Jun 4 2002
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service linenumber
service udp-small-servers
service tcp-small-servers
!
hostname DGE_Router
!
logging buffered 4096 debugging
enable secret 5 ...
enable password ...
!
username ...
modem country mica switzerland
ip subnet-zero
!
!
ip host proxy-dge 195.65.51.89
ip host mail.duplirex.ch 195.65.51.90
ip host PC171 195.65.51.93
ip host PC128 195.65.51.94
ip host telco 195.65.51.95
ip host horus 195.65.51.91
ip host di.devillard.ch 195.65.51.91
ip host mail.devillard.ch 195.65.51.95
ip name-server 164.128.36.34
!
ip multicast-routing
ip inspect name INTERNET http java-list 20
ip inspect name INTERNET udp
ip inspect name INTERNET tcp
ip inspect name INTERNET ftp
ip inspect name INTERNET tftp
ip audit attack action alarm drop reset
ip audit notify log
ip audit po max-events 100
ip audit name AUDITIE info action alarm
ip audit name AUDITIE attack action alarm drop reset
ipx routing 0060.8339.4e21
isdn switch-type basic-net3
call rsvp-sync
!
!
interface Ethernet0/0
description LAN preparation client MBNET
ip address 172.20.4.2 255.255.0.0
ip nat inside
half-duplex
ipx encapsulation SAP
ipx network 20
no cdp enable
!
interface Serial0/0
description DGE-DVD rented line
ip address 10.200.4.1 255.255.0.0
ip pim dense-mode
ipx network 10000200
no cdp enable
!
interface Ethernet0/1
description DGE Backbone
ip address 10.10.4.1 255.255.0.0
ip accounting output-packets
ip nat inside
ip pim dense-mode
full-duplex
ipx encapsulation SAP
ipx network 10000010
!
interface Ethernet1/0
description EXPO network
ip address 10.11.4.1 255.255.0.0
ip nat inside
ip pim dense-mode
half-duplex
!
interface Serial1/0
description Permanent Internet access to Swisscom IP-PLUS
ip address 164.128.74.150 255.255.255.252
ip access-group IAIN in
ip access-group IAOUT out
ip nat outside
ip inspect INTERNET out
ip audit AUDITIE in
no cdp enable
!
interface Ethernet1/1
no ip address
ip nat inside
shutdown
!
interface BRI2/0
no ip address
shutdown
isdn switch-type basic-net3
no fair-queue
no cdp enable
!
interface BRI2/1
description access inside DSA's network from outside
ip address 172.16...
ip nat inside
encapsulation ppp
no ip mroute-cache
dialer idle-timeout 180
dialer-group 5
ipx network 7
isdn switch-type basic-net3
isdn caller 0227570864
isdn answer1 4171
compress mppc
no cdp enable
ppp authentication chap ms-chap pap callin
ppp ipcp dns 10.10.2.2
ppp multilink
!
interface BRI2/2
description remote access to DSA customers
no ip address
encapsulation ppp
dialer pool-member 3
isdn switch-type basic-net3
isdn answer1 ...
no cdp enable
!
interface BRI2/3
description Incoming call Analog or V.110
no ip address
isdn switch-type basic-net3
isdn caller ...
isdn incoming-voice modem 64
isdn answer1 4168
no cdp enable
!
interface Async97
ip address 172.16.13.10 255.255.255.0
ip nat inside
encapsulation ppp
ip tcp header-compression passive
no ip mroute-cache
async mode interactive
peer default ip address pool analog
ppp authentication chap ms-chap callin
ppp ipcp dns 10.10.2.2
!
interface Async98
ip address 172.16.13.11 255.255.255.0
ip nat inside
encapsulation ppp
async mode interactive
peer default ip address pool analog
ppp authentication chap ms-chap callin
ppp ipcp dns 10.10.2.2
!
interface Dialer1
no ip address
no cdp enable
!
interface Dialer2
description RCN
no ip address
ip nat inside
encapsulation ppp
dialer pool 2
dialer remote-name mbsa
dialer-group 2
no cdp enable
!
!
ip local pool analog 172.16.13.1 172.16.13.6
ip nat translation timeout 1200
ip nat pool internet 195.65.51.66 195.65.51.85 netmask 255.255.255.224
ip nat inside source list IANAT pool internet
ip nat inside source static 164.128.74.150 164.128.74.150
ip nat inside source static 10.10.2.3 195.65.51.91
ip nat inside source static 10.10.2.2 195.65.51.95
ip nat inside source static 172.20.2.1 195.65.51.90
ip nat inside source static 10.10.10.128 195.65.51.94
ip nat inside source static 10.10.10.171 195.65.51.93
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 10.20.0.0 255.255.0.0 Serial0/0
ip route 10.30.0.0 255.255.0.0 Serial0/0
ip route 172.16.6.0 255.255.255.0 Serial0/0
no ip http server
!
!
ip access-list extended DSARAIN
permit ip any any
ip access-list extended IAIN
remark Control Access from Internet (input)
permit icmp any host 164.128.74.150
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any host-unreachable
permit icmp any any host-unknown
permit icmp any any time-exceeded
permit udp any any eq ntp log
permit tcp any host 195.65.51.95 eq smtp
permit tcp any host 195.65.51.95 eq pop3
permit tcp any host 195.65.51.95 eq 143
permit tcp any host 195.65.51.90 eq www
permit tcp any host 195.65.51.90 eq smtp
permit tcp any host 195.65.51.90 eq 465
permit tcp any host 195.65.51.90 eq pop3
permit tcp any host 195.65.51.90 eq 143
permit tcp any host 195.65.51.90 eq 993
permit tcp any host 195.65.51.90 eq 389
permit tcp any host 195.65.51.90 eq 636
permit tcp any host 195.65.51.91 eq smtp
permit tcp any host 195.65.51.91 eq 465
permit tcp any host 195.65.51.91 eq 993
permit tcp any host 195.65.51.91 eq 447
permit tcp any host 195.65.51.91 eq 444
permit udp host 164.128.36.34 host 164.128.74.150
deny ip any any
ip access-list extended IANAT
remark Control NAT for Internet Access
deny ip 195.65.51.64 0.0.0.31 any
deny ip 164.128.74.0 0.0.0.255 any
permit ip host 10.10.2.2 any
permit ip 10.10.10.0 0.0.0.255 any
permit ip 10.10.15.0 0.0.0.255 any
permit ip 10.10.16.0 0.0.0.255 any
permit ip 10.10.18.0 0.0.0.255 any
permit ip 10.10.96.0 0.0.0.255 any
permit ip 172.16.7.0 0.0.0.255 any
permit ip 172.16.13.0 0.0.0.255 any
permit ip 172.20.0.0 0.0.255.255 any
deny ip any any log
ip access-list extended IAOUT
remark Control Access to Internet (output)
deny ip 10.0.0.0 0.255.255.255 any
permit icmp 195.65.51.64 0.0.0.31 any
permit ip host 195.65.51.95 any
permit ip host 195.65.51.90 any
permit ip host 195.65.51.91 any
permit ip host 195.65.51.93 any
permit ip host 195.65.51.94 any
permit udp host 195.65.51.95 eq domain any eq domain
permit udp any host 164.128.36.34 eq domain
permit udp any host 164.128.76.39 eq domain
permit udp any any eq 5632
permit tcp any any eq 5631
permit tcp any any eq 2200
permit tcp any any eq telnet
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 88
permit tcp any any eq 447
permit tcp any any eq 81
permit tcp any any eq 444
permit tcp any any eq 389
permit tcp any any eq 636
permit tcp any any eq ftp
permit tcp any any eq nntp
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq 143
permit tcp any any eq ftp-data
permit tcp any any eq 8008
permit tcp any any eq 8009
permit tcp any any eq 8080
permit udp any eq ntp any log
deny ip any any log
logging trap debugging
logging source-interface Ethernet0/1
logging 10.10.10.153
access-list 101 permit icmp any any
access-list 101 deny udp any eq rip any
access-list 101 permit ip host 128.127.1.128 any
access-list 101 permit ip host 128.127.1.151 any
access-list 101 permit ip host 128.127.1.147 any
access-list 101 permit ip host 128.127.1.150 any
access-list 101 permit ip host 128.127.10.128 any
access-list 101 deny ip any any log
access-list 2000 permit udp any eq domain any
access-list 2000 permit icmp any any echo-reply
access-list 2000 permit icmp any any time-exceeded
access-list 2000 permit icmp any any packet-too-big
access-list 2000 permit icmp any any traceroute
access-list 2000 permit icmp any any unreachable
access-list 2000 deny tcp any host 195.65.51.95 eq www log
access-list 2000 permit tcp any host 195.65.51.95 eq smtp
access-list 2000 permit tcp any host 195.65.51.95 eq pop3
access-list 2000 permit tcp any eq pop3 any established
access-list 2000 permit tcp any eq smtp any established
access-list 2000 permit tcp any eq ftp any established
access-list 2000 permit tcp any eq www any established
access-list 2000 permit tcp any eq 443 any established
access-list 2000 permit tcp any eq nntp any established
access-list 2000 permit tcp any any
access-list 2000 permit ip any host 195.65.51.94
access-list 2000 permit ip any host 195.65.51.93
access-list 2000 deny ip any any log
access-list 2001 permit icmp any any echo
access-list 2001 permit ip host 195.65.51.94 any
access-list 2001 deny ip any any log
dialer-list 5 protocol ip permit
dialer-list 5 protocol ipx permit
snmp-server community public RO
snmp-server community ipacct RW
snmp-server location local informatique
snmp-server contact Olivier RIEBEN
snmp-server enable traps isdn call-information
snmp-server host 10.10.10.153 public
!
!
!
!
dial-peer cor custom
!
!
!
!
line con 0
line aux 0
exec-timeout 0 0
password mbmb
modem InOut
modem autoconfigure discovery
transport input all
autoselect ppp
speed 1200
flowcontrol hardware
line vty 0 4
password mb
login
!
ntp clock-period 17179956
ntp server 138.195.130.71
ntp server 134.93.132.118
ntp server 129.132.2.21
end
DGE_Router#sh ip ro
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
...
10.0.0.0/16 is subnetted, 5 subnets
C 10.10.0.0 is directly connected, Ethernet0/1
C 10.11.0.0 is directly connected, Ethernet1/0
S 10.30.0.0 is directly connected, Serial0/0
S 10.20.0.0 is directly connected, Serial0/0
C 10.200.0.0 is directly connected, Serial0/0
164.128.0.0/30 is subnetted, 1 subnets
C 164.128.74.148 is directly connected, Serial1/0
S* 0.0.0.0/0 is directly connected, Serial1/0
--------------------------------------------------------------------------------------------
B) Typical configuration of the subsidiaries (fragment)
sh ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-NO3SY7-M), Version 12.2(8)T, RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 14-Feb-02 07:05 by ccai
Image text-base: 0x80008108, data-base: 0x80C2F6C4
ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)
PILLET uptime is 4 weeks, 5 days, 22 hours, 38 minutes
System returned to ROM by power-on
System restarted at 07:33:43 UTC Thu Apr 18 2002
System image file is "flash:c1700-no3sy7-mz.122-8.T.bin"
cisco 1720 (MPC860T) processor (revision 0x501) with 36864K/12288K bytes of memory.
Processor board ID JAD04380325 (1502665828), with hardware revision 0000
MPC860T processor: part number 0, mask 32
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
1 Ethernet/IEEE 802.3 interface(s)
1 FastEthernet/IEEE 802.3 interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
PILLET#sh run
Building configuration...
Current configuration : 4495 bytes
!
! Last configuration change at 06:05:11 UTC Wed May 22 2002
! NVRAM config last updated at 06:05:13 UTC Wed May 22 2002
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PILLET
!
enable secret 5 ...
enable password ...
!
username ...
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
no ip domain-lookup
ip host telcoPI 195.65.175.187
ip host router 195.65.175.186
ip host ras 195.65.175.188
!
ip inspect name INTERNET tcp
ip inspect name INTERNET udp
ip inspect name INTERNET http java-list 20
ip inspect name INTERNET ftp
ip inspect name INTERNET tftp
ip audit notify log
ip audit po max-events 100
ipx routing 0004.dd0c.5593
isdn switch-type basic-net3
!
!
!
interface BRI0
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
isdn caller ...
isdn answer1 ...
isdn calling-number ...
no cdp enable
ppp authentication chap callin
ppp multilink
!
interface Ethernet0
description LEASED LINE to SwissCom Via LAN ISP IP-PLUS
ip address 195.65.175.186 255.255.255.248
ip access-group IAIN in
ip access-group IAOUT out
ip nat outside
ip inspect INTERNET out
half-duplex
no cdp enable
!
interface FastEthernet0
description LAN Pillet SA
ip address 172.20.4.1 255.255.0.0
ip accounting output-packets
ip nat inside
no ip mroute-cache
speed auto
full-duplex
ipx encapsulation SAP
ipx network DEAD0080
no cdp enable
!
interface Dialer1
description ISP Bluewin
ip address negotiated
ip nat outside
encapsulation ppp
no cdp enable
ppp chap hostname devillardvaud
ppp chap password 7 070222494C03150146
!
interface Dialer11
description Profil Remote Access Devillard SA Maintenance
ip address 172.16.16.11 255.255.255.0
ip nat inside
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer idle-timeout 180
dialer-group 6
ipx network DEAD0081
compress mppc
no cdp enable
ppp authentication chap callin
ppp ipcp dns 164.128.36.34
!
ip nat translation timeout 1200
ip nat inside source list IANAT interface Ethernet0 overload
ip nat inside source static 172.20.2.2 195.65.175.187
ip nat inside source static 172.20.10.128 195.65.175.188
ip classless
ip route 0.0.0.0 0.0.0.0 195.65.175.185
no ip http server
ip pim bidir-enable
!
!
ip access-list extended IAIN
remark Control access to Internet (input)
permit icmp any host 195.65.175.186
permit icmp any host 195.65.175.187
permit icmp 195.65.51.64 0.0.0.31 any
permit udp any eq ntp any eq ntp
permit tcp 195.65.51.64 0.0.0.31 host 195.65.175.186
permit udp 195.65.51.64 0.0.0.31 host 195.65.175.186
permit udp 195.65.51.64 0.0.0.31 any eq 5632
permit tcp 195.65.51.64 0.0.0.31 any eq 5631
permit tcp any host 195.65.175.187 eq smtp
permit tcp any host 195.65.175.187 eq 143
permit tcp any host 195.65.175.187 eq ftp
permit tcp 195.65.51.64 0.0.0.31 any eq 8008
permit tcp 195.65.51.64 0.0.0.31 any eq 8009
deny tcp any host 195.65.175.187 gt 2048 log
permit tcp any host 195.65.175.187 gt 1024
deny ip any any log
ip access-list extended IANAT
remark Control access to NAT translation
deny ip 195.65.175.184 0.0.0.7 any
permit ip host 172.20.2.1 any
permit ip host 172.20.2.2 any
permit ip 172.20.10.0 0.0.0.255 any
deny ip any any log
ip access-list extended IAOUT
remark Control access to Internet (output)
permit ip 195.65.175.184 0.0.0.7 any
permit udp any eq 5632 195.65.51.64 0.0.0.31
permit tcp any eq 5631 195.65.51.64 0.0.0.31
deny ip any any log
remark Control access to Internet (output)
remark Control access to Internet (output)
!
logging trap debugging
logging source-interface Ethernet0
logging 172.20.10.128
access-list 20 permit any
access-list 102 permit ip any any
access-list 900 deny sap
access-list 900 deny rip
access-list 900 deny netbios
access-list 900 permit any
dialer-list 1 protocol ip list 102
dialer-list 6 protocol ipx list 900
dialer-list 6 protocol ip list 102
no cdp run
!
!
!
!
snmp-server community ipacct RW
snmp-server location Local Informatique
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password mb
login
!
ntp clock-period 17180011
ntp server 138.195.130.71
ntp server 134.93.132.118
ntp server 129.132.2.21
end
07-02-2002 04:02 AM
"Policy NATting" means using a route map in the NAT:
Check the details at the following URL:
http://www.cisco.com/warp/customer/707/overload_private.shtml
Tips: route-map policy 10
controls the 172.20.x.x translation to 172.21.x.x
route-map policy 20
controls the normal 172.20.x.x NATting to the Internet
I believe you should be able to work out the exact config for your situation.
07-04-2002 01:54 AM
Hi, I have done a first draft of my configuration but I'm not sure about all the points for the route-map.
Here is a sample of the config I did.
I'm not sure about it, and it would be nice if you could give me advice on this one.
In the main site:
ip route 172.21.0.0 255.255.0.0 tunnel 0
ip route 172.22.0.0 255.255.0.0 tunnel 1
ip route 172.23.0.0 255.255.0.0 tunnel 2
In the first remote site:
tunnel 0
description access to main site via GRE tunnel
ip address unnumbered
tunnel source 195.x.x.x
tunnel destination 164.x.x.x
tunnel mode gre
ipx network 22xxxxx
ip nat outside
ip policy route-map test
no shutdown
int Eth0
ip address 195.x.x.x 255.255.255.248
ip nat outside
int Fastethernet0
ip address 172.20.0.0 255.255.0.0
ip nat inside
ip nat inside source list IANAT interface Eth0 overload
ip nat inside source route-map test int eth0
ip access-list extended IANAT
!remark control access to NAT translation
deny ip 195.x.x.x 0.0.0.7 any
permit ip 172.20.0.0 0.0.255.255 any
deny ip any any
access-list 102 deny ip 10.10.0.0 0.0.255.255 172.20.0.0 0.0.255.255
access-list 102 permit ip 10.10.0.0 0.0.255.255 any
access-list 103 permit ip 10.10.0.0 0.0.255.255 any
route-map test permit 10
!control the 172.20.x.x translate to 172.21.x.x
match ip address 102
route-map test permit 20
!control the normal 172.20.x.x natting to the internet
match ip address 103
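A fuller version of the policy-NAT design the replies describe, written as an added example for this thread and not taken from the poster's own configs. Each remote site keeps 172.20.0.0/16 on its LAN and translates it one-to-one into a site-specific /16 only for traffic leaving through the GRE tunnel, while Internet-bound traffic keeps the existing overload on the public interface; the main site then routes each translated /16 into the matching tunnel. The addresses come from the configs posted above (195.65.175.186 on the PILLET Ethernet0, 164.128.74.150 on the main site Serial1/0, 10.10.0.0/16 for the main backbone); the tunnel numbers, pool name, ACL numbers, route-map names and Customer 2's public address are my own choices or placeholders, not values from the thread.

```cisco
! ===== Remote site 1 (PILLET-style, LAN 172.20.0.0/16) =====
! Assumed: Tunnel0 is the GRE to the main site; hub backbone is 10.10.0.0/16.
interface Tunnel0
 description GRE to main site
 ip unnumbered FastEthernet0
 ip nat outside
 tunnel source Ethernet0
 tunnel destination 164.128.74.150
!
interface Ethernet0
 description Internet (public /29, from the posted config)
 ip address 195.65.175.186 255.255.255.248
 ip nat outside
!
interface FastEthernet0
 description LAN Pillet SA
 ip address 172.20.4.1 255.255.0.0
 ip nat inside
!
! Hub networks go into the tunnel; the GRE endpoint itself follows the default route.
ip route 10.10.0.0 255.255.0.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 195.65.175.185
!
! One-to-one pool: "type match-host" keeps the host part, so 172.20.x.y becomes 172.21.x.y.
! Site 2 would use 172.22.0.0/16 here, site 3 172.23.0.0/16, and so on.
ip nat pool TO-HUB 172.21.0.1 172.21.255.254 netmask 255.255.0.0 type match-host
!
! ACL 110: LAN traffic bound for the hub backbone (translated to 172.21.x.y)
access-list 110 permit ip 172.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
! ACL 111: everything else from the LAN (overloaded onto the public address)
access-list 111 deny   ip 172.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 111 permit ip 172.20.0.0 0.0.255.255 any
!
! The route-maps select the translation by destination AND outgoing interface,
! so the two NAT rules never compete for the same packet.
route-map NAT-HUB permit 10
 match ip address 110
 match interface Tunnel0
!
route-map NAT-INTERNET permit 10
 match ip address 111
 match interface Ethernet0
!
ip nat inside source route-map NAT-HUB pool TO-HUB
ip nat inside source route-map NAT-INTERNET interface Ethernet0 overload
!
! Check: the posted IAIN/IAOUT lists on Ethernet0 end with "deny ip any any log",
! so GRE (IP protocol 47) between the two public endpoints must be permitted there:
!   permit gre host 164.128.74.150 host 195.65.175.186   (in IAIN)
!   permit gre host 195.65.175.186 host 164.128.74.150   (in IAOUT)
! GRE itself carries the traffic in clear; confidentiality needs IPsec applied to the tunnel.

! ===== Main site (DGE_Router) =====
interface Tunnel0
 description GRE to customer 1 (sees 172.21.0.0/16)
 ip unnumbered Ethernet0/1
 tunnel source Serial1/0
 tunnel destination 195.65.175.186
!
interface Tunnel1
 description GRE to customer 2 (sees 172.22.0.0/16)
 ip unnumbered Ethernet0/1
 tunnel source Serial1/0
 tunnel destination CUSTOMER2_PUBLIC_IP   ! placeholder, not on the page
!
! Unique per-customer prefixes, so the routing table no longer has 172.20.0.0 twice.
ip route 172.21.0.0 255.255.0.0 Tunnel0
ip route 172.22.0.0 255.255.0.0 Tunnel1
!
! Check: the posted IAIN list on Serial1/0 ends with "deny ip any any", so add one
! "permit gre host <customer-public-ip> host 164.128.74.150" entry per customer.
```

Two points worth verifying on the box after applying this: "show ip nat translations" should show entries of the form 172.21.x.y <-> 172.20.x.y only for flows whose destination is 10.10.0.0/16, and Internet flows should still appear overloaded on 195.65.175.186. Because the hub-side pool entries are dynamic, a remote host becomes reachable from the hub only after it has sent something through the tunnel; hub-initiated sessions to a quiet host need a static entry in addition to the pool.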