
Help with VPN using NAT.

Hi,

I'm in need of some urgent help please.

I have configured my VPN following this:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

Basically I'm NATting a whole subnet before sending it over the tunnel.

The only thing that differs is that I've used a route-map with my static translation:

ip nat inside source static network 172.24.0.0 172.25.0.0 /16 route-map CAP

route-map CAP permit 10
 match ip address 115

access-list 115 permit ip 172.24.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 115 permit ip 172.24.0.0 0.0.255.255 10.3.0.0 0.0.255.255

I can see that it is being translated:

router#sh ip nat trans
Pro  Inside global   Inside local    Outside local   Outside global
---  172.25.1.43     172.24.1.43     ---             ---

Subnet translation:
Inside global   Inside local    Outside local   Outside global  /prefix
172.25.0.0      172.24.0.0      ---             ---             /16

But it does not bring the tunnel up. In debug it appears to not even be attempting to initiate. I can see that the access list applied to the crypto map is not being hit.

HOWEVER when I add the untranslated subnet to the access-list, i.e.:

access-list 173 permit ip 172.25.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 173 permit ip 172.24.0.0 0.0.255.255 10.3.0.0 0.0.255.255

I can see the hit count incrementing for 172.24.0.0/16!!! I'm not sure how this is possible when it has been translated. This also brings the tunnel up (but not fully, as it's not configured on the other end, I'm just using it for testing).

Any ideas? Do I need a next hop address configured on my route map?

Any comments would be very much appreciated.

Thanks,

J

1 REPLY

Re: Help with VPN using NAT.

For instructions on how to configure a Network Address Translation Traversal (NAT-T) between Cisco VPN Clients located behind a Port Address Translation (PAT)/NAT device and a remote Cisco VPN Concentrator, refer to Configuring Multiple VPN Clients to a Cisco VPN 3000 Concentrator Using NAT-Traversal.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008010edf4.shtml
