Configuring NAT over LAN-to-LAN Between Cisco VPN 3000 and IOS Router

securantakra

Hi,

I have the following document about building a LAN2LAN VPN including NAT.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801ae24c.shtml

There's no problem doing this with the concentrator. Now I have to configure it on an IOS router, and for that I can't find any information. I have to NAT my private network to one official IP which has to be tunneled as my local LAN.

Does anyone have documentation about this scenario? I can't find any on the CCO.

Thanks for support

Accepted Solutions

timkaye

Hello.

The concentrators are very friendly units (IMHO) for doing VPNs and VPNs with NAT.

You build an ACL to define the traffic over the VPN (110) based on being NAT'd.

You then create an ACL to define what's NAT'd (111) and create a NAT statement accordingly.

Below is a sample configuration.

!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key vpnsrock!! address x.x.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-3DES-SHA
 match address 110
!
interface Fa0
 ip nat outside
 crypto map VPN
!
!
interface fa1
 ip nat inside
!
ip nat inside source list 111 interface fa0 overload
ip route 0.0.0.0 0.0.0.0 y.y.y.y
! ACL 110: traffic for the VPN, matched after NAT (source is the fa0 address)
access-list 110 permit ip fa0-ip wildcard-mask remote-network wildcard-mask
! ACL 111: traffic to be NAT'd (local network to remote network)
access-list 111 permit ip local-network wildcard-mask remote-network wildcard-mask
!
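A consistency check for the NAT-then-encrypt setup in the accepted answer, as an added example that is not part of the original post: on IOS, inside-to-outside NAT is applied before the crypto map is evaluated, so ACL 110 has to name the translated (outside interface) address as its source. The sample configs and all addresses are constructed, the input is assumed to be in running-config form, and the helper names (`acl`, `check`) are hypothetical.

```python
import ipaddress
import re

# Constructed sample (assumed values): 198.51.100.2 = outside interface,
# 10.1.1.0/24 = local LAN, 10.2.2.0/24 = remote LAN.
SAMPLE_OK = """\
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 match address 110
interface FastEthernet0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 crypto map VPN
ip nat inside source list 111 interface FastEthernet0 overload
access-list 110 permit ip host 198.51.100.2 10.2.2.0 0.0.0.255
access-list 111 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""
# Same config, but the crypto ACL names the pre-NAT LAN as its source.
SAMPLE_BAD = SAMPLE_OK.replace("host 198.51.100.2", "10.1.1.0 0.0.0.255")

def _take_net(tok):
    """Pop one ACL address spec ('host A' or 'A WILDCARD') off the token list."""
    first = tok.pop(0)
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    # Invert the wildcard into a netmask (contiguous wildcards only).
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok.pop(0))))
    return ipaddress.ip_network(f"{first}/{mask}", strict=False)

def acl(config, number):
    """Return [(source, destination)] for the 'permit ip' lines of a numbered ACL."""
    lines = re.findall(rf"^access-list {number} permit ip (.+)$", config, re.M)
    return [(_take_net(tok), _take_net(tok)) for tok in map(str.split, lines)]

def check(config):
    """Return findings; an empty list means the crypto ACL matches post-NAT traffic."""
    nat = re.search(r"^ip nat inside source list (\d+) interface (\S+) overload", config, re.M)
    cmap = re.search(r"^ match address (\d+)", config, re.M)
    if not nat or not cmap:
        return ["no interface-overload NAT statement or no crypto map match address"]
    addr = re.search(rf"^interface {re.escape(nat.group(2))}\n(?: .*\n)*? ip address (\S+)", config, re.M)
    if not addr:
        return [f"no ip address found on {nat.group(2)}"]
    outside = ipaddress.ip_network(addr.group(1) + "/32")
    nat_dsts = [dst for _, dst in acl(config, nat.group(1))]
    findings = []
    for src, dst in acl(config, cmap.group(1)):
        if src != outside:  # outbound NAT runs before the crypto map check
            findings.append(f"crypto ACL source {src} is not the NAT address {outside}")
        if not any(dst.subnet_of(n) for n in nat_dsts):
            findings.append(f"traffic to {dst} is not translated by ACL {nat.group(1)}")
    return findings
```

`check(SAMPLE_OK)` returns an empty list, while `check(SAMPLE_BAD)` reports the crypto ACL whose source is still the private LAN.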

2 Replies

Thanks for the suggestion, the solution is working fine.
