Cisco Support Community

Help with NAT config please !

Hi,

I'm trying to hide my internal subnet in a VPN config to a remote destination. I'm OK with VPN configs, but not sure if my NATting is correct. I have the following:

internal subnet: 192.168.7.0 255.255.255.0

the subnet I would like to hide behind: 192.168.51.0 255.255.255.0

remote subnet: 192.168.243.0 255.255.255.252

access-list outside_cryptomap_50 permit ip 192.168.7.0 255.255.255.0 192.168.243.0 255.255.255.252

access-list VPN_NAT permit ip 192.168.51.0 255.255.255.0 192.168.243.0 255.255.255.252

global (outside) 2 192.168.51.0 255.255.255.0

nat (inside) 2 access-list VPN_NAT 0 0

isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode

crypto map outside_map 50 ipsec-isakmp

crypto map outside_map 50 match address outside_cryptomap_50

crypto map outside_map 50 set peer 1.1.1.1

crypto map outside_map 50 set transform-set ESP-3DES-SHA


Re: Help with NAT config please !

Hi,

I believe your NAT access-list should reference your local IPs so it should look like this:

access-list VPN_NAT permit ip 192.168.7.0 255.255.255.0 192.168.243.0 255.255.255.252

Please do remember to rate posts.

Paresh


Re: Help with NAT config please !

Just tried that, so my VPN_NAT access list is now the same as my crypto map. Is this right?

This is how it looks now:

access-list outside_cryptomap_50 permit ip 192.168.7.0 255.255.255.0 192.168.243.0 255.255.255.252

access-list VPN_NAT permit ip 192.168.7.0 255.255.255.0 192.168.243.0 255.255.255.252

global (outside) 2 192.168.51.0 255.255.255.0

nat (inside) 2 access-list VPN_NAT 0 0

isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode

crypto map outside_map 50 ipsec-isakmp

crypto map outside_map 50 match address outside_cryptomap_50

crypto map outside_map 50 set peer 1.1.1.1

crypto map outside_map 50 set transform-set ESP-3DES-SHA
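
Added example, not part of the thread or of Cisco's documentation: a small Python model that runs the ACL lines posted above against a sample inside host, showing which packets the policy-NAT ACL selects and which source address the crypto-map ACL then sees. It assumes NAT is evaluated before crypto-map matching on outbound traffic; the host and peer addresses, the use of the first pool address, and the `CRYPTO_TRANSLATED` line are constructed for illustration.

```python
import ipaddress

# ACL lines copied from the thread.
CRYPTO = "access-list outside_cryptomap_50 permit ip 192.168.7.0 255.255.255.0 192.168.243.0 255.255.255.252"
NAT_ORIGINAL = "access-list VPN_NAT permit ip 192.168.51.0 255.255.255.0 192.168.243.0 255.255.255.252"
NAT_REVISED = "access-list VPN_NAT permit ip 192.168.7.0 255.255.255.0 192.168.243.0 255.255.255.252"
GLOBAL_POOL = "192.168.51.0/255.255.255.0"  # from "global (outside) 2 ..."
# Constructed variant (not from the thread): crypto ACL written against the translated subnet.
CRYPTO_TRANSLATED = "access-list outside_cryptomap_50 permit ip 192.168.51.0 255.255.255.0 192.168.243.0 255.255.255.252"


def parse_acl(line):
    """Parse 'access-list NAME permit ip SRC SMASK DST DMASK' into two networks."""
    t = line.split()
    if len(t) != 8 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    return ipaddress.ip_network(f"{t[4]}/{t[5]}"), ipaddress.ip_network(f"{t[6]}/{t[7]}")


def acl_matches(acl_line, src, dst):
    """True when the packet's source and destination both fall inside the ACL's networks."""
    src_net, dst_net = parse_acl(acl_line)
    return ipaddress.ip_address(src) in src_net and ipaddress.ip_address(dst) in dst_net


def outbound(nat_acl, crypto_acl, src, dst):
    """Return (translated, source seen by the crypto ACL, crypto ACL match).

    Assumption: NAT is evaluated before crypto-map matching. Other NAT rules
    on the device are not modeled.
    """
    translated = acl_matches(nat_acl, src, dst)
    # Dynamic NAT would pick any free pool address; the first host stands in for it.
    pool_first = ipaddress.ip_network(GLOBAL_POOL).network_address + 1
    post_src = str(pool_first) if translated else src
    return translated, post_src, acl_matches(crypto_acl, post_src, dst)


if __name__ == "__main__":
    host, peer = "192.168.7.10", "192.168.243.1"  # constructed sample addresses
    for label, nat, crypto in [
        ("original VPN_NAT", NAT_ORIGINAL, CRYPTO),
        ("revised VPN_NAT", NAT_REVISED, CRYPTO),
        ("revised VPN_NAT + translated crypto ACL", NAT_REVISED, CRYPTO_TRANSLATED),
    ]:
        print(label, outbound(nat, crypto, host, peer))
```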
