cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2899
Views
0
Helpful
6
Replies

IOS - Help with IPsec L2L VPN with NAT

jesper_petersen
Level 1
Level 1

Hello guys

I've been trying to get VPN to work for a specific scenario where I need to do NAT for the VPN traffic to avoid subnet overlapping.

I've found several guides on cisco.com, but all of those that I've found does not allow for (or show how) NAT overload (for internet traffic), which I need for my setup.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml

I basically need to know how the configuration looks like when you do static NAT through a VPN tunnel as well as provide internet connectivity using NAT in the same router?

I've attached a drawing that should better explain my needs.

Does anyone have know of a guide that show how to do this?

Best regards

Jesper

1 Accepted Solution

Accepted Solutions

You can use static policy NAT to NAT those traffic:

access-list 101 permit ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.0.255

access-list 102 deny ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.0.255

access-list 102 permit ip 10.0.0.0 0.0.0.255 any

route-map policy-NAT permit 10

     match ip address 101

route-map internet-NAT permit 10

     match ip address 102

ip nat inside source static network 10.0.0.0 10.30.10.0 /24 route-map policy-NAT

ip nat inside source route-map internet-NAT interface overload

Hope that helps.


View solution in original post

6 Replies 6

Theo Van Wyk
Level 1
Level 1

Hello

This is my test config for my lab I can vpn from outside into network but cannot access internet after vpn, must activate spit tunnel

Hope this helps

!

hostname Inernet

!

boot-start-marker

boot-end-marker

!

!

aaa new-model

!

!

aaa authentication login default group tacacs+ local

aaa authentication login xauthen group tacacs+ local

aaa authorization network groupauthor local

!

aaa session-id common

clock timezone Harare 2

ip cef

!

!

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

!

!

!

!

quit

username xxx privilege 15 password 7 xxxxx

!

!

!

no crypto xauth FastEthernet0

!

crypto isakmp policy 5

encr aes 256

authentication pre-share

group 2

!

crypto isakmp client configuration group test

key cisco123

dns 10.10.100.10

domain xxxxxx

pool vpnpool

netmask 255.255.255.0

!

!

crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac

!

crypto dynamic-map dynmap 5

set transform-set myset

!

!

crypto map test client authentication list xauthen

crypto map test isakmp authorization list groupauthor

crypto map test client configuration address respond

crypto map test 10 ipsec-isakmp dynamic dynmap

!

!

!

interface Loopback0

no ip address

!

interface Loopback1

ip address xxxxxx 255.255.255.248

!

interface Ethernet0

ip address xxxxxx 255.255.255.240

ip helper-address 168.210.2.2

ip nat outside

ip virtual-reassembly

full-duplex

crypto map test

!

interface FastEthernet0

ip address xxxxxx 255.255.255.252

ip nat inside

ip virtual-reassembly

speed auto

!

router eigrp 500

redistribute connected

redistribute static

passive-interface Ethernet0

network 10.30.100.0 0.0.0.3

network 10.60.100.0 0.0.0.7

no auto-summary

!

ip local pool vpnpool 10.60.100.10 10.60.100.20

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 196.33.38.65

!

ip http server

ip http authentication local

ip http secure-server

ip nat inside source route-map vpn clients interface Ethernet0 overload

ip tacacs source-interface Loopback0

!

access-list 101 remark vpn clients=16

access-list 101 deny ip any host 10.60.100.10

access-list 101 deny ip any host 10.60.100.11

access-list 101 deny ip any host 10.60.100.12

access-list 101 deny ip any host 10.60.100.13

access-list 101 deny ip any host 10.60.100.14

access-list 101 deny ip any host 10.60.100.15

access-list 101 deny ip any host 10.60.100.16

access-list 101 deny ip any host 10.60.100.17

access-list 101 deny ip any host 10.60.100.18

access-list 101 deny ip any host 10.60.100.19

access-list 101 deny ip any host 10.60.100.20

access-list 101 permit ip 10.0.0.0 0.255.255.255 any

route-map vpn clients permit 1

match ip address 101

!

tacacs-server host 10.10.100.30 key 7 141A06070D06

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

login authentication xauthen

transport input telnet

!

jesper_petersen
Level 1
Level 1

Hi Theo

Thank you for your reply. Unfortunately it's not what I'm seeking. I'm seeking information on how to NAT through a LAN-to-LAN VPN connection - not a remote access VPN, as you're using.

But thanks for taking the time to reply

Best regards,

Jesper

You can use static policy NAT to NAT those traffic:

access-list 101 permit ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.0.255

access-list 102 deny ip 10.0.0.0 0.0.0.255 10.30.10.0 0.0.0.0.255

access-list 102 permit ip 10.0.0.0 0.0.0.255 any

route-map policy-NAT permit 10

     match ip address 101

route-map internet-NAT permit 10

     match ip address 102

ip nat inside source static network 10.0.0.0 10.30.10.0 /24 route-map policy-NAT

ip nat inside source route-map internet-NAT interface overload

Hope that helps.


Hi halijenn

Ahh yes, of course. Still learning

I'm already in the process of trying it out, however i'm struggling with getting the router (ISR1812) to accept the command:

ip nat inside source static network 10.0.0.0 10.30.10.0 /24 route-map policy-NAT

It won't accept the route-map statement - could this be due to software or is it a hardware limitation?

The router is running:

Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)

----

SiteA(config)#ip nat inside source static network 10.0.0.0 10.30.10.0 /24 ?
  extendable  Extend this translation when used
  mapping-id  Associate a mapping id to this mapping
  no-alias    Do not create an alias for the global address
  no-payload  No translation of embedded address/port in the payload
  redundancy  NAT redundancy operation
  vrf         Specify vrf
 

Thx

Sorry to disappoint, but seems that the route-map option is only available for one to one static NAT:

ip nat inside source static 10.0.0.1 10.30.10.1 route-map policy-NAT

An option is to configure 254 lines of NAT statements with the route-map to cover the /24 subnet.

Sorry, didn't have any better way.

Hello again Halijenn

Ah yes, I can use that for now as it is only temporary.

Lets hope Cisco implements such a feature in the future

Thanks for all your help.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: