Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Problem with nat session between remote users and site behind a ipsec tunnel.

Hi all,

I would like to know what is necessary in my cisco ios easy vpn  configuration in order to allow remote users access to more than one  server on site B. I set up the Easy VPN configuration with the DVTI,but i have the issue that :  Remote users can initiate just one IP session with hosts of site B (just  one nat translation is available).

Trafic from site A to site B  has to be natted on an IP address in order to be allowed by site B  router.I set up the router in site A as describe below:

ip nat pool REMOTO_SERVI 172.18.235.33 172.18.235.33 netmask 255.255.255.0

ip nat inside source route-map REMOTO_SERVI pool REMOTO_SERVI overload

access-list 105 permit ip 192.168.98.0 0.0.0.255 172.18.240.0 0.0.15.255

access-list 105 permit ip host 172.18.235.33 172.18.240.0 0.0.15.255

route-map REMOTO_SERVI permit 10

match ip address 105

Is this possible ?

This is the topology scheme:

EASY_VPN.jpg

Can anyone help me ?

Thanks in advance,

2 REPLIES
Bronze

Re: Problem with nat session between remote users and site behin

I see an issue with the statement below

access-list 105 permit ip host 172.18.235.33 172.18.240.0 0.0.15.255

I understand that you want all your user traffic from site A 192.168.98.0/24 should go PAT (or NAT overload) to 172.18.235.33 over the ipsec tunnel to access servers on Site B (172.18.240.0 0.0.15.255). If this is correct, then do following config.

config t

no access-list 105 permit ip host 172.18.235.33 172.18.240.0 0.0.15.255

Create a new access rule, lets say 106 (considering there is no access rule106, if yes, you can use any other name of acl rule below)

access-list 106 permit ip host 172.18.235.33 172.18.240.0 0.0.15.255

Now, call access-list 106 under crypto configuration to match the vpn traffic. The router on site B should have a reverse of acl 106 for VPN.

HTH

Please do rate all helpful posts

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries
New Member

Re: Problem with nat session between remote users and site behin

Hi Mopaul,

thanks for your quick reply ....

The problem that i am facing is located in the translation from the remote users of site A to site B.

I already stablished an ipsec tunnel between site A and site B and it is working fine (lan of site A: 192.168.3.0/24 - LAN of site B: 172.18.240.0/20). Traffic from site A to site B is natted overload in ip address 172.18.235.33 in order to be accepted from site B.

Site A router is also an easy vpn server for remote users. These remote users (192.168.98.0/24) have to do the same process of site A lan users in order to connect to site B servers (remote users have to be natted overload in ip address 172.18.235.33 to access site B), here is where i have the problem. Sometimes i can stablished two different session from remote users to two servers of site B , but the majority of the time (99% of the time) I can only stablished one session, the other one throws an error.

if i look at the sh ip nat statistics :

pool REMOTO: netmask 255.255.255.0

        start 172.18.235.33 end 172.18.235.33

        type generic, total addresses 1, allocated 1 (100%), misses 132

I don´t really know what is going on with the configuration.

Is it more clear now ?

Thanks

325
Views
0
Helpful
2
Replies