site to site vpn with

teymur azimov
Level 1

Hi dears.

I configured a site-to-site IPsec VPN on the routers.

At router 1 my local subnet is 192.168.10.1/24. My local users (192.168.10.0) must access the remote side, exactly the 172.17.0.130 server.

But the remote side has to see my IP address as 172.16.13.56/29, not my local IP addresses.

The question is: how can I do this with a site-to-site IPsec VPN?


mwinnett
Level 3

Teymur

Something like the following will do. The important thing is that you NAT before you encrypt. Therefore, we NAT to 172.16.13.56/29 and then encrypt this traffic towards 172.17.0.130. At the server side, encrypt back to the 172.16.13.56/29 subnet.

```
crypto isakmp policy 10
 authentication pre-share
! "cisco" is a placeholder pre-shared key
crypto isakmp key cisco address 172.16.2.2
!
! The transform set only-esp must be defined separately
! (crypto ipsec transform-set) with algorithms that match the peer
crypto map vpn1 10 ipsec-isakmp
 set peer 172.16.2.2
 set transform-set only-esp
 match address vpn-traffic
!
interface Ethernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface Ethernet1/0
 ip address 172.16.1.1 255.255.255.252
 ip nat outside
 crypto map vpn1
!
ip nat pool mswpool 172.16.13.56 172.16.13.63 netmask 255.255.255.248
ip nat inside source list nat-ipsec pool mswpool
ip route 0.0.0.0 0.0.0.0 172.16.1.254
!
! ACLs take wildcard masks: 0.0.0.255 for the inside /24, "host" for the single server
! NAT only traffic from the inside subnet to the remote server
ip access-list extended nat-ipsec
 permit ip 192.168.10.0 0.0.0.255 host 172.17.0.130
! The crypto ACL matches the post-NAT source addresses
ip access-list extended vpn-traffic
 permit ip 172.16.13.56 0.0.0.7 host 172.17.0.130
```

Matthew
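
The order of operations described in the reply (NAT first, then the crypto map check on the already translated packet), as an added Python model that is not part of the original thread. The `egress` helper, the host-match wildcards (0.0.0.0), the /24 source wildcard and the choice of the first usable pool address are assumptions made for illustration.

```python
import ipaddress

POOL = ipaddress.ip_network("172.16.13.56/29")   # NAT pool from the reply
SERVER = "172.17.0.130"                          # remote server from the question

def wildcard_match(addr, base, wildcard):
    """IOS ACL match: bits set in the wildcard are ignored, the rest must equal base.
    A wildcard of 0.0.0.0 is a single host; 255.255.255.255 matches every address."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, src, dst):
    """acl is a list of permit entries: (src_base, src_wildcard, dst_base, dst_wildcard)."""
    return any(wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)
               for sb, sw, db, dw in acl)

def egress(src, dst, nat_acl, crypto_acl):
    """Inside-to-outside path: translate first, then test the crypto ACL
    against the translated source address."""
    translated = src
    if acl_permits(nat_acl, src, dst):
        # Simplification: always hand out the first usable pool address.
        translated = str(next(POOL.hosts()))
    action = "encrypt" if acl_permits(crypto_acl, translated, dst) else "cleartext"
    return translated, action

# NAT ACL: inside /24 towards the server only.
NAT_ACL = [("192.168.10.0", "0.0.0.255", SERVER, "0.0.0.0")]
# Crypto ACL written against the post-NAT pool, as in the reply.
CRYPTO_POST_NAT = [("172.16.13.56", "0.0.0.7", SERVER, "0.0.0.0")]
# Crypto ACL written against the pre-NAT inside subnet (constructed counter-example).
CRYPTO_PRE_NAT = [("192.168.10.0", "0.0.0.255", SERVER, "0.0.0.0")]

if __name__ == "__main__":
    host = "192.168.10.25"  # constructed inside host
    for name, crypto in (("post-NAT ACL", CRYPTO_POST_NAT), ("pre-NAT ACL", CRYPTO_PRE_NAT)):
        print(name, egress(host, SERVER, NAT_ACL, crypto))
    # Traffic to any other destination is neither translated nor encrypted.
    print("other dst", egress(host, "198.51.100.7", NAT_ACL, CRYPTO_POST_NAT))
```

With the crypto ACL written against the inside subnet, the translated packet no longer matches it and leaves the outside interface unencrypted, which is why the `vpn-traffic` list has to name the pool addresses.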
