Cisco Support Community

New Member

site to site vpn with

Hi dears.

I configured a site-to-site IPsec VPN on the routers.

At router 1 my local subnet is 192.168.10.1/24. My local users (192.168.10.0) must access the remote side, specifically the 172.17.0.130 server.

But the remote side has to see my IP address as 172.16.13.56/29, not my local IP addresses.

The question is: how can I do this with a site-to-site IPsec VPN?

1 REPLY
Bronze

Teymur

Something like the following will do. The important thing is that you NAT before you encrypt. Therefore, we NAT to 172.16.13.56/29 and then encrypt this traffic towards 172.17.0.130. At the server side, encrypt back to the 172.16.13.56/29 subnet.

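! IKE phase 1: pre-shared key authentication with the remote peer
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 172.16.2.2
!
! Transform-set referenced by the crypto map below.
! The algorithms here are an assumption; they must match the peer.
crypto ipsec transform-set only-esp esp-aes esp-sha-hmac
!
crypto map vpn1 10 ipsec-isakmp
 set peer 172.16.2.2
 set transform-set only-esp
 match address vpn-traffic
!
! LAN side
interface Ethernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! WAN side: NAT happens first, then the crypto map is checked
interface Ethernet1/0
 ip address 172.16.1.1 255.255.255.252
 ip nat outside
 crypto map vpn1
!
ip nat pool mswpool 172.16.13.56 172.16.13.63 netmask 255.255.255.248
ip nat inside source list nat-ipsec pool mswpool
ip route 0.0.0.0 0.0.0.0 172.16.1.254
!
! Traffic to translate: local /24 to the remote server only
ip access-list extended nat-ipsec
 permit ip 192.168.10.0 0.0.0.255 host 172.17.0.130
! Traffic to encrypt: matched on the post-NAT source
ip access-list extended vpn-traffic
 permit ip 172.16.13.56 0.0.0.7 host 172.17.0.130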

Matthew
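
An added example, not part of the original reply and not Cisco code: a small Python model of the NAT-before-encrypt order described above, using the addresses from this thread. The function names and the deterministic pool pick are assumptions for illustration; the last two ACLs show how much a 0.0.255.255 source wildcard and a 255.255.255.255 destination wildcard match.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """IOS wildcard match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, src, dst):
    """acl is a list of permit entries (src_base, src_wc, dst_base, dst_wc)."""
    return any(wc_match(src, sb, sw) and wc_match(dst, db, dw)
               for sb, sw, db, dw in acl)

# NAT pool from the thread: 172.16.13.56 - 172.16.13.63
POOL = [str(ipaddress.IPv4Address("172.16.13.56") + i) for i in range(8)]

def egress(src, dst, nat_acl, crypto_acl):
    """Inside-to-outside order: NAT first, then the crypto map ACL check.
    Returns (source address after NAT, selected for the tunnel?)."""
    if acl_permits(nat_acl, src, dst):
        # Assumption: deterministic pool pick so the result is repeatable
        src = POOL[int(ipaddress.IPv4Address(src)) % len(POOL)]
    return src, acl_permits(crypto_acl, src, dst)

HOST = "0.0.0.0"  # wildcard equivalent of the `host` keyword
SERVER = "172.17.0.130"
NAT_ACL = [("192.168.10.0", "0.0.0.255", SERVER, HOST)]
CRYPTO_POST_NAT = [("172.16.13.56", "0.0.0.7", SERVER, HOST)]
# Crypto ACL written against the pre-NAT source: never matches after NAT
CRYPTO_PRE_NAT = [("192.168.10.0", "0.0.0.255", SERVER, HOST)]
# Wide wildcards: any 192.168.x.x source, any destination
WIDE_NAT = [("192.168.10.0", "0.0.255.255", SERVER, "255.255.255.255")]
WIDE_CRYPTO = [("172.16.13.56", "0.0.0.7", SERVER, "255.255.255.255")]

if __name__ == "__main__":
    cases = [  # constructed sample flows
        ("post-NAT crypto ACL", "192.168.10.25", SERVER, NAT_ACL, CRYPTO_POST_NAT),
        ("pre-NAT crypto ACL", "192.168.10.25", SERVER, NAT_ACL, CRYPTO_PRE_NAT),
        ("other destination", "192.168.10.25", "198.51.100.7", NAT_ACL, CRYPTO_POST_NAT),
        ("wide wildcards", "192.168.77.9", "198.51.100.7", WIDE_NAT, WIDE_CRYPTO),
    ]
    for name, s, d, n, c in cases:
        print(f"{name}: {s} -> {d} gives {egress(s, d, n, c)}")
```

With the wide wildcards, a host outside 192.168.10.0/24 sending to an unrelated destination is both translated and selected for the tunnel, which is why the ACL entries should pin the /24 source and the single server host.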
