I have a problem with a VPN LAN-to-LAN between a Cisco 850 (12.4) and a Watchguard (11.1). I need to NAT the two private addresses because, on the Watchguard side, the Cisco subnet is already used. I have no problem creating the VPN tunnel and I see it up and running on the two devices, but I cannot browse the LAN.
! ISAKMP (phase 1) settings
crypto isakmp policy 20
!
crypto isakmp key XXXXXXXXXXX address 88.57.ghi.jkl
crypto isakmp keepalive 20 5
crypto isakmp aggressive-mode disable
!
! IPsec (phase 2) transform set and crypto map
crypto ipsec transform-set LAN2LANSET esp-3des esp-sha-hmac
!
crypto map LANTOLANMAP 20 ipsec-isakmp
 set peer 88.57.ghi.jkl
 set transform-set LAN2LANSET
 match address 120
!
no ip source-route
no ip gratuitous-arps
no ip domain lookup
!
! (parent ATM interface line is missing from the post)
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
! WAN sub-interface: NAT outside, crypto map applied here
interface ATM0.1 point-to-point
 ip address 88.40.abc.def 255.255.255.248
 ip nat outside
 no snmp trap link-status
 crypto map LANTOLANMAP
!
! (LAN interface line is missing from the post)
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
! PAT overload for everything the NONAT route-map permits
ip nat inside source route-map NONAT interface ATM0.1 overload
!
! ACL 110: exclude traffic towards the remote LAN from the overload NAT
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
! ACL 120: interesting traffic for the crypto map (translated LAN -> remote LAN)
access-list 120 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
!
route-map NONAT permit 10
 match ip address 110
With this configuration I can browse the Internet but NOT the VPN tunnel (because, I suppose, there is no NAT). If I add this:
ip nat inside source static network 192.168.1.0 192.168.3.0 /24 no-alias
I can browse the tunnel but not the Internet (because, I think, I redirect all the traffic through the tunnel). Is there a way to solve this situation? For the record, I cannot buy other hardware or change the two subnet addresses.