
Help with NAT over DSL VPN

Andy White
Level 3

Hello,

I have configured a Cisco VPN from a Cisco 877 DSL router to a Cisco ASA.  All is working, but I have one final request to complete.

From the DSL side they have these portable devices that use 3G and home wifi to connect to a public IP (80.170.156.78) to upload and download work.  I have installed wifi in this remote location where the DSL router is for these devices to use but they are trying to get to this public IP address through the VPN. These portable devices are hard coded to get to this public IP which is located on the other side of the VPN where the ASA is.  It is basically a web server in the DMZ off the ASA.

I have managed to get the remote office to ping the inside IP of this public IP over the VPN, so I thought I could simply add a NAT to the DSL router to translate this public IP (80.170.156.78) to its private IP (192.168.15.8) but it doesn't work.  I thought I could use split tunneling, but don't know how to do that.

The DSL router can ping the inside IP over the VPN - 192.168.15.8 the outside is 80.170.156.78

So I added:

(config)# ip nat inside source static 80.170.156.78 192.168.15.8

Which didn't work so I added

interface Vlan1
 ip address 192.168.200.1 255.255.255.0
 ip nat inside

and

interface Dialer1
 ip address negotiated
 ip access-group inbound in
 ip nat outside

But still no luck, what am I doing wrong?

Thanks

Accepted Solutions

Jon Marshall
Hall of Fame

Andy

Can you try changing the NAT to -

ip nat outside source static 192.168.15.8 80.170.156.78

This means when you go to 80.170.156.78 it should then be translated to 192.168.15.8.  I assume this is what you want.

You may need to add a route for the 192.168.15.8 host pointing out of the IPSEC interface. You may also need to try both IPs in the acl that defines interesting traffic.

It would be a lot easier to do this on the ASA, i.e. a simple static NAT statement and then you make sure the acl that defines traffic for the VPN is referencing the public IP.

Jon

Thanks that worked.

So I put it on the wrong interface?  I guess the traffic is VPN traffic which is using the outside interface (dialer1)?

Do I still need the 'ip nat inside' command on the vlan 1, seems to work without?

Thanks

Andy

So I put it on the wrong interface?

No it was just that you needed an "ip nat source static outside ..." statement rather than an "ip nat inside source static ..." statement.

I would have thought you would need the "ip nat inside".

Shouldn't harm to leave it in.

Jon
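
The difference between the two NAT statements discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of how IOS rewrites a packet crossing from the inside to the outside interface and then checks it against the VPN's interesting-traffic ACL. The crypto ACL and the client address 192.168.200.50 are assumptions, since the thread does not show them.

```python
from ipaddress import ip_address, ip_network

# Addresses from the thread; the crypto ACL is an assumption (not shown in the thread).
PUBLIC, PRIVATE = ip_address("80.170.156.78"), ip_address("192.168.15.8")
CRYPTO_ACL = [(ip_network("192.168.200.0/24"), ip_network("192.168.15.0/24"))]  # assumed

def nat_inside_to_outside(src, dst, rule):
    """Rewrite a packet going from the 'ip nat inside' to the 'ip nat outside' interface.

    rule = (kind, a, b) mirrors 'ip nat <kind> source static a b':
      inside : a = inside local,   b = inside global -> rewrites the SOURCE a to b
      outside: a = outside global, b = outside local -> rewrites the DESTINATION b to a
    """
    kind, a, b = rule
    if kind == "inside" and src == a:
        src = b
    elif kind == "outside" and dst == b:
        dst = a
    return src, dst

def is_encrypted(src, dst):
    """True if the post-NAT packet matches the assumed interesting-traffic ACL."""
    return any(src in s and dst in d for s, d in CRYPTO_ACL)

def trace(client, rule):
    """Follow a handheld's packet to the hard-coded public IP through NAT, then crypto."""
    src, dst = nat_inside_to_outside(ip_address(client), PUBLIC, rule)
    return str(dst), is_encrypted(src, dst)

FIRST_TRY = ("inside", PUBLIC, PRIVATE)  # ip nat inside source static 80.170.156.78 192.168.15.8
ACCEPTED = ("outside", PRIVATE, PUBLIC)  # ip nat outside source static 192.168.15.8 80.170.156.78

if __name__ == "__main__":
    for name, rule in (("first try", FIRST_TRY), ("accepted", ACCEPTED)):
        dst, tunnelled = trace("192.168.200.50", rule)  # constructed client address
        print(f"{name:9}: destination after NAT = {dst}, enters VPN = {tunnelled}")
```

In this model the first statement leaves the destination as the public IP, so the packet never matches the tunnel ACL and would leave Dialer1 outside the VPN; the accepted statement rewrites the destination before the crypto check.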
