Cisco Support Community
New Member

Multi Client VPNs with Overlapping Networks

I have a need to have several L2L vpns to different clients.  I have built the vpns under a single crypto map, but an issue has come up.

One of my clients requires me to NAT my inside address to my public address as he shares the same LAN subnet as I do.

Another of my clients shares the same subnet and wants me to NAT my internal IP to a specific subnet address within the same network.

How do I accomplish this?  I basically need to NAT my inside 10.10.x.x network for client B to 10.129.x.x.

I assume I will be using NAT ( ip nat inside source static network 10.10.x.x 10.129.x.x /24), but is there anyway to specify this nat statement for only this customer?  I assume any new customers will require similar juggling.

TIA

41 REPLIES

Re: Multi Client VPNs with Overlapping Networks

Todd,

You can assign a route-map to the STATIC NAT to specify that the rule takes effect only when going to a specific customer

ip nat inside source static network 10.10.x.x 10.129.x.x /24 route-map Customer_1

route-map Customer_1

  match ip address 199

  set ip next-hop x.x.x.x

The above STATIC NAT will only happen when ACL 199 matches the traffic (so you can specify the network to the remote VPN).

Federico.

New Member

Re: Multi Client VPNs with Overlapping Networks

Thank you Federico,

I can do this for each unique situation?  So I could conceivably have many NAT statements as indicated above, each pointing to a different Route-map?

Thanks again.

Re: Multi Client VPNs with Overlapping Networks

Yes, and not necessarily a different route map, but a different ACL to properly identify the traffic.

Federico.

New Member

Re: Multi Client VPNs with Overlapping Networks

I hate to ask, but could I bother you for a short config example?  I am afraid I am a little out of my league with this.


Thank you

Re: Multi Client VPNs with Overlapping Networks

No problem, for example:
Let's say that you have two tunnels with two sites:

Your side:
192.168.1.0/24
Remote side1:
192.168.2.0/24
Remote side2:
192.168.3.0/24

You want to NAT your traffic to 10.1.1.0/24 when going to side1 and to 10.2.2.0/24 when going to side2.

ip access-list extended 198
  permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended 199
  permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

route-map Customer_1
  match ip address 198
  set ip next-hop x.x.x.x
route-map Customer_2
  match ip address 199
  set ip next-hop x.x.x.x

ip nat inside source static network 192.168.1.0 10.1.1.0 /24 route-map Customer_1
ip nat inside source static network 192.168.1.0 10.2.2.0 /24 route-map Customer_2

Then, the interesting traffic will be from 10.1.x.0/24 to the remote sites.

Federico.

New Member

Re: Multi Client VPNs with Overlapping Networks

OK,

I have tried to get this configured and I cannot get the tunnel to come up.  I am including a scrubbed config if you wouldn't mind taking a look.

Current configuration : 2993 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RH2811-B
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 52000
enable secret xxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login userauthen local
!
!
aaa session-id common
no network-clock-participate wic 0
!
dot11 syslog
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip cef
!
!
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
voice-card 0
no dspfarm
!
archive
log config
  hidekeys
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 XXXXXXXXX address 206.xx.xx.xx
crypto isakmp key XXXXXXXXXX address 12.xx.xx.xx
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set VPN1-VPN esp-3des esp-sha-hmac
crypto ipsec transform-set VPN2-VPN esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 206.xx.xx.xx
set transform-set VPN1-VPN
match address 100
crypto map VPN 2 ipsec-isakmp
set peer 12.xxx.xx.xx
set transform-set VPN2-VPN
match address 101
!
!
!
controller T1 0/0/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24

interface FastEthernet0/0
description GHDSI INTERNAL LAN
ip address 10.10.xxx.xxx 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
description GHDSI EXTERNAL WAN
ip address 173.xxx.xxx.xxx 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map VPN
!
interface Serial0/0/0:0
description QWEST INTERNET CIRCUIT ID# DS1IT 14436097
no ip address
ip virtual-reassembly
shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 173.xxx.xxx.xxx
!
!
ip http server
no ip http secure-server
ip nat inside source route-map VPN1 interface FastEthernet0/1 overload
ip nat inside source static 10.10.xxx.xxx 10.129.40.0 route-map VPN2MAP
!
no logging trap
access-list 100 permit ip any any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any administratively-prohibited
access-list 101 permit ip any any
!
!
!
!
route-map VPN1 permit 10
match ip address 100
!
route-map VPN2 permit 10
match ip address 101
!
!
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password 7 0045120209520547
transport input telnet
!
scheduler allocate 20000 1000
end

Any help is greatly appreciated.

Re: Multi Client VPNs with Overlapping Networks

Some questions:


1. Which tunnel is not coming up? I see two (206.xx.xx.xx and 12.xxx.xx.xx)
2. For the first peer, you're sending all IP traffic (ACL 100), in this way no traffic will ever be sent through the second tunnel.
3. The route-map VPN2MAP does not show in the config.

Federico.

New Member

Re: Multi Client VPNs with Overlapping Networks

The first peer (VPN 1) is up and works.  The second peer (VPN 2) going to the 12 network will not come up.  This is the peer that requires that my 10.10.x.x network be NAT'd to 10.149.20.x prior to sending.

Re: Multi Client VPNs with Overlapping Networks

Todd,

One of the problems is that the ACL for interesting traffic for the first tunnel is sending "ip any any"

It means that all IP traffic is being sent through the tunnel that is already established.

There's no traffic that's going to be sent through the second tunnel.

What you need to do is:

1. Define only the interesting traffic that should be sent through the first tunnel (only between the appropriate networks)

2. Define the traffic for the second tunnel as well.

Federico.

New Member

Re: Multi Client VPNs with Overlapping Networks

Thank you for the additional help and please excuse my ignorance.

What should that acl look like?  permit ip MY INSIDE ADDRESS SUBNET to CUSTOMER INSIDE ADDRESS SUBNET or CUSTOMER PEER IP?

Re: Multi Client VPNs with Overlapping Networks

The crypto ACL should be a different ACL than the NAT ACL.

The crypto ACL (to define the VPN traffic) should be from your internal LAN to the remote LAN. On the remote end it should be a mirror.

The NAT ACL should define which traffic to NAT or to bypass NAT.

So, if your network is 1.1.1.0/24 and the remote network is 2.2.2.0/24

The crypto ACL should be:

access-list 170 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

And the NAT ACL should be:

access-list 160 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

(In case you want the traffic through the tunnel to bypass NAT)

If you want to NAT the traffic, then the NAT ACL should be defined as permit (and the interesting traffic will not be sourced from the real internal LAN, but from the NATed IPs)

Federico.

New Member

Re: Multi Client VPNs with Overlapping Networks

Does this look a little better?


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RH2811-B
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
no logging console
enable secret 5 $1$dd6D$n9e1IAQ54XJLMOYtMBwO31
enable password 7 015207005602084E
!
archive
log config
  hidekeys
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 GHdsI2^hE@lthD address 206.17.98.20
crypto isakmp key Meds01GhD! address 12.195.64.10
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set HEDI-VPN esp-3des esp-sha-hmac
crypto ipsec transform-set MEDSOLUTIONS-VPN esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 206.17.98.20
set transform-set HEDI-VPN
match address HEDI-CRYPTO-ACL
crypto map VPN 2 ipsec-isakmp
set peer 12.195.64.10
set transform-set MEDSOLUTIONS-VPN
match address MEDSOLUTIONS-CRYPTO-ACL
!
!
!
!
interface FastEthernet0/0
description GHDSI INTERNAL LAN
ip address 10.10.10.28 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
description GHDSI EXTERNAL WAN
ip address 173.210.58.197 255.255.255.240
ip nat outside
ip virtual-reassembly
shutdown
duplex full
speed 100
crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 173.210.58.193
ip route 12.195.64.10 255.255.255.255 173.210.58.193
!
!
ip http server
no ip http secure-server
ip nat inside source route-map HEDI interface FastEthernet0/1 overload
ip nat inside source static 10.10.10.0 10.129.40.0 route-map MEDSOLUTIONS
!
ip access-list extended HEDI-CRYPTO-ACL
permit ip 173.210.58.0 0.0.0.255 206.17.98.0 0.0.0.255
ip access-list extended HEDI-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 10.100.0.0 0.0.255.255
ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.10.10.0 0.0.0.255 12.195.64.0 0.0.0.255
ip access-list extended MEDSOLUTIONS-NAT-ACL
permit ip 10.129.40.0 0.0.0.255 10.10.131.0 0.0.0.255
!
no logging trap
snmp-server community ghdsi_public RO
!
route-map HEDI permit 10
match ip address HEDI-CRYPTO-ACL
!
route-map MEDSOLUTIONS permit 10
match ip address MEDSOLUTIONS-CRYPTO-ACL
!
!
!
!
control-plane
end

Re: Multi Client VPNs with Overlapping Networks

Exactly, it looks a lot better.

Are you able to establish both tunnels?

Federico.

New Member

Re: Multi Client VPNs with Overlapping Networks

I have not yet established the tunnels because the first peer is operational in production right now and being used, so I wanted to make sure that I had the config completely correct before loading it.

Does everything else look ok to you?

Basically, Peer 1 (VPN 1) needs my internal address nat'd to my public address prior to being encrypted, and currently it is working the way it is set up.  Of course, the permit ip any any guarantees that, but also excludes getting the second tunnel properly set up.

Peer 2 (VPN 2) needs to have my internal address nat'd to 10.139.40.0 prior to being encrypted and sent to his network.  The only host in his network that i need to talk to is 10.10.131.63.


Thanks again for all your help.


Todd

New Member

Re: Multi Client VPNs with Overlapping Networks

OK, i took a chance and no joy on either tunnel.

I could not ping either host and the tunnels would not come up.

New Member

Re: Multi Client VPNs with Overlapping Networks

OK.  Below is the current config.  After loading this, I could not ping either VPN from router or desktop. Both return Destination net unreachable.  Thoughts?


!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 GHdsI2^hE@lthD address 206.17.98.20
crypto isakmp key Meds01GhD! address 12.195.64.10
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set HEDI-VPN esp-3des esp-sha-hmac
crypto ipsec transform-set MEDSOLUTIONS-VPN esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 206.17.98.20
set transform-set HEDI-VPN
match address HEDI-CRYPTO-ACL
crypto map VPN 2 ipsec-isakmp
set peer 12.195.64.10
set transform-set MEDSOLUTIONS-VPN
match address MEDSOLUTIONS-CRYPTO-ACL
!
!
!
!
interface FastEthernet0/0
description GHDSI INTERNAL LAN
ip address 10.10.10.2 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
description GHDSI EXTERNAL WAN
ip address 173.210.58.197 255.255.255.240
ip nat outside
ip virtual-reassembly
shutdown
duplex full
speed 100
crypto map VPN
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
ip route 0.0.0.0 0.0.0.0 173.210.58.193
!
!
ip http server
no ip http secure-server
ip nat pool MEDSOLUTIONS 10.129.40.0 10.129.40.254 netmask 255.255.255.0
ip nat inside source route-map HEDI interface FastEthernet0/1 overload
ip nat inside source route-map MEDSOLUTIONS-NAT-ACL pool MEDSOLUTIONS
!
ip access-list extended HEDI-CRYPTO-ACL
permit ip any 206.17.98.0 0.0.0.255
ip access-list extended HEDI-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 10.100.0.0 0.0.255.255
ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 12.195.64.0 0.0.0.255
ip access-list extended MEDSOLUTIONS-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63
!
no logging trap
snmp-server community ghdsi_public RO
!
route-map HEDI permit 10
match ip address HEDI-NAT-ACL
!
route-map MEDSOLUTIONS permit 10
match ip address MEDSOLUTIONS-NAT-ACL
!

Re: Multi Client VPNs with Overlapping Networks

Basically, Peer 1 (VPN 1) needs my internal address nat'd to my public address prior to being encrypted, and currently it is working the way it is set up.  Of course, the permit ip any any guarantees that, but also excludes getting the second tunnel properly set up.

So, for VPN1:

ip access-list extended NAT_VPN_1
  permit ip 10.10.10.0 0.0.0.255 REMOTE_LAN

route-map VPN_1
  match ip address NAT_VPN_1
  set ip next-hop x.x.x.x

ip nat inside source route-map VPN_1 interface FastEthernet0/1 overload

access-list crypto1 permit ip host OUTSIDE_IP REMOTE_LAN

The above configuration, will NAT the traffic from 10.10.10.0/24 to the outside public IP of the router ONLY when going to the REMOTE_LAN

Peer 2 (VPN 2) needs to have my internal address nat'd to 10.139.40.0 prior to being encrypted and sent to his network.  The only host in his network that I need to talk to is 10.10.131.63.

ip access-list extended NAT_VPN_2
  permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63

route-map VPN_2
  match ip address NAT_VPN_2
  set ip next-hop x.x.x.x

ip nat pool newpool 10.139.40.1 10.139.40.254 netmask 255.255.255.0
ip nat inside source route-map VPN_2 pool newpool

access-list crypto2 permit ip 10.139.40.0 0.0.0.255 REMOTE_LAN

The above configuration will NAT the 10.10.10.0/24 to 10.139.40.0/24 when going to 10.10.131.63

Please check the configuration to see if it meets what you need.

Federico.

New Member

Re: Multi Client VPNs with Overlapping Networks

Hi again,

I am having no luck with this...should be easy.  Here is the config, but the tunnel never comes up.  A fresh pair of eyes is greatly appreciated. 


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RH2811C
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/1
! card type command needed for slot/vwic-slot 0/3
no logging buffered
no logging console
enable secret 5 $1$dd6D$n9e1IAQ54XJLMOYtMBwO31
enable password 7 015207005602084E
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
no ip domain lookup
!
!
voice-card 0
no dspfarm
!
archive
log config
  hidekeys
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Meds01GhD! address 12.195.64.10

crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set MEDSOLUTIONS esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 12.195.64.10
set transform-set MEDSOLUTIONS
match address MEDSOLUTIONS-CRYPTO-ACL
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
ip address 173.210.58.198 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 173.210.58.193
!
!
ip http server
no ip http secure-server
ip nat pool MEDSOLUTIONS 10.129.40.0 10.129.40.254 netmask 255.255.255.0
ip nat inside source route-map MEDSOLUTIONS pool MEDSOLUTIONS
!
ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 12.195.64.10
ip access-list extended MEDSOLUTIONS-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63
!
no logging trap
snmp-server community ghdsi_public RO
!
route-map MEDSOLUTIONS permit 10
match ip address MEDSOLUTIONS-NAT-ACL
!

Re: Multi Client VPNs with Overlapping Networks

Based on your last post...


We're trying the tunnel to 12.195.64.10

The first thing that should happen is that when the internal LAN 10.10.10.0/24 sends traffic to the remote LAN, it should be NATed to 10.129.40.0/24

ip access-list extended MEDSOLUTIONS-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63

route-map MEDSOLUTIONS permit 10
match ip address MEDSOLUTIONS-NAT-ACL

ip nat pool MEDSOLUTIONS 10.129.40.0 10.129.40.254 netmask 255.255.255.0
ip nat inside source route-map MEDSOLUTIONS pool MEDSOLUTIONS

Change the pool because it cannot start with IP 10.129.40.0 (that's the network address, it should start with 10.129.40.1)

Then, the crypto ACL:
ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 12.195.64.10

The crypto ACL should define the interesting traffic.
The destination should not be the other peer's public IP.
The destination should be the other end's internal LAN (network on the inside side of the router)

Federico.

New Member

Re: Multi Client VPNs with Overlapping Networks

Thank you and great catch......made the changes and still no joy.

Re: Multi Client VPNs with Overlapping Networks

Time to follow the path of the packet to see where the failure is...

Send packets from the machine on 10.10.10.x to the remote LAN.
The packets should get NATed - check this with "sh ip nat trans" and look for the source IP 10.10.10.x
If you see the translation getting built, then you should see the packet getting encrypted: "sh cry ips sa"

From this, let's determine if the problem is with NAT or with encryption.

Federico.

New Member

Re: Multi Client VPNs with Overlapping Networks

It looks like translations are correct, but the tunnel still does not come up.  I even replaced all the ACLs with a permit any any (as this is now the only VPN on this router)

RH2811C#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 10.129.40.2:500    173.210.58.198:500 12.195.64.10:500   12.195.64.10:500
RH2811C#

New Member

Re: Multi Client VPNs with Overlapping Networks

Here is my current config:


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RH2811C
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/1
! card type command needed for slot/vwic-slot 0/3
no logging buffered
no logging console
enable secret 5 $1$dd6D$n9e1IAQ54XJLMOYtMBwO31
enable password 7 015207005602084E
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
no ip domain lookup
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username tmanger privilege 15 secret 5 $1$9DgB$JABFxEuNr0GzK71L.DNJ9.
archive
log config
  hidekeys
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Meds01GhD! address 12.195.64.10 no-xauth
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set MEDSOLUTIONS esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 12.195.64.10
set transform-set MEDSOLUTIONS
match address 101
!
!
!
!
interface Loopback0
ip address 10.129.40.2 255.255.255.0
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
ip address 173.210.58.198 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map VPN
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
ip route 0.0.0.0 0.0.0.0 173.210.58.193
ip route 10.10.131.0 255.255.255.0 173.210.58.193
!
!
ip http server
no ip http secure-server
ip nat inside source route-map MEDSOLUTIONS interface Loopback0 overload
!
ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 12.195.64.10
ip access-list extended MEDSOLUTIONS-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63
!
no logging trap
access-list 101 permit ip any any
snmp-server community ghdsi_public RO
!
route-map MEDSOLUTIONS permit 10
match ip address 101
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password 7 0045120209520547
transport input telnet
!
scheduler allocate 20000 1000
!
end

Re: Multi Client VPNs with Overlapping Networks

We still have the crypto ACL incorrect.

ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 12.195.64.10

Instead of 12.195.64.10 (which is the public IP of the VPN peer), you need to define the REMOTE_LAN

What I mean with REMOTE_LAN is the internal subnet that you want to be able to access through the tunnel.

And please post the translation "sh ip nat trans" when sending a packet from 10.10.10.x to an IP belonging to the REMOTE_LAN

The translation that you attached is an ISAKMP connection.

Federico.

New Member

Re: Multi Client VPNs with Overlapping Networks

if you look at the config, although I left the definitions for MED* there, I basically changed it all to access list 101.

For the nat translations, i ping'd the inside far network (10.10.131.63) from 10.10.10.40 and then on the router did a sh ip nat trans, and that was the output

New Member

Re: Multi Client VPNs with Overlapping Networks

Here is the output after pinging from 10.10.10.x to 10.10.131.63.....see the first line

RH2811C#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.129.40.2:1     10.10.10.68:1      10.10.131.63:1     10.10.131.63:1
udp 10.129.40.2:500    173.210.58.197:500 12.195.64.10:500   12.195.64.10:500
RH2811C#

Re: Multi Client VPNs with Overlapping Networks

Ok,
The 10.10.10.68 is being NATed to 10.129.40.2 when going to 10.10.131.63
This is what you want, correct?

Don't use a permit ip any any as an ACL to NAT (just define the local subnet instead of any)


The crypto ACL I still see it wrong, this is the line I'm referring to:
ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 12.195.64.10
You see what I'm saying?

Also, why is 173.210.58.197 being NATed to 10.129.40.2 when going to 12.195.64.10?
Who is 173.210.58.197? This is ISAKMP traffic being NATed to the remote peer.
The tunnel should be established between 173.210.58.198 and 12.195.64.10

Please post your current NAT and crypto ACLs.

Federico.
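Added example (not from the thread, and not Cisco's code): a small Python model of the "path of the packet" check Federico describes, covering both his two-tunnel design earlier in the thread and the crypto-ACL mistake he is pointing at here. On IOS an inside-to-outside packet is translated by the NAT route-map first, and the crypto map is then matched against the post-NAT packet, so the NAT ACL has to be written in terms of the real LAN while the crypto ACL has to name the translated source and the remote LAN, never the peer's public IP. Addresses are taken from the posted configs; the assumptions are that HEDI's remote LAN is 10.100.0.0/16 (it appears only as the destination of HEDI-NAT-ACL, the thread never states it) and that 173.210.58.198 is the outside interface.

```python
"""Packet walk: IOS policy NAT first, then the crypto map is matched on the post-NAT packet.
Added example, not from the thread. Addresses are from the posted configs; HEDI's remote
LAN is ASSUMED to be 10.100.0.0/16 (it appears only in HEDI-NAT-ACL, never stated)."""
import ipaddress
from dataclasses import dataclass, field

OUTSIDE_IP = "173.210.58.198"                         # Fa0/1 of RH2811C
MED_POOL = [f"10.129.40.{i}" for i in range(1, 255)]  # starts at .1, not the network address
HEDI_NAT_ACL = "permit ip 10.10.10.0 0.0.0.255 10.100.0.0 0.0.255.255"
HEDI_CRYPTO_ACL = f"permit ip host {OUTSIDE_IP} 10.100.0.0 0.0.255.255"  # post-NAT src -> remote LAN
MED_NAT_ACL = "permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63"
MED_CRYPTO_WRONG = "permit ip 10.129.40.0 0.0.0.255 host 12.195.64.10"  # dst = peer's public IP
MED_CRYPTO_FIXED = "permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63"  # dst = remote host
ANY_ANY = "permit ip any any"


def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr_spec(tok, i):
    """Consume one IOS address spec ('any', 'host X', or 'X WILDCARD'); return (spec, next index)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' entries; 'ip access-list extended NAME' headers are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[0] in ("permit", "deny") and tok[1] == "ip":
            src, i = _addr_spec(tok, 2)
            dst, _ = _addr_spec(tok, i)
            aces.append((tok[0], src, dst))
    return aces

def _wc_match(addr, spec):
    """IOS wildcard mask: a 1 bit means 'don't care'."""
    net, wc = spec
    care = ~_ip(wc) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(net) & care)

def acl_permits(aces, src, dst):
    for action, s, d in aces:
        if _wc_match(src, s) and _wc_match(dst, d):
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

@dataclass
class NatRule:
    name: str              # route-map named in 'ip nat inside source route-map NAME ...'
    acl: list              # ACL from the route-map's 'match ip address'
    pool: list             # inside global addresses; one interface IP for '... interface X overload'
    overload: bool = False
    table: dict = field(default_factory=dict)  # inside local -> inside global ('sh ip nat trans')

    def translate(self, src):
        if src not in self.table:
            used = set(self.table.values())
            # PAT shares the single interface address; a dynamic pool hands out one address per host
            self.table[src] = self.pool[0] if self.overload else next(g for g in self.pool if g not in used)
        return self.table[src]

@dataclass
class CryptoEntry:
    seq: int
    peer: str
    acl: list  # the entry's 'match address' ACL

def packet_walk(src, dst, nat_rules, crypto_map):
    """One inside->outside packet: which NAT rule fired, the post-NAT source, and the crypto peer."""
    out = {"nat": None, "src": src, "peer": None}
    for rule in nat_rules:                                 # first matching NAT route-map wins
        if acl_permits(rule.acl, src, dst):
            out.update(nat=rule.name, src=rule.translate(src))
            break
    for entry in sorted(crypto_map, key=lambda e: e.seq):  # crypto map sees the translated packet
        if acl_permits(entry.acl, out["src"], dst):
            out["peer"] = entry.peer
            break
    return out                                             # peer None: leaves the router in the clear

def build(med_crypto=MED_CRYPTO_FIXED, med_nat=MED_NAT_ACL):
    """Fresh router state for the thread's two tunnels (HEDI = map entry 1, MEDSOLUTIONS = entry 2)."""
    nat_rules = [NatRule("HEDI", parse_acl(HEDI_NAT_ACL), [OUTSIDE_IP], overload=True),
                 NatRule("MEDSOLUTIONS", parse_acl(med_nat), MED_POOL)]
    crypto_map = [CryptoEntry(1, "206.17.98.20", parse_acl(HEDI_CRYPTO_ACL)),
                  CryptoEntry(2, "12.195.64.10", parse_acl(med_crypto))]
    return nat_rules, crypto_map

def demo():
    """Replay the thread's flows; each case starts from a fresh NAT table."""
    cases = {
        "med_wrong_crypto": (build(MED_CRYPTO_WRONG), "10.10.10.68", "10.10.131.63"),
        "med_fixed_crypto": (build(), "10.10.10.68", "10.10.131.63"),
        "hedi": (build(), "10.10.10.68", "10.100.5.9"),
        "internet": (build(), "10.10.10.68", "8.8.8.8"),
        "internet_any_any_nat": (build(med_nat=ANY_ANY), "10.10.10.68", "8.8.8.8"),
    }
    return {name: packet_walk(s, d, *state) for name, (state, s, d) in cases.items()}
```

Running demo() shows the flow to 10.10.131.63 being translated to 10.129.40.1 but matching no crypto entry while the crypto ACL names the peer IP (the packet would leave unencrypted toward the default route), matching entry 2 once the destination is the remote host, the HEDI flow being PATed to the outside address and matching entry 1, and a permit ip any any NAT ACL pulling ordinary internet traffic into the 10.129.40.0/24 pool, which is the reason Federico warns against it. The model covers inside-originated traffic only; it does not reproduce the ISAKMP translation seen in the sh ip nat trans output above.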

New Member

Re: Multi Client VPNs with Overlapping Networks

I altered what you indicated and went away from any any:

Here are the current crypto and nat acls:

ip access-list extended MEDSOLUTIONS-CRYPTO-ACL
permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63
ip access-list extended MEDSOLUTIONS-NAT-ACL
permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63

Your first statement is correct:  That is what I want.

I changed the crypto acl to the corrected info.  Does my NAT acl (above) look correct?

173.210.58.198 is my outside public interface.

Re: Multi Client VPNs with Overlapping Networks

Looks a lot better now ;-)

Now, we know the translation is taking place correctly.

After that, the encryption should kick in...

Please post now the "sh cry ips sa"

Federico.
