I have the following problem with static NAT translation over a VPN tunnel.
My router is a Cisco 1811 (let's call it central). We have a number of site-to-site VPNs between our offices. Those are set up with crypto IPsec to other Cisco (871), Linux distros, and WatchGuards. Each office uses one of the 172.16.x.0/24 subnets.
Here we have two WANs (which isn't that important, I'm just describing the config; there is no load balancing, rather a failover, which is not working, but that's not relevant now), but our main one is 184.108.40.206. There is also a NAT translation in use, with a route-map and PAT translation in place.
- there is a customer we need to create a site-to-site VPN with. We should have access to their machine; they should have no access to our resources. We need to support that machine. Their remote WAN is 220.127.116.11. Their subnet is 192.168.1.0/24. The host we're interested in is 192.168.1.10.
I created a loopback interface with IP 10.168.168.33/32, then created a VPN between this loopback and the remote host. It is working. From my local subnet (172.16.3.0/24) I can reach it using 192.168.1.10. Up to this point, everything is working like a charm.
What I want and need to do is:
- assign a "virtual" IP, for example 172.16.3.20, to do a translation from 172.16.3.20 to 192.168.1.10
Why? So that any of my users from the 172.16.x.0/24 subnets can ping/RDP/call 172.16.3.20 and will be NATed to 192.168.1.10. I don't know what is on the other end. Right now for the test environment I'm using a Mikrotik device. I cannot ask the customer to add each 172.16.x.0/24 to their ACL. It has to be transparent for them; in fact I don't know whether 192.168.1.10 isn't just another proxy on their side. What's more, there will soon be another machine on their side (192.168.1.11) that we need access to as well.
I tried various "ip nat inside source" commands and none worked. Can you help?
Re: VPN, static nat from local subnets to remote host
OK. Thanks to my friend I've got it solved.
First, I had the wrong idea: I cannot use one of the 172.16.3.0/24 addresses for NAT if I'm using those in the local subnet area. So I will either have to split my local subnet or use another one. Here's the config:
description Interface for NAT translations
ip address 172.16.3.128 255.255.255.128
ip nat outside
description Interface for VPN connection
ip address 10.168.168.0 255.255.255.0
ip nat inside
ip nat enable
interface Vlan3
 description LAN
 ip address 172.16.3.0 255.255.255.128
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 ip policy route-map inside-disp
!
ip nat inside source list NAT_VPNHOST_ACL interface Loopback10 overload
ip nat outside source static 192.168.1.10 172.16.3.129
! wildcard 0.0.0.127 covers the whole 172.16.3.128/25; 0.0.0.128 would match only .128 and .0
ip access-list extended NAT_VPNHOST_ACL
 permit ip 172.16.0.0 0.0.255.255 172.16.3.128 0.0.0.127
ip access-list extended VPN-HOST_acl
 permit ip 10.168.168.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended nat_acl
 deny ip 172.16.3.0 0.0.0.127 192.168.1.0 0.0.0.255
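To check the translation chain this config sets up, here is an added Python simulation that is not part of the thread: it applies IOS wildcard-mask matching, runs a constructed inside packet through the inside-source PAT to Loopback10 and then the outside-source static mapping, and checks whether the result is "interesting traffic" for the crypto ACL VPN-HOST_acl. It assumes Loopback10 carries 10.168.168.33 (the loopback from the question; the answer does not show the address) and a sample inside host 172.16.5.40, and compares the /25 wildcard 0.0.0.127 with 0.0.0.128, which looks like 255.255.255.128 but matches only two addresses.

```python
from ipaddress import ip_address

# Values taken from the thread, except LOOPBACK10 (the answer does not show the
# Loopback10 address; the 10.168.168.33 loopback from the question is assumed).
LOOPBACK10 = "10.168.168.33"
# ip nat outside source static 192.168.1.10 172.16.3.129
OUTSIDE_STATIC = {"172.16.3.129": "192.168.1.10"}
# VPN-HOST_acl: permit ip 10.168.168.0 0.0.0.255 192.168.1.0 0.0.0.255
CRYPTO_ACL = [("10.168.168.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]
# NAT_VPNHOST_ACL with the /25 wildcard, and with 0.0.0.128 for comparison
NAT_ACL_127 = [("172.16.0.0", "0.0.255.255", "172.16.3.128", "0.0.0.127")]
NAT_ACL_128 = [("172.16.0.0", "0.0.255.255", "172.16.3.128", "0.0.0.128")]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care',
    so only the bits where the wildcard is 0 have to agree with base."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def acl_permits(acl, src, dst):
    """True if some (src, src_wc, dst, dst_wc) entry matches the pair."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in acl)


def translate(src, dst, nat_acl):
    """Inside-to-outside path of the posted config: the source is PATed to
    Loopback10 when nat_acl permits the flow, then the outside-source static
    entry turns the 'virtual' 172.16.3.129 back into the real 192.168.1.10.
    Returns (new_src, new_dst), or None when the flow never enters NAT."""
    if not acl_permits(nat_acl, src, dst):
        return None
    return LOOPBACK10, OUTSIDE_STATIC.get(dst, dst)


def check(nat_acl, src="172.16.5.40", dst="172.16.3.129"):
    """Translate a constructed inside packet and report whether the result
    is 'interesting traffic' for the crypto ACL, i.e. will enter the tunnel."""
    pair = translate(src, dst, nat_acl)
    return pair, bool(pair and acl_permits(CRYPTO_ACL, *pair))


if __name__ == "__main__":
    for name, acl in (("0.0.0.127", NAT_ACL_127), ("0.0.0.128", NAT_ACL_128)):
        print(name, check(acl))
    # 0.0.0.127 (('10.168.168.33', '192.168.1.10'), True)
    # 0.0.0.128 (None, False)
```

With 0.0.0.128 the packet to 172.16.3.129 never matches the NAT ACL, so it is neither translated nor encrypted; with 0.0.0.127 it leaves as 10.168.168.33 -> 192.168.1.10, which is exactly what the crypto ACL and the customer's side expect.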