Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

VPN, static nat from local subnets to remote host

Hello,

I have a following problem with static nat translation over vpn tunnel

My router is Cisco 1811 (let's call it central). We have a number of site-to-site VPNs between our offices. Those are set up with crypto ipsec to other cisco (871), linux distros, watchguards. Each office uses one of 172.16.x.0/24 subnets.

In here we have two WANs (which isn't that important - just giving a description to the config. there is no load balancing - rather a failover- which is not working not relevant now ), but our main one is 1.1.1.1. There is also a nat translation in use with route-map and pat translation in place.

The trick:

- there is a customer we need to create a site-to-site vpn with. We should have access to their machine, they should have no access to our resources. We need to support that machine. Their remote WAN is 2.2.2.2. Their subnet is 192.168.1.0/24. The host we're interested in is 192.168.1.10.

I created a loopback interface with ip 10.168.168.33/32. Then created a VPN between this loopback and the remote host. It is working. From my local subnet (172.16.3.0/24) I can reach it using 192.168.1.10. Till this point - everything is working like a charm.


What I want and need to do is:

- assign a "virtual" IP 172.16.3.20 for example to do a translation from 172.16.3.20 to 192.168.1.10

Why? So that any of my users from 172.16.x.0/24 subnets can ping/rdp/call 172.16.3.20 and will be nated to 192.168.1.10. I don't know what is on the other end. Right now for the test environment I'm using Mikrotik device. I cannot ask the customer to add each 172.16.x.0/24 to their ACL. It has to be transparrent for them - in fact I don't know whether 192.168.1.10 is not just another proxy on their side. What's more, there will be soon another machine on their side (192.168.1.11) that we need an access to as well.

I tried various "ip nat inside source" and none worked. Can you help?

Everyone's tags (3)
2 REPLIES

Re: VPN, static nat from local subnets to remote host

I changed the config so that now I have access to two hosts on the other side. Changes I've made are:

interface Loopback1
ip address 10.168.168.33 255.255.255.252

ip access-list extended nat_acl

deny   ip 172.16.3.0 0.0.0.255 192.168.10.0 0.0.0.255

ip access-list extended VPN-HOST_acl
permit ip 10.168.168.32 0.0.0.3 192.168.1.10 0.0.0.3

So multiple hosts are not an issue. But I still cannot do the translation. Any ideas?

Re: VPN, static nat from local subnets to remote host

Ok. Thanks to my friend I've got it solved.

First I had bad intentions I cannot use one of 172.16.3.0/24 addresses for nat if I'm using those in local subnet area. So I either will have to split my local subnet or use another one. Here's the config:

interface Loopback1

description Interface for NAT translations

ip address 172.16.3.128 255.255.255.128

ip nat outside

ip virtual-reassembly

!

interface Loopback10

description Interface for VPN connection

ip address 10.168.168.0 255.255.255.0

ip nat inside

ip nat enable

ip virtual-reassembly

!

interface Vlan3
description LAN
ip address 172.16.3.0 255.255.255.128
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1360
ip policy route-map inside-disp
!

ip nat inside source list NAT_VPNHOST_ACL interface Loopback10 overload

ip nat outside source static 192.168.1.10 172.16.3.129

ip access-list extended NAT_VPNHOST_ACL
permit ip 172.16.0.0 0.0.255.255 172.16.3.128 0.0.0.128
ip access-list extended VPN-HOST_acl
permit ip 10.168.168.0 0.0.0.255 192.168.1.0 0.0.0.255

ip access-list extended nat_acl

deny   ip 172.16.3.0 0.0.0.128 192.168.1.0 0.0.0.255

Hope this helps someone someday:)

1953
Views
0
Helpful
2
Replies
CreatePlease to create content