cavacamite
asked on
Cisco ipsec vpn with NAT'ed address
Hello,
I have to create a site-to-site IPsec VPN with the local address NAT'ed before going over the tunnel. Would this config work? Any advice greatly appreciated. Thanks.
access-list 120 remark ACL for VPN traffic
access-list 120 remark host 192.168.a.b NAT'ed to 12.a.b.c
access-list 120 permit icmp host 12.a.b.c host 192.168.v.w
access-list 120 permit tcp host 12.a.b.c host 192.168.v.w eq ftp
!
crypto isakmp key presharedkey address 135.l.m.n
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mycryptomap 20 ipsec-isakmp
 set peer 135.l.m.n
 set transform-set myset
 match address 120
 reverse-route static
!
access-list 121 remark ACL for myroutemap route map
access-list 121 permit ip host 192.168.a.b host 192.168.v.w
!
route-map myroutemap permit 10
 match ip address 121
!
! static translation only fires for flows permitted by route-map myroutemap
ip nat inside source static 192.168.a.b 12.a.b.c route-map myroutemap
!
! crypto map goes on the outside (peer-facing) interface
interface FastEthernet0/0
 ip address 12.a.b.g 255.255.255.0
 ip nat outside
 crypto map mycryptomap
!
interface FastEthernet0/1
 ip address 192.168.a.g 255.255.255.0
 ip nat inside
Addendum:
The VPN device on my side is a 2801 router with Version 12.3(14)T2.
The host must only be NAT'ed for traffic to that single remote host. No NAT for VPN traffic to other networks.
Hi
snippet from
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml
IPsec NAT Transparency
The IPsec NAT Transparency feature introduces support for IP Security (IPsec) traffic to travel through Network Address Translation (NAT) or Point Address Translation (PAT) points in the network by addressing many known incompatibilities between NAT and IPsec. NAT Traversal is a feature that is auto detected by VPN devices. There are no configuration steps for a router that runs Cisco IOS Software Release 12.2(13)T and later. If both VPN devices are NAT-T capable, NAT Traversal is auto detected and auto negotiated.
ASKER
Thanks for the link.
What I'm trying to verify is whether the route-map config will work so that the NAT'ed address forms the tunnel only for traffic to that remote host, and does not NAT traffic for other VPN connections.
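The following is an added worked example, not part of the original question or any answer on this page. It models the policy the poster's config expresses: IOS processes inside-to-outside packets by applying NAT first and only then evaluating the crypto map ACL, so the route-map-conditioned static translation decides what source address the crypto ACL sees. The letter placeholders in the config (192.168.a.b, 12.a.b.c, 192.168.v.w) are replaced with constructed stand-in addresses, and 10.20.30.9 is a hypothetical host behind some other VPN peer whose crypto map entry is not shown on the page.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed stand-ins for the letter placeholders in the posted config
# (192.168.a.b, 12.a.b.c, 192.168.v.w); 10.20.30.9 is a hypothetical host
# behind another VPN peer that the poster's other crypto map entries would carry.
INSIDE_HOST = "192.168.10.5"     # 192.168.a.b, the real inside host
NAT_HOST = "203.0.113.5"         # 12.a.b.c, what the remote side should see
REMOTE_HOST = "192.168.20.7"     # 192.168.v.w, the single remote host
OTHER_VPN_HOST = "10.20.30.9"    # hypothetical host behind some other VPN peer


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "icmp", "tcp" or "udp" for a real packet
    dport: int = 0   # 0 for protocols without ports


# ACL entries as (protocol, source, destination, destination port or None).
# "ip" matches any protocol; a bare host address is treated as a /32.
ACL_120 = [                                   # crypto map "match address 120"
    ("icmp", NAT_HOST, REMOTE_HOST, None),
    ("tcp", NAT_HOST, REMOTE_HOST, 21),       # eq ftp
]
ACL_121 = [                                   # route-map myroutemap "match ip address 121"
    ("ip", INSIDE_HOST, REMOTE_HOST, None),
]


def acl_permits(entries, flow):
    """Return True if any entry permits the flow (implicit deny at the end)."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for proto, ace_src, ace_dst, dport in entries:
        if proto != "ip" and proto != flow.proto:
            continue
        if src not in ipaddress.ip_network(ace_src):
            continue
        if dst not in ipaddress.ip_network(ace_dst):
            continue
        if dport is not None and dport != flow.dport:
            continue
        return True
    return False


def apply_static_nat(flow):
    """Model 'ip nat inside source static INSIDE NAT route-map myroutemap':
    the translation fires only when the route-map's ACL permits the flow."""
    if flow.src == INSIDE_HOST and acl_permits(ACL_121, flow):
        return replace(flow, src=NAT_HOST)
    return flow


def inside_to_outside(flow):
    """Model IOS order of operations for inside->outside traffic: NAT runs
    first, then the crypto map ACL is evaluated against the translated packet.
    Returns (source address on the wire, whether crypto map entry 20 encrypts it)."""
    translated = apply_static_nat(flow)
    return translated.src, acl_permits(ACL_120, translated)


if __name__ == "__main__":
    cases = {
        "ftp to remote host": Flow(INSIDE_HOST, REMOTE_HOST, "tcp", 21),
        "ping to remote host": Flow(INSIDE_HOST, REMOTE_HOST, "icmp"),
        "udp to remote host": Flow(INSIDE_HOST, REMOTE_HOST, "udp", 53),
        "ssh to other VPN host": Flow(INSIDE_HOST, OTHER_VPN_HOST, "tcp", 22),
    }
    for name, flow in cases.items():
        wire_src, encrypted = inside_to_outside(flow)
        print(f"{name:24s} src on wire={wire_src:14s} encrypted by entry 20={encrypted}")
```

The first two cases show the intended behaviour: traffic to the remote host is translated to the NAT address and then matched by ACL 120. The ssh case shows the route map doing its job, since traffic to another destination keeps the real inside address (whether it is encrypted depends on the other crypto map entries, which are not on the page). The udp case is the one a practitioner should check: ACL 121 permits all IP to the remote host, so the packet is translated, but ACL 120 only lists ICMP and FTP, so nothing marks it for encryption and it would leave the outside interface in the clear with the public source address. Keeping the protocol scope of the route-map ACL and the crypto ACL aligned, or filtering the remainder, avoids that gap.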