Solved

Help configuring Site-Site VPN Using NAT on Cisco 2811

Posted on 2009-05-20
4
488 Views
Last Modified: 2012-05-07
I need to set up a site to site VPN between my office and a customer office.
This VPN will be used for about 30 specific pcs in the customers environment, each on a separate subnet, one on a subnet that matches mine.  Because of the matching subnet, they have asked me to NAT all incoming traffic as though it were from 10.100.120.1
Can someone provide the router instructions for me to configure this?

Office equipment:  Cisco 2811 IOS c2800nm-advipservicesk9-mz.124-24.T
Office outside:  1.2.0.1
Office inside:  192.168.3.0

Customer outside:  2.3.0.1
Customer inside:  A list of 30 machines including one at 192.168.3.100

NAT source address to 10.100.120.1
VPN Requirements:
Phase1:
      Mode:  Main
Pre-Shared Key:  THISISTHEKEY
Encryption:  3DES
Authentication:  MD5
SA Life Time:  28800
DH Group:  Group 2
Phase 2:
      Protocol:  ESP
      Encryption:  3DES
      Authentication:  MD5
      SA Lifetime:  86400
      Encapsulation:  Tunnel

      

0
Comment
Question by:tward000
  • 2
4 Comments
 
LVL 5

Accepted Solution

by:
ksims1129 earned 250 total points
ID: 24435778
They would need to do some translation on their side to help since you both have a 192.168.3.0 subnet
0
 

Author Comment

by:tward000
ID: 24435901
I had assumed that if all of my outbound traffic is NAT'ed to the source address  10.100.120.1 then they would only have to route traffic for 10.100.120.1 back to me without having to translate.  Is that assumption incorrect?
0
 
LVL 5

Assisted Solution

by:ksims1129
ksims1129 earned 250 total points
ID: 24435994
Yes thats correct but in order for your traffic to nat to that address you have to tell the nat process what to translate. If your going to send traffic to the customers 192.168.3.0  your customer would have to set up a nat rule for an additional subnet that you can translate to in order for traffic to make it accross. For instance, if you have a packet originating from 192.168.3.54 on your network to 192.168.3.11 on the customer site then by the nature of TCP/IP it will arp for the mac-address of the computer on the local network to send the packet to. In order for this to work you need the other end to nat their traffic so 192.168.3.11 on their end look as though its 10.168.3.11(or whatever) so that the router can differentiate what traffic is destined to where.
0

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
BGP routing on Windows 2016 7 51
Problem to router 7 52
Open Port Forwarding but still can't connect RDP 9 46
Review of a VPN cert policy 4 27
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question