Solved

Help configuring Site-Site VPN Using NAT on Cisco 2811

Posted on 2009-05-20
Last Modified: 2012-05-07
I need to set up a site to site VPN between my office and a customer office.
This VPN will be used for about 30 specific PCs in the customer's environment, each on a separate subnet, one on a subnet that matches mine. Because of the matching subnet, they have asked me to NAT all incoming traffic as though it were from 10.100.120.1.
Can someone provide the router instructions for me to configure this?

Office equipment:  Cisco 2811 IOS c2800nm-advipservicesk9-mz.124-24.T
Office outside:  1.2.0.1
Office inside:  192.168.3.0

Customer outside:  2.3.0.1
Customer inside:  A list of 30 machines including one at 192.168.3.100

NAT source address to 10.100.120.1
VPN Requirements:
Phase 1:
      Mode:  Main
      Pre-Shared Key:  THISISTHEKEY
      Encryption:  3DES
      Authentication:  MD5
      SA Lifetime:  28800
      DH Group:  Group 2
Phase 2:
      Protocol:  ESP
      Encryption:  3DES
      Authentication:  MD5
      SA Lifetime:  86400
      Encapsulation:  Tunnel

Question by:tward000
4 Comments
 
LVL 5

Accepted Solution

by:
ksims1129 earned 250 total points
ID: 24435778
They would need to do some translation on their side to help, since you both have a 192.168.3.0 subnet.
0
 

Author Comment

by:tward000
ID: 24435901
I had assumed that if all of my outbound traffic is NATed to the source address 10.100.120.1, then they would only have to route traffic for 10.100.120.1 back to me without having to translate. Is that assumption incorrect?
0
 
LVL 5

Assisted Solution

by:ksims1129
ksims1129 earned 250 total points
ID: 24435994
Yes, that's correct, but in order for your traffic to NAT to that address you have to tell the NAT process what to translate. If you're going to send traffic to the customer's 192.168.3.0, your customer would have to set up a NAT rule for an additional subnet that you can translate to in order for traffic to make it across. For instance, if you have a packet originating from 192.168.3.54 on your network to 192.168.3.11 on the customer site, then by the nature of TCP/IP it will ARP for the MAC address of the computer on the local network to send the packet to. In order for this to work you need the other end to NAT their traffic so 192.168.3.11 on their end looks as though it's 10.168.3.11 (or whatever), so that the router can differentiate what traffic is destined to where.
0
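Added worked example (editor's configuration, not posted by tward000 or ksims1129): the office-side IOS configuration that implements the design agreed in this thread on the 2811. Policy NAT translates only traffic bound for the customer's hosts to 10.100.120.1, and the crypto ACL matches the translated addresses, because IOS applies inside-source NAT before the crypto map on the way out and decrypts before NAT on the way in. The customer's translated range 10.168.3.0/24 (following the "10.168.3.11 or whatever" suggestion above), the non-overlapping customer host 172.16.20.10, the router's inside address 192.168.3.1, the outside mask and the next hop 1.2.0.254 are all assumptions; replace them with the customer's real list of 30 machines, one line per host in each ACL.

```cisco
! Assumed office-side configuration for the Cisco 2811 (c2800nm-advipservicesk9 12.4(24)T).
! Placeholders not given in the thread: inside router IP 192.168.3.1, outside
! next hop 1.2.0.254, customer's translated range 10.168.3.0/24, and one
! non-overlapping customer host 172.16.20.10.
!
! --- Phase 1 (ISAKMP): main mode is the default with pre-shared keys ---
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key THISISTHEKEY address 2.3.0.1
!
! --- Phase 2 (IPsec): ESP 3DES/MD5, tunnel mode (the default) ---
crypto ipsec transform-set CUSTOMER-TS esp-3des esp-md5-hmac
 mode tunnel
!
! Crypto ACL = what gets encrypted. IOS evaluates it AFTER inside-source NAT
! for outbound packets, so the source is the translated 10.100.120.1, not
! 192.168.3.0/24. Destinations are the customer's hosts as seen from here:
! non-overlapping hosts as-is, and the overlapping 192.168.3.100 at the
! address the customer translates it to (assumed 10.168.3.100).
ip access-list extended VPN-CUSTOMER
 permit ip host 10.100.120.1 host 172.16.20.10
 permit ip host 10.100.120.1 host 10.168.3.100
!
crypto map CUSTOMER-MAP 10 ipsec-isakmp
 set peer 2.3.0.1
 set transform-set CUSTOMER-TS
 set security-association lifetime seconds 86400
 match address VPN-CUSTOMER
!
! --- NAT ---
! Only traffic for the customer's hosts is translated to 10.100.120.1; this
! ACL must mirror the destinations in VPN-CUSTOMER. Everything else is PATed
! to the outside interface as normal. The explicit denies keep the two NAT
! rules disjoint, since IOS walks the ip nat statements in order.
ip access-list extended NAT-TO-CUSTOMER
 permit ip 192.168.3.0 0.0.0.255 host 172.16.20.10
 permit ip 192.168.3.0 0.0.0.255 host 10.168.3.100
ip access-list extended NAT-INTERNET
 deny ip 192.168.3.0 0.0.0.255 host 172.16.20.10
 deny ip 192.168.3.0 0.0.0.255 host 10.168.3.100
 permit ip 192.168.3.0 0.0.0.255 any
!
! One-address pool with overload: every office PC shares 10.100.120.1 (PAT).
ip nat pool CUSTOMER-POOL 10.100.120.1 10.100.120.1 netmask 255.255.255.0
ip nat inside source list NAT-TO-CUSTOMER pool CUSTOMER-POOL overload
ip nat inside source list NAT-INTERNET interface FastEthernet0/1 overload
!
interface FastEthernet0/0
 description Office LAN
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Internet
 ip address 1.2.0.1 255.255.255.0
 ip nat outside
 crypto map CUSTOMER-MAP
!
ip route 0.0.0.0 0.0.0.0 1.2.0.254
```

The customer side has to mirror this: a static translation of 10.168.3.100 to their 192.168.3.100, a route for 10.100.120.1/32 into the tunnel, and a crypto ACL that is the mirror image (their hosts as sources, host 10.100.120.1 as destination); if either side's crypto ACL does not mirror the other's, Phase 2 negotiation fails. Test from an office PC rather than from the router, because router-originated packets are not put through inside-source NAT, then check `show crypto isakmp sa` (expect QM_IDLE), `show crypto ipsec sa` (encaps/decaps counters rising) and `show ip nat translations` (office hosts mapped to 10.100.120.1). Two caveats: with PAT the customer only ever sees 10.100.120.1, so they cannot initiate connections to individual office PCs, which matches the "all incoming traffic as 10.100.120.1" requirement; and 3DES, MD5 and DH group 2 are the customer's stated parameters, not a recommendation, and are weak by current standards (AES, SHA-2 and group 14 or higher are preferable if the customer will accept them). The pre-shared key here is the placeholder from the question; use a long random key in production.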
