Solved

Help configuring Site-Site VPN Using NAT on Cisco 2811

Posted on 2009-05-20
493 Views
Last Modified: 2012-05-07
I need to set up a site to site VPN between my office and a customer office.
This VPN will be used for about 30 specific PCs in the customer's environment, each on a separate subnet, one on a subnet that matches mine. Because of the matching subnet, they have asked me to NAT all incoming traffic as though it were from 10.100.120.1.
Can someone provide the router instructions for me to configure this?

Office equipment:  Cisco 2811 IOS c2800nm-advipservicesk9-mz.124-24.T
Office outside:  1.2.0.1
Office inside:  192.168.3.0

Customer outside:  2.3.0.1
Customer inside:  A list of 30 machines including one at 192.168.3.100

NAT source address to 10.100.120.1
VPN Requirements:
Phase1:
      Mode:  Main
Pre-Shared Key:  THISISTHEKEY
Encryption:  3DES
Authentication:  MD5
SA Life Time:  28800
DH Group:  Group 2
Phase 2:
      Protocol:  ESP
      Encryption:  3DES
      Authentication:  MD5
      SA Lifetime:  86400
      Encapsulation:  Tunnel

      

Question by:tward000
4 Comments
 
LVL 5

Accepted Solution

by:
ksims1129 earned 250 total points
ID: 24435778
They would need to do some translation on their side to help, since you both have a 192.168.3.0 subnet.
 

Author Comment

by:tward000
ID: 24435901
I had assumed that if all of my outbound traffic is NAT'ed to the source address 10.100.120.1, then they would only have to route traffic for 10.100.120.1 back to me without having to translate. Is that assumption incorrect?
 
LVL 5

Assisted Solution

by:ksims1129
ksims1129 earned 250 total points
ID: 24435994
Yes, that's correct, but in order for your traffic to NAT to that address you have to tell the NAT process what to translate. If you're going to send traffic to the customer's 192.168.3.0, your customer would have to set up a NAT rule for an additional subnet that you can translate to in order for traffic to make it across. For instance, if you have a packet originating from 192.168.3.54 on your network to 192.168.3.11 on the customer site, then by the nature of TCP/IP it will ARP for the MAC address of the computer on the local network to send the packet to. In order for this to work you need the other end to NAT their traffic so 192.168.3.11 on their end looks as though it's 10.168.3.11 (or whatever), so that the router can differentiate what traffic is destined to where.
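Worked configuration for the office 2811, added here as an example; it is not from the original poster or from ksims1129, and it follows the approach the accepted answer describes: the customer presents their 30 hosts behind a non-overlapping range (assumed here to be 10.168.3.0/24, in the spirit of the 10.168.3.11 example above), and the office router translates every packet bound for that range to 10.100.120.1 before encrypting it. Interface names and subnet masks, the ACL, pool and crypto map names, and the customer's translated range are assumptions; the IKE and IPsec parameters and the peer addresses are taken from the question. In production you would list each of the 30 hosts (or their actual translated subnets) in both ACLs rather than a single /24.

```cisco
! ---- Phase 1 (IKE/ISAKMP), exactly as the customer specified ----
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
! Bind the pre-shared key to the customer's peer address only
crypto isakmp key THISISTHEKEY address 2.3.0.1

! ---- Phase 2 (IPsec) ----
crypto ipsec transform-set CUST-TS esp-3des esp-md5-hmac
 mode tunnel

! Interesting traffic for the tunnel. On the outbound path IOS applies
! inside-to-outside NAT before encryption, so the crypto ACL must match
! the TRANSLATED source (10.100.120.1), not 192.168.3.0/24.
! 10.168.3.0/24 is the customer's assumed translated range.
ip access-list extended CUST-VPN-ACL
 permit ip host 10.100.120.1 10.168.3.0 0.0.0.255

crypto map CUST-MAP 10 ipsec-isakmp
 description Site-to-site to customer (2.3.0.1)
 set peer 2.3.0.1
 set transform-set CUST-TS
 set security-association lifetime seconds 86400
 match address CUST-VPN-ACL

! ---- NAT: all office hosts appear as 10.100.120.1 toward the customer ----
! Single-address pool; "overload" (PAT) lets every 192.168.3.x host share it.
ip nat pool CUST-NAT 10.100.120.1 10.100.120.1 netmask 255.255.255.0
! Policy NAT: translate ONLY traffic destined for the customer's range,
! so normal office traffic is untouched by this rule.
ip access-list extended CUST-NAT-ACL
 permit ip 192.168.3.0 0.0.0.255 10.168.3.0 0.0.0.255
ip nat inside source list CUST-NAT-ACL pool CUST-NAT overload

! ---- Interfaces (names and masks are assumptions) ----
interface FastEthernet0/0
 description Outside
 ip address 1.2.0.1 255.255.255.0
 ip nat outside
 crypto map CUST-MAP
!
interface FastEthernet0/1
 description Inside office LAN
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
```

Two caveats a practitioner will hit. First, if the router already has an Internet NAT rule such as `ip nat inside source list <X> interface FastEthernet0/0 overload`, add `deny ip 192.168.3.0 0.0.0.255 10.168.3.0 0.0.0.255` at the top of that ACL so customer-bound traffic is not translated to the public address and silently bypasses the crypto map. Second, return traffic from the customer to 10.100.120.1 is decrypted and then un-translated through the existing PAT entry, so office-initiated sessions work, but the customer cannot initiate connections to individual office hosts without static translations. To verify, bring up the tunnel by pinging a customer host from an inside PC, then check `show crypto isakmp sa` (state should be QM_IDLE), `show crypto ipsec sa peer 2.3.0.1` (encaps/decaps counters increasing) and `show ip nat translations` (entries with inside global 10.100.120.1). Note that 3DES, MD5 and a 28800-second Phase 1 lifetime are what the customer required; they are legacy choices, and AES with SHA should be negotiated if the customer allows it. The PSK is stored in the running config in cleartext unless `service password-encryption` is set, and even then only as reversible type 7, so treat config backups as secrets.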
