Solved

Help configuring Site-Site VPN Using NAT on Cisco 2811

Posted on 2009-05-20
4
484 Views
Last Modified: 2012-05-07
I need to set up a site to site VPN between my office and a customer office.
This VPN will be used for about 30 specific pcs in the customers environment, each on a separate subnet, one on a subnet that matches mine.  Because of the matching subnet, they have asked me to NAT all incoming traffic as though it were from 10.100.120.1
Can someone provide the router instructions for me to configure this?

Office equipment:  Cisco 2811 IOS c2800nm-advipservicesk9-mz.124-24.T
Office outside:  1.2.0.1
Office inside:  192.168.3.0

Customer outside:  2.3.0.1
Customer inside:  A list of 30 machines including one at 192.168.3.100

NAT source address to 10.100.120.1
VPN Requirements:
Phase1:
      Mode:  Main
Pre-Shared Key:  THISISTHEKEY
Encryption:  3DES
Authentication:  MD5
SA Life Time:  28800
DH Group:  Group 2
Phase 2:
      Protocol:  ESP
      Encryption:  3DES
      Authentication:  MD5
      SA Lifetime:  86400
      Encapsulation:  Tunnel

      

0
Comment
Question by:tward000
  • 2
4 Comments
 
LVL 5

Accepted Solution

by:
ksims1129 earned 250 total points
ID: 24435778
They would need to do some translation on their side to help since you both have a 192.168.3.0 subnet
0
 

Author Comment

by:tward000
ID: 24435901
I had assumed that if all of my outbound traffic is NAT'ed to the source address  10.100.120.1 then they would only have to route traffic for 10.100.120.1 back to me without having to translate.  Is that assumption incorrect?
0
 
LVL 5

Assisted Solution

by:ksims1129
ksims1129 earned 250 total points
ID: 24435994
Yes thats correct but in order for your traffic to nat to that address you have to tell the nat process what to translate. If your going to send traffic to the customers 192.168.3.0  your customer would have to set up a nat rule for an additional subnet that you can translate to in order for traffic to make it accross. For instance, if you have a packet originating from 192.168.3.54 on your network to 192.168.3.11 on the customer site then by the nature of TCP/IP it will arp for the mac-address of the computer on the local network to send the packet to. In order for this to work you need the other end to nat their traffic so 192.168.3.11 on their end look as though its 10.168.3.11(or whatever) so that the router can differentiate what traffic is destined to where.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now