Cisco Site-to-Site VPN with NAT Issues

Alex_Calcan
I have a Site-to-Site VPN like this:
A ---- Router A ---------- WAN --------- Router B ----- B

The running conf files of both routers are attached.

The problem I have is that a server on LAN A (172.18.21.10:80) is NATed on the same address that the VPN is running on. This makes that address invisible from LAN B (I cannot connect to http://172.18.21.10).

How can I fix this?
Router-A.txt
Router-B.txt
The way that I overcome this is to use GRE tunnels over IPSec to connect the remote sites.

There are several benefits to using GRE tunnels, such as avoiding NAT rules and the ability to use dynamic routing protocols.

Here's how you do it:

Changes to router A:

interface loopback 0
 ip address 172.31.255.1 255.255.255.252

! ACL matching the GRE packets between the two loopbacks
ip access-list extended 115
 permit gre host 172.31.255.1 host 172.31.255.5

interface tunnel 115
 ip address 172.30.255.1 255.255.255.252
 ! you can tweak this number
 ip tcp adjust-mss 1400
 tunnel source 172.31.255.1
 tunnel destination 172.31.255.5

! route to router B's loopback subnet (network address of the /30)
ip route 172.31.255.4 255.255.255.252 <internet next hop address>
ip route 192.168.2.0 255.255.255.0 172.30.255.2


Changes to router B:

interface loopback 0
 ip address 172.31.255.5 255.255.255.252

! ACL matching the GRE packets between the two loopbacks
ip access-list extended 115
 permit gre host 172.31.255.5 host 172.31.255.1

interface tunnel 115
 ip address 172.30.255.2 255.255.255.252
 ! you can tweak this number
 ip tcp adjust-mss 1400
 tunnel source 172.31.255.5
 tunnel destination 172.31.255.1

! route to router A's loopback subnet (network address of the /30)
ip route 172.31.255.0 255.255.255.252 <internet next hop address>
ip route 172.18.21.0 255.255.255.0 172.30.255.1
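
Added example (not part of the original answer): a way to work out how far the "ip tcp adjust-mss" value can be tweaked before the encrypted GRE packets no longer fit the WAN MTU. The 1500-byte WAN MTU, IPv4, ESP tunnel mode and the AES-CBC / HMAC-SHA1-96 defaults are assumptions, since the routers' crypto settings are not shown on this page; the function names are illustrative.

```python
"""Added example: sizing `ip tcp adjust-mss` for GRE over IPsec (IPv4)."""

IP_HDR = 20    # IPv4 header without options
TCP_HDR = 20   # TCP header without options
GRE_HDR = 4    # basic GRE header: no key, checksum or sequence number
ESP_HDR = 8    # SPI + sequence number


def esp_tunnel_size(inner_len, block=16, iv=16, icv=12, nat_t=False):
    """Size on the wire of an ESP tunnel-mode packet carrying inner_len bytes.

    Defaults are assumptions: AES-CBC (16-byte block and IV) with
    HMAC-SHA1-96 (12-byte ICV). Use block=8, iv=8 for 3DES.
    """
    # The ESP trailer adds pad-length and next-header bytes, and the
    # encrypted part is padded up to a multiple of the cipher block.
    padded = -(-(inner_len + 2) // block) * block
    size = IP_HDR + ESP_HDR + iv + padded + icv
    return size + 8 if nat_t else size   # NAT-T wraps ESP in UDP/4500


def encapsulated_size(mss, **esp):
    """Full-size TCP segment -> GRE -> ESP tunnel mode, in bytes."""
    tcp_packet = mss + TCP_HDR + IP_HDR
    gre_packet = tcp_packet + GRE_HDR + IP_HDR
    return esp_tunnel_size(gre_packet, **esp)


def max_safe_mss(wan_mtu=1500, **esp):
    """Largest MSS whose encrypted packet still fits in wan_mtu."""
    for mss in range(wan_mtu - IP_HDR - TCP_HDR, 0, -1):
        if encapsulated_size(mss, **esp) <= wan_mtu:
            return mss
    raise ValueError("WAN MTU too small for this encapsulation")


if __name__ == "__main__":
    for mss in (1400, max_safe_mss()):
        print(f"MSS {mss}: {encapsulated_size(mss)} bytes on the WAN")
```

Under these assumptions an MSS of 1400 produces 1528-byte ESP packets, which have to be fragmented after encryption on a 1500-byte WAN link, while 1374 is the largest value that still fits.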
