• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 928
  • Last Modified:

Configuring an IPSec Tunnel Between Routers with Duplicate LAN Subnets

Here's the problem

Network A - 10.0.0.0/8

Network B - 10.20.0.0/16

I'm trying to establish a VPN connection between the 2 networks but only providing access from and to a /24 on both ends IE

Using this article as a reference works in principle for one network.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

Network A:

10.20.7.0/24 > NAT 172.16.61.0/24

10.30.0.0/24 > NAT 172.16.62.0/24

10.50.1.0/24 > NAT 172.16.67.0/24

Network B:

Heres where I have trouble - I need to setup the cisco so that it NAT's the 10.20.20.0/24 range to different 192.168.0.0/24 rules based on the destination ie

NAT from 10.20.20.0/24 to 192.168.61.0/24 when destination is 172.16.61.0/24

NAT from 10.20.20.0/24 to 192.168.62.0/24 when destination is 172.16.62.0/24

NAT from 10.20.20.0/24 to 192.168.67.0/24 when destination is 172.16.67.0/24

Currently the VPN Phase 1 and 2 are connected and I can access individually the end network using the below command.

ip nat inside source static network 10.20.20.0 192.168.67.0 /24 no-alias

However I cannot add multiple static network translations for the same 10.20.20.0/24 network. Is this possible??
0
DClayden
Asked:
DClayden
  • 6
  • 5
1 Solution
 
Sandeep GuptaConsultantCommented:
for multiple network translation you need to use dynamic NAT
0
 
DClaydenAuthor Commented:
Can you explain how this can be done if I want to NAT the below networks?

10.20.20.0/24 - 192.168.60.0/24
10.20.20.0/24 - 192.168.61.0/24
10.20.20.0/24 - 192.168.67.0/24
0
 
XvidalxCommented:
yes u can

find "policy static NAT" in this article , and see if helps\

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042478

if i understodd this will help u
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
DClaydenAuthor Commented:
Unfortunately the device in question is a Cisco 891 router so the ASA NAT config does not apply. I'm looking for an example config using router IOS.
0
 
Sandeep GuptaConsultantCommented:
try this:
Remember this config will work on IOS 12.4 n above.

object-group network NAT_TO
range 192.168.60.0 192.168.60.255
range 192.168.61.0 192.168.61.255
range 192.168.67.0 192.168.67.255


ip nat source list OUTBOUND_NAT_1 interface <<WAN>> overload

ip access-list extended OUTBOUND_NAT_1
 permit ip 10.20.20.0 0.0.0.255 object-group NAT_TO

int LAN
ip nat enable

int WAN
ip nat enable
0
 
Sandeep GuptaConsultantCommented:
For Specific source to specific destination

ip access-list extended SPECIFIC_SRC_DEST
permit ip 192.168.61.0 0.0.0.255 172.16.61.0 0.0.0.255
permit ip 192.168.62.0 0.0.0.255 172.16.62.0 0.0.0.255
permit ip 192.168.67.0 0.0.0.255 172.16.67.0 0.0.0.255
permit ip any any

int WAN

ip access-group SPECIFIC_SRC_DEST in
ip access-group SPECIFIC_SRC_DEST out
0
 
DClaydenAuthor Commented:
Object-group commands are Cisco ASA and dont work on Cisco router IOS.
0
 
Sandeep GuptaConsultantCommented:
Who says..this is a live example running on one off my router

Cisco 2921
IOS: c2900-universalk9-mz.SPA.151-4.M1.bin

Did you try it?
0
 
DClaydenAuthor Commented:
My mistake IOS version didn't allow, just upgraded and this works.

However still no joy using the example above. I get no matches against the IPSEC access-lists when testing.
0
 
Sandeep GuptaConsultantCommented:
can you post your scribbled rnning config?
0
 
DClaydenAuthor Commented:
Got this working eventually but only NATting the traffic at the remote end.

Thanks
0
 
DClaydenAuthor Commented:
No other comments were correct.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 6
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now