Solved

Configuring an IPSec Tunnel Between Routers with Duplicate LAN Subnets

Posted on 2013-01-17
Last Modified: 2013-03-28
Here's the problem

Network A - 10.0.0.0/8

Network B - 10.20.0.0/16

I'm trying to establish a VPN connection between the two networks, but only providing access from and to a /24 on both ends, i.e.

Using this article as a reference works in principle for one network.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

Network A:

10.20.7.0/24 > NAT 172.16.61.0/24

10.30.0.0/24 > NAT 172.16.62.0/24

10.50.1.0/24 > NAT 172.16.67.0/24

Network B:

Here's where I have trouble - I need to set up the Cisco so that it NATs the 10.20.20.0/24 range to different 192.168.0.0/24 rules based on the destination, i.e.

NAT from 10.20.20.0/24 to 192.168.61.0/24 when destination is 172.16.61.0/24

NAT from 10.20.20.0/24 to 192.168.62.0/24 when destination is 172.16.62.0/24

NAT from 10.20.20.0/24 to 192.168.67.0/24 when destination is 172.16.67.0/24

Currently the VPN Phase 1 and 2 are connected and I can individually access the end network using the command below.

ip nat inside source static network 10.20.20.0 192.168.67.0 /24 no-alias

However, I cannot add multiple static network translations for the same 10.20.20.0/24 network. Is this possible?
Question by:DClayden
12 Comments
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38787197
For multiple network translations you need to use dynamic NAT.
LVL 1

Author Comment

by:DClayden
ID: 38787220
Can you explain how this can be done if I want to NAT the below networks?

10.20.20.0/24 - 192.168.60.0/24
10.20.20.0/24 - 192.168.61.0/24
10.20.20.0/24 - 192.168.67.0/24
LVL 1

Expert Comment

by:Xvidalx
ID: 38788531
Yes, you can.

Find "policy static NAT" in this article, and see if it helps:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042478

If I understood correctly, this will help you.
LVL 1

Author Comment

by:DClayden
ID: 38792132
Unfortunately the device in question is a Cisco 891 router so the ASA NAT config does not apply. I'm looking for an example config using router IOS.
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38792611
Try this. Remember this config will work on IOS 12.4 and above.

object-group network NAT_TO
range 192.168.60.0 192.168.60.255
range 192.168.61.0 192.168.61.255
range 192.168.67.0 192.168.67.255


ip nat source list OUTBOUND_NAT_1 interface <<WAN>> overload

ip access-list extended OUTBOUND_NAT_1
 permit ip 10.20.20.0 0.0.0.255 object-group NAT_TO

int LAN
ip nat enable

int WAN
ip nat enable
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38792647
For a specific source to a specific destination:

ip access-list extended SPECIFIC_SRC_DEST
permit ip 192.168.61.0 0.0.0.255 172.16.61.0 0.0.0.255
permit ip 192.168.62.0 0.0.0.255 172.16.62.0 0.0.0.255
permit ip 192.168.67.0 0.0.0.255 172.16.67.0 0.0.0.255
permit ip any any

int WAN

ip access-group SPECIFIC_SRC_DEST in
ip access-group SPECIFIC_SRC_DEST out
LVL 1

Author Comment

by:DClayden
ID: 38793041
Object-group commands are Cisco ASA and don't work on Cisco router IOS.
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38793057
Who says? This is a live example running on one of my routers.

Cisco 2921
IOS: c2900-universalk9-mz.SPA.151-4.M1.bin

Did you try it?
LVL 1

Author Comment

by:DClayden
ID: 38793410
My mistake, the IOS version didn't allow it; I just upgraded and this works.

However, still no joy using the example above. I get no matches against the IPsec access-lists when testing.
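An added Python model, not from the thread or from Cisco, of the destination-keyed NAT the question asks for, together with the IOS ordering point behind the "no matches against the IPsec access-lists" symptom in the comment above: inside-to-outside NAT runs before the crypto map is consulted, so a crypto ACL that names 10.20.20.0/24 as the source never sees the translated packets. The function names, the crypto ACL lists and the LAN overlap check are my own assumptions built from the addresses in the question.

```python
import ipaddress

# Constructed from the question: Network B's 10.20.20.0/24 must appear as a
# different 192.168.x.0/24 depending on which NATted Network A range it talks to.
INSIDE = ipaddress.ip_network("10.20.20.0/24")
POLICY_NAT = [  # (destination range, translated pool for 10.20.20.0/24)
    (ipaddress.ip_network("172.16.61.0/24"), ipaddress.ip_network("192.168.61.0/24")),
    (ipaddress.ip_network("172.16.62.0/24"), ipaddress.ip_network("192.168.62.0/24")),
    (ipaddress.ip_network("172.16.67.0/24"), ipaddress.ip_network("192.168.67.0/24")),
]

def translate_outbound(src, dst):
    """Destination-keyed static network NAT: keep the host bits, swap the /24."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in INSIDE:
        for dst_net, pool in POLICY_NAT:
            if dst in dst_net:
                return str(pool.network_address + (int(src) - int(INSIDE.network_address)))
    return str(src)  # no policy matched: forwarded untranslated

def untranslate_inbound(dst):
    """Return traffic: map a translated address back to the real 10.20.20.0/24 host."""
    dst = ipaddress.ip_address(dst)
    for _, pool in POLICY_NAT:
        if dst in pool:
            return str(INSIDE.network_address + (int(dst) - int(pool.network_address)))
    return str(dst)

def acl_matches(acl, src, dst):
    """Crypto ACL modelled as a list of (src_net, dst_net) permit entries."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in acl)

# On IOS, inside-to-outside NAT runs before the crypto map is consulted, so the
# crypto ACL must name the post-NAT 192.168.x.0/24 sources, not 10.20.20.0/24.
PRE_NAT_ACL = [(INSIDE, dst_net) for dst_net, _ in POLICY_NAT]
POST_NAT_ACL = [(pool, dst_net) for dst_net, pool in POLICY_NAT]

def is_encrypted(acl, src, dst):
    """Does a packet from src to dst hit the crypto ACL once NAT has run?"""
    return acl_matches(acl, translate_outbound(src, dst), dst)

def pools_disjoint(*lans):
    """Translated pools must not overlap each other or any real LAN on either side."""
    pools = [pool for _, pool in POLICY_NAT]
    nets = pools + [ipaddress.ip_network(lan) for lan in lans]
    return all(not p.overlaps(q) for p in pools for q in nets if p is not q)
```

Running `is_encrypted` with PRE_NAT_ACL reproduces the zero-match symptom for every 10.20.20.0/24 host, while POST_NAT_ACL matches; `pools_disjoint("10.0.0.0/8", "10.20.0.0/16")` confirms the 192.168.x pools stay clear of both overlapping LANs.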
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38798803
Can you post your scribbled running config?
LVL 1

Accepted Solution

by:DClayden
ID: 39014333
Got this working eventually but only NATting the traffic at the remote end.

Thanks
LVL 1

Author Closing Comment

by:DClayden
ID: 39028099
No other comments were correct.