Configuring an IPSec Tunnel Between Routers with Duplicate LAN Subnets

Here's the problem

Network A - 10.0.0.0/8

Network B - 10.20.0.0/16

I'm trying to establish a VPN connection between the 2 networks but only providing access from and to a /24 on both ends, i.e.

Using this article as a reference works in principle for one network.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

Network A:

10.20.7.0/24 > NAT 172.16.61.0/24

10.30.0.0/24 > NAT 172.16.62.0/24

10.50.1.0/24 > NAT 172.16.67.0/24

Network B:

Here's where I have trouble: I need to set up the Cisco so that it NATs the 10.20.20.0/24 range to different 192.168.0.0/24 rules based on the destination, i.e.

NAT from 10.20.20.0/24 to 192.168.61.0/24 when destination is 172.16.61.0/24

NAT from 10.20.20.0/24 to 192.168.62.0/24 when destination is 172.16.62.0/24

NAT from 10.20.20.0/24 to 192.168.67.0/24 when destination is 172.16.67.0/24

Currently the VPN Phase 1 and 2 are connected and I can access individually the end network using the below command.

ip nat inside source static network 10.20.20.0 192.168.67.0 /24 no-alias

However, I cannot add multiple static network translations for the same 10.20.20.0/24 network. Is this possible?
Sandeep Gupta (Consultant) commented:
For multiple network translation you need to use dynamic NAT.

DClayden (Author) commented:
Can you explain how this can be done if I want to NAT the below networks?

10.20.20.0/24 - 192.168.60.0/24
10.20.20.0/24 - 192.168.61.0/24
10.20.20.0/24 - 192.168.67.0/24
Xvidalx commented:
Yes, you can.

Find "policy static NAT" in this article, and see if it helps:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042478

If I understood correctly, this will help you.
DClayden (Author) commented:
Unfortunately the device in question is a Cisco 891 router, so the ASA NAT config does not apply. I'm looking for an example config using router IOS.

Sandeep Gupta (Consultant) commented:
Try this.
Remember this config will work on IOS 12.4 and above.

object-group network NAT_TO
 range 192.168.60.0 192.168.60.255
 range 192.168.61.0 192.168.61.255
 range 192.168.67.0 192.168.67.255

! NAT Virtual Interface (NVI) form: "ip nat source" together with
! "ip nat enable" on both interfaces, instead of "ip nat inside"/"ip nat outside"
ip nat source list OUTBOUND_NAT_1 interface <<WAN>> overload

ip access-list extended OUTBOUND_NAT_1
 permit ip 10.20.20.0 0.0.0.255 object-group NAT_TO

int LAN
 ip nat enable

int WAN
 ip nat enable

Sandeep Gupta (Consultant) commented:
For a specific source to a specific destination:

ip access-list extended SPECIFIC_SRC_DEST
 permit ip 192.168.61.0 0.0.0.255 172.16.61.0 0.0.0.255
 permit ip 192.168.62.0 0.0.0.255 172.16.62.0 0.0.0.255
 permit ip 192.168.67.0 0.0.0.255 172.16.67.0 0.0.0.255
 permit ip any any

int WAN
 ip access-group SPECIFIC_SRC_DEST in
 ip access-group SPECIFIC_SRC_DEST out

DClayden (Author) commented:
Object-group commands are Cisco ASA and don't work on Cisco router IOS.

Sandeep Gupta (Consultant) commented:
Who says? This is a live example running on one of my routers:

Cisco 2921
IOS: c2900-universalk9-mz.SPA.151-4.M1.bin

Did you try it?

DClayden (Author) commented:
My mistake, the IOS version didn't allow it; I just upgraded and this works.

However, still no joy using the example above. I get no matches against the IPsec access-lists when testing.

Sandeep Gupta (Consultant) commented:
Can you post your scrubbed running config?

DClayden (Author) commented:
Got this working eventually, but only NATting the traffic at the remote end.

Thanks

DClayden (Author) commented:
No other comments were correct.
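For reference, this is what destination-based policy NAT for the asker's scenario looks like on IOS with the classic ip nat inside/outside model, using route-maps and match-host pools. It is an added example, not the configuration the asker ended up with or anything from Cisco's article; the interface names and the NAT61/ACL_NAT61/RM_NAT61 names are placeholders, and the crypto ACL must match the translated addresses because inside-to-outside NAT is applied before the crypto map is evaluated on the outside interface.

```cisco
! Destination-based policy NAT on IOS (classic "ip nat inside"/"ip nat outside").
! Assumed names: pools NAT6x, ACLs ACL_NAT6x, route-maps RM_NAT6x, Gi0/0 = LAN, Gi8 = WAN.
! "type match-host" keeps the host part of the address, so 10.20.20.15 becomes
! 192.168.61.15 when talking to 172.16.61.0/24 and 192.168.62.15 for 172.16.62.0/24.
ip nat pool NAT61 192.168.61.1 192.168.61.254 netmask 255.255.255.0 type match-host
ip nat pool NAT62 192.168.62.1 192.168.62.254 netmask 255.255.255.0 type match-host
ip nat pool NAT67 192.168.67.1 192.168.67.254 netmask 255.255.255.0 type match-host
!
! One ACL per remote subnet: the source is always the real LAN, the destination
! decides which pool (and therefore which 192.168.6x.0/24) is used.
ip access-list extended ACL_NAT61
 permit ip 10.20.20.0 0.0.0.255 172.16.61.0 0.0.0.255
ip access-list extended ACL_NAT62
 permit ip 10.20.20.0 0.0.0.255 172.16.62.0 0.0.0.255
ip access-list extended ACL_NAT67
 permit ip 10.20.20.0 0.0.0.255 172.16.67.0 0.0.0.255
!
route-map RM_NAT61 permit 10
 match ip address ACL_NAT61
route-map RM_NAT62 permit 10
 match ip address ACL_NAT62
route-map RM_NAT67 permit 10
 match ip address ACL_NAT67
!
! "reversible" lets sessions initiated from the remote side (towards 192.168.6x.y)
! create the translation too; without it only LAN-initiated traffic builds entries.
ip nat inside source route-map RM_NAT61 pool NAT61 reversible
ip nat inside source route-map RM_NAT62 pool NAT62 reversible
ip nat inside source route-map RM_NAT67 pool NAT67 reversible
!
! The crypto ACL sees packets after NAT on the way out, so it must reference the
! translated 192.168.6x.0/24 sources, not 10.20.20.0/24, or the tunnel never matches.
ip access-list extended CRYPTO_TO_NETWORK_A
 permit ip 192.168.61.0 0.0.0.255 172.16.61.0 0.0.0.255
 permit ip 192.168.62.0 0.0.0.255 172.16.62.0 0.0.0.255
 permit ip 192.168.67.0 0.0.0.255 172.16.67.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet8
 ip nat outside
```

Verify with "show ip nat translations" that a host talking to two different remote subnets gets two different 192.168.6x.y addresses, and with "show crypto ipsec sa" that the encaps counters for each SA increase.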