Solved

Configuring an IPSec Tunnel Between Routers with Duplicate LAN Subnets

Posted on 2013-01-17
919 Views
Last Modified: 2013-03-28
Here's the problem

Network A - 10.0.0.0/8

Network B - 10.20.0.0/16

I'm trying to establish a VPN connection between the two networks, but only providing access from and to a /24 on both ends, i.e.:

Using this article as a reference works in principle for one network.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

Network A:

10.20.7.0/24 > NAT 172.16.61.0/24

10.30.0.0/24 > NAT 172.16.62.0/24

10.50.1.0/24 > NAT 172.16.67.0/24

Network B:

Here's where I have trouble: I need to set up the Cisco so that it NATs the 10.20.20.0/24 range to different 192.168.0.0/24 rules based on the destination, i.e.:

NAT from 10.20.20.0/24 to 192.168.61.0/24 when destination is 172.16.61.0/24

NAT from 10.20.20.0/24 to 192.168.62.0/24 when destination is 172.16.62.0/24

NAT from 10.20.20.0/24 to 192.168.67.0/24 when destination is 172.16.67.0/24

Currently the VPN Phase 1 and Phase 2 are connected, and I can access the end network individually using the command below.

ip nat inside source static network 10.20.20.0 192.168.67.0 /24 no-alias

However, I cannot add multiple static network translations for the same 10.20.20.0/24 network. Is this possible?
0
Question by:DClayden
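As an added example (not the thread's own configuration, and not the author's working config), one way to express the destination-dependent translation asked for above on router IOS is to select a NAT pool with a route-map, keying each ACL on the destination /24 and using type match-host so the host portion of 10.20.20.x is preserved. The interface names Vlan1 (LAN) and GigabitEthernet0 (WAN) and the pool ranges are assumptions.

```cisco
! Added example, not from the thread. Interface names are assumptions.
! Each ACL matches on the DESTINATION (Network A's translated /24s); the pool
! chosen for it keeps the host bits (type match-host), so 10.20.20.5 becomes
! 192.168.61.5, 192.168.62.5 or 192.168.67.5 depending on where it is going.
ip access-list extended NAT_SRC_TO_61
 permit ip 10.20.20.0 0.0.0.255 172.16.61.0 0.0.0.255
ip access-list extended NAT_SRC_TO_62
 permit ip 10.20.20.0 0.0.0.255 172.16.62.0 0.0.0.255
ip access-list extended NAT_SRC_TO_67
 permit ip 10.20.20.0 0.0.0.255 172.16.67.0 0.0.0.255
!
route-map NAT_TO_61 permit 10
 match ip address NAT_SRC_TO_61
route-map NAT_TO_62 permit 10
 match ip address NAT_SRC_TO_62
route-map NAT_TO_67 permit 10
 match ip address NAT_SRC_TO_67
!
ip nat pool POOL_61 192.168.61.1 192.168.61.254 netmask 255.255.255.0 type match-host
ip nat pool POOL_62 192.168.62.1 192.168.62.254 netmask 255.255.255.0 type match-host
ip nat pool POOL_67 192.168.67.1 192.168.67.254 netmask 255.255.255.0 type match-host
!
ip nat inside source route-map NAT_TO_61 pool POOL_61
ip nat inside source route-map NAT_TO_62 pool POOL_62
ip nat inside source route-map NAT_TO_67 pool POOL_67
!
interface Vlan1
 ip nat inside
interface GigabitEthernet0
 ip nat outside
!
! The crypto (interesting-traffic) ACL must match the TRANSLATED source, not
! 10.20.20.0/24: IOS translates inside-to-outside traffic before the crypto map
! is evaluated, so an ACL written against 10.20.20.0/24 never gets a match.
ip access-list extended VPN_INTERESTING
 permit ip 192.168.61.0 0.0.0.255 172.16.61.0 0.0.0.255
 permit ip 192.168.62.0 0.0.0.255 172.16.62.0 0.0.0.255
 permit ip 192.168.67.0 0.0.0.255 172.16.67.0 0.0.0.255
```

Because these are dynamic translations, entries are created only by traffic initiated from 10.20.20.0/24; verify with show ip nat translations and the packet counters in show crypto ipsec sa.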
12 Comments
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38787197
For multiple network translation you need to use dynamic NAT.
0
 
LVL 1

Author Comment

by:DClayden
ID: 38787220
Can you explain how this can be done if I want to NAT the below networks?

10.20.20.0/24 - 192.168.60.0/24
10.20.20.0/24 - 192.168.61.0/24
10.20.20.0/24 - 192.168.67.0/24
0
 
LVL 1

Expert Comment

by:Xvidalx
ID: 38788531
Yes, you can.

Find "policy static NAT" in this article, and see if it helps:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042478

If I understood, this will help you.
0
 
LVL 1

Author Comment

by:DClayden
ID: 38792132
Unfortunately the device in question is a Cisco 891 router so the ASA NAT config does not apply. I'm looking for an example config using router IOS.
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38792611
Try this:
Remember, this config will work on IOS 12.4 and above.

object-group network NAT_TO
 range 192.168.60.0 192.168.60.255
 range 192.168.61.0 192.168.61.255
 range 192.168.67.0 192.168.67.255

ip nat source list OUTBOUND_NAT_1 interface <<WAN>> overload

ip access-list extended OUTBOUND_NAT_1
 permit ip 10.20.20.0 0.0.0.255 object-group NAT_TO

interface LAN
 ip nat enable

interface WAN
 ip nat enable
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38792647
For a specific source to a specific destination:

ip access-list extended SPECIFIC_SRC_DEST
 permit ip 192.168.61.0 0.0.0.255 172.16.61.0 0.0.0.255
 permit ip 192.168.62.0 0.0.0.255 172.16.62.0 0.0.0.255
 permit ip 192.168.67.0 0.0.0.255 172.16.67.0 0.0.0.255
 permit ip any any

interface WAN
 ip access-group SPECIFIC_SRC_DEST in
 ip access-group SPECIFIC_SRC_DEST out
0
 
LVL 1

Author Comment

by:DClayden
ID: 38793041
Object-group commands are Cisco ASA and don't work on Cisco router IOS.
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38793057
Who says? This is a live example running on one of my routers:

Cisco 2921
IOS: c2900-universalk9-mz.SPA.151-4.M1.bin

Did you try it?
0
 
LVL 1

Author Comment

by:DClayden
ID: 38793410
My mistake, the IOS version didn't allow it; I just upgraded and this works.

However, still no joy using the example above. I get no matches against the IPsec access-lists when testing.
0
 
LVL 9

Expert Comment

by:Sandeep Gupta
ID: 38798803
Can you post your scribbled running config?
0
 
LVL 1

Accepted Solution

by:
DClayden earned 0 total points
ID: 39014333
Got this working eventually, but only NATting the traffic at the remote end.

Thanks
0
 
LVL 1

Author Closing Comment

by:DClayden
ID: 39028099
No other comments were correct.
0
