Solved

Configuring an IPSec Tunnel Between Routers with Duplicate LAN Subnets

Posted on 2013-01-17
Last Modified: 2013-03-28
Here's the problem

Network A - 10.0.0.0/8

Network B - 10.20.0.0/16

I'm trying to establish a VPN connection between the 2 networks but only providing access from and to a /24 on both ends, i.e.:

Using this article as a reference works in principle for one network.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

Network A:

10.20.7.0/24 > NAT 172.16.61.0/24

10.30.0.0/24 > NAT 172.16.62.0/24

10.50.1.0/24 > NAT 172.16.67.0/24

Network B:

Here's where I have trouble: I need to set up the Cisco so that it NATs the 10.20.20.0/24 range to different 192.168.0.0/24 rules based on the destination, i.e.

NAT from 10.20.20.0/24 to 192.168.61.0/24 when destination is 172.16.61.0/24

NAT from 10.20.20.0/24 to 192.168.62.0/24 when destination is 172.16.62.0/24

NAT from 10.20.20.0/24 to 192.168.67.0/24 when destination is 172.16.67.0/24

Currently the VPN Phase 1 and 2 are connected and I can individually access the end network using the command below.

ip nat inside source static network 10.20.20.0 192.168.67.0 /24 no-alias

However, I cannot add multiple static network translations for the same 10.20.20.0/24 network. Is this possible?
Question by:DClayden
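An added example of destination-based (policy) NAT on a Cisco IOS router, written for this page and not taken from the question, from any of the comments, or from Cisco's documentation. It is the Network B side of the design described above: one dynamic pool per remote /24, selected by a route-map whose ACL matches on the destination, with "type match-host" so that the host octet survives translation (10.20.20.15 becomes 192.168.61.15 when talking to 172.16.61.0/24). The addresses are the ones from the question; the pool, ACL, route-map, interface and crypto-map names are assumptions, as is the interface layout of the router.

```cisco
! Added example (not from the original question or any comment).
! Interface names, ACL/pool/route-map names and the crypto-map name are assumptions.
!
! One pool per remote /24. "type match-host" keeps the host part of the
! inside address, giving a 1:1 mapping instead of handing out pool addresses.
ip nat pool POOL_61 192.168.61.1 192.168.61.254 netmask 255.255.255.0 type match-host
ip nat pool POOL_62 192.168.62.1 192.168.62.254 netmask 255.255.255.0 type match-host
ip nat pool POOL_67 192.168.67.1 192.168.67.254 netmask 255.255.255.0 type match-host
!
! Selectors: same inside source each time, different far-end destination.
ip access-list extended NAT_TO_61
 permit ip 10.20.20.0 0.0.0.255 172.16.61.0 0.0.0.255
ip access-list extended NAT_TO_62
 permit ip 10.20.20.0 0.0.0.255 172.16.62.0 0.0.0.255
ip access-list extended NAT_TO_67
 permit ip 10.20.20.0 0.0.0.255 172.16.67.0 0.0.0.255
!
route-map RM_NAT_61 permit 10
 match ip address NAT_TO_61
route-map RM_NAT_62 permit 10
 match ip address NAT_TO_62
route-map RM_NAT_67 permit 10
 match ip address NAT_TO_67
!
! Bind each route-map to its pool. "reversible" lets the router build the
! translation for sessions that the far end initiates; without it, the first
! packet has to come from 10.20.20.0/24.
ip nat inside source route-map RM_NAT_61 pool POOL_61 reversible
ip nat inside source route-map RM_NAT_62 pool POOL_62 reversible
ip nat inside source route-map RM_NAT_67 pool POOL_67 reversible
!
! Classic inside/outside NAT (not the NVI "ip nat enable" style).
interface Vlan1
 description LAN (assumed interface)
 ip nat inside
interface FastEthernet8
 description WAN (assumed interface)
 ip nat outside
 crypto map VPN_MAP
!
! Inside-to-outside, IOS translates first and evaluates the crypto map second,
! so the crypto ACL must match the TRANSLATED sources. An ACL written for
! 10.20.20.0/24 here never matches and the tunnel carries nothing.
ip access-list extended CRYPTO_ACL
 permit ip 192.168.61.0 0.0.0.255 172.16.61.0 0.0.0.255
 permit ip 192.168.62.0 0.0.0.255 172.16.62.0 0.0.0.255
 permit ip 192.168.67.0 0.0.0.255 172.16.67.0 0.0.0.255
!
! Checks after applying:
!   show ip nat translations          (expect 192.168.6x.h <-> 10.20.20.h entries)
!   show access-lists CRYPTO_ACL      (match counters should increase)
!   show crypto ipsec sa | include pkts
```

The order of operations is the part worth checking first when a setup like this shows "no matches" on the IPsec access-lists: the crypto ACL and the far end's mirror ACL both have to describe the post-NAT 192.168.6x.0/24 addresses, never the raw 10.20.20.0/24 range. The same rule applies to any ACL applied outbound on the WAN interface, since it also sees translated packets.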
12 Comments
 
Expert Comment by: Sandeep Gupta (LVL 9)
For multiple network translations you need to use dynamic NAT.

Author Comment by: DClayden (LVL 1)
Can you explain how this can be done if I want to NAT the below networks?

10.20.20.0/24 - 192.168.60.0/24
10.20.20.0/24 - 192.168.61.0/24
10.20.20.0/24 - 192.168.67.0/24

Expert Comment by: Xvidalx (LVL 1)
Yes, you can.

Find "policy static NAT" in this article, and see if it helps:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042478

If I understood correctly, this will help you.

Author Comment by: DClayden (LVL 1)
Unfortunately the device in question is a Cisco 891 router so the ASA NAT config does not apply. I'm looking for an example config using router IOS.

Expert Comment by: Sandeep Gupta (LVL 9)
Try this. Remember this config will work on IOS 12.4 and above.

object-group network NAT_TO
 range 192.168.60.0 192.168.60.255
 range 192.168.61.0 192.168.61.255
 range 192.168.67.0 192.168.67.255
!
ip nat source list OUTBOUND_NAT_1 interface <<WAN>> overload
!
ip access-list extended OUTBOUND_NAT_1
 permit ip 10.20.20.0 0.0.0.255 object-group NAT_TO
!
int LAN
 ip nat enable
!
int WAN
 ip nat enable

Expert Comment by: Sandeep Gupta (LVL 9)
For a specific source to a specific destination:

ip access-list extended SPECIFIC_SRC_DEST
 permit ip 192.168.61.0 0.0.0.255 172.16.61.0 0.0.0.255
 permit ip 192.168.62.0 0.0.0.255 172.16.62.0 0.0.0.255
 permit ip 192.168.67.0 0.0.0.255 172.16.67.0 0.0.0.255
 permit ip any any
!
int WAN
 ip access-group SPECIFIC_SRC_DEST in
 ip access-group SPECIFIC_SRC_DEST out
 
Author Comment by: DClayden (LVL 1)
Object-group commands are Cisco ASA and don't work on Cisco router IOS.

Expert Comment by: Sandeep Gupta (LVL 9)
Who says? This is a live example running on one of my routers:

Cisco 2921
IOS: c2900-universalk9-mz.SPA.151-4.M1.bin

Did you try it?

Author Comment by: DClayden (LVL 1)
My mistake, the IOS version didn't allow it; I just upgraded and this works.

However still no joy using the example above. I get no matches against the IPSEC access-lists when testing.

Expert Comment by: Sandeep Gupta (LVL 9)
Can you post your scribbled running config?

Accepted Solution by: DClayden (LVL 1, earned 0 total points)
Got this working eventually but only NATting the traffic at the remote end.

Thanks

Author Closing Comment by: DClayden (LVL 1)
No other comments were correct.