davidgeeee

asked on

ipsec vpn with nat overlap

I have a situation where I need to NAT my end of a VPN tunnel because the folks on the other end of the tunnel already have a tunnel to a network with the same IP scheme as my local network. So their local network is 172.16.254.0 and mine is 192.168.1.0. They have set up their tunnel to use 192.168.101.0 as the remote network. So I have been racking my brain about how to do NAT translation for anything to and from the tunnel. By the way, my router is a Cisco 1812 and the examples I found on the internet don't seem to apply to the IOS I have, which is c181x-advipservicesk9-mz.124-24.T5.

I found one reference that says the command is "ip nat source static <networkobject> <networkobject> destination static <networkobject>". I have set up the three network objects: one for the remote network, one for the local network and one for the local mapped network (192.168.101.0). I do not get the opportunity to enter the "destination static" part.

Hopefully someone has some tips as I have three more locations where this needs to be done.
Predrag Jovic

For the destination you need to create policy-based routing, so all interesting traffic goes to the tunnel:

http://www.cisco.com/c/en/us/td/docs/ios/12_2/qos/configuration/guide/fqos_c/qcfpbr.html
davidgeeee

ASKER

Thanks, I will read up on the topic and report back...
I am only a CCNA so I might need some guidance.
You set up the tunnel to use 192.168.101.0 as the remote network.
You need to create a route-map for interesting traffic.

Let's assume that telnet traffic needs to go through the tunnel.

!create access-list for telnet traffic
!
access-list 100 permit tcp any any eq 23
!
!create route-map for policy based routing
!
!route-map names are case sensitive
route-map TRAFFIC_FOR_TUNNEL permit 10
 !traffic permitted by access-list 100 is sent to the tunnel
 match ip address 100
 !ip address of the tunnel far end
 set ip next-hop 192.168.101.X
!
!sequence 20 has no match statement, so any other IP address matches it;
!with no set command that traffic is routed as usual
route-map TRAFFIC_FOR_TUNNEL permit 20
!
!under the interface for INCOMING traffic
!
interface fa0/0
 ip policy route-map TRAFFIC_FOR_TUNNEL

so now when you telnet to any location you are redirected through the tunnel :)
Also, you should add the tunnel network to the routing protocol.
So, let me try,

access-list 123 permit ip any 172.16.254.0 0.0.0.255
!should the above be referencing the network on the far end of the tunnel?
!
route-map TRAFFIC_FOR_TUNNEL permit 10
 match ip address 123
 set ip next-hop 172.16.254.1

Okay, still confused. The router on the other end of the tunnel has a VPN tunnel set to 172.16.254.0 as local and 192.168.101.0 as remote. On my end I have a tunnel from 192.168.1.0 local to 172.16.254.0 remote. Will this route-map work? Do I need to change my tunnel networks?

Many computers on my end need to access a few IPs on the 172.16.254.0 network. So I thought I would have to NAT 192.168.1.0 to 192.168.101.0 to make this work...
ASKER CERTIFIED SOLUTION
Predrag Jovic
I can only control settings on my router, the network people on the other end of the tunnel have "hundreds" of tunnels like this and are unwilling to change their system.

Last week I set up an ASA 5505 to work with their tunnel at another location. Here are the config parts that worked:

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0
!
!crypto ACL: note it references the translated 10.0.5.0 network, not the real 10.0.0.0 LAN
access-list outside_cryptomap extended permit ip 10.0.5.0 255.255.255.0 172.16.254.0 255.255.255.0
!
!policy NAT: only traffic from the real LAN to their LAN is translated
access-list SMRS extended permit ip 10.0.0.0 255.255.255.0 172.16.254.0 255.255.255.0
!
static (inside,outside) 10.0.5.0  access-list SMRS
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
!

In this case my network was 10.0.0.0 and they forced me to NAT to 10.0.5.0. Unfortunately these commands are not available on the 1812 router.

I like the hammer analogy, Predrag!!  And thank you for helping!
It took a long time for me to figure it out, but these are the commands needed to create the route-map that Predrag Jovic suggested.

!interesting traffic: my real LAN to their LAN
ip access-list extended 150
 permit ip 192.168.1.0 0.0.0.255 172.16.254.0 0.0.0.255
!
!pool of translated addresses; match-host keeps the host part (192.168.1.x becomes 192.168.101.x)
ip nat pool NAT-POOL 192.168.101.0 192.168.101.255 netmask 255.255.255.0 type match-host
!
route-map static-vpn permit 10
 match ip address 150
!
ip nat inside source route-map static-vpn pool NAT-POOL reversible
!
!ip nat inside / ip nat outside still have to be applied to the LAN and WAN interfaces,
!and the crypto ACL for the tunnel must match the translated 192.168.101.0/24 source,
!as the ASA outside_cryptomap line above does
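As an added model of what the final 1812 config above does (not code from the thread or from Cisco), the following Python simulates ACL 150's wildcard match, the match-host translation of NAT-POOL, the reply mapping, and why the untranslated 192.168.1.0/24 source would be misrouted at the far end. The far-end tunnel table and all addresses are constructed assumptions drawn from the thread.

```python
import ipaddress

# Constructed from the thread's addresses; a model of the 1812's policy NAT, not Cisco code.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")    # my real LAN
POOL_NET = ipaddress.ip_network("192.168.101.0/24")   # NAT-POOL, what the far end expects
REMOTE_NET = ipaddress.ip_network("172.16.254.0/24")  # their LAN

# Assumed far-end view: another site already reaches them as 192.168.1.0/24 over a different tunnel.
FAR_END_TUNNELS = {
    ipaddress.ip_network("192.168.1.0/24"): "other-site-tunnel",
    POOL_NET: "my-tunnel",
}

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care'."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_150_permits(src, dst):
    """permit ip 192.168.1.0 0.0.0.255 172.16.254.0 0.0.0.255"""
    return (wildcard_match(src, "192.168.1.0", "0.0.0.255")
            and wildcard_match(dst, "172.16.254.0", "0.0.0.255"))

def match_host(addr, from_net, to_net):
    """'type match-host': keep the host part, replace the network part."""
    host = int(ipaddress.ip_address(addr)) - int(from_net.network_address)
    return str(ipaddress.ip_address(int(to_net.network_address) + host))

def outbound(src, dst):
    """ip nat inside source route-map static-vpn pool NAT-POOL:
    translate the source only for flows the route-map (ACL 150) permits."""
    if acl_150_permits(src, dst):
        return match_host(src, LOCAL_NET, POOL_NET), dst
    return src, dst

def reply(src, dst):
    """Their reply to the pool address is mapped back to my real host."""
    if ipaddress.ip_address(src) in REMOTE_NET and ipaddress.ip_address(dst) in POOL_NET:
        return src, match_host(dst, POOL_NET, LOCAL_NET)
    return src, dst

def far_end_return_tunnel(src_seen_by_far_end):
    """Which tunnel the far end picks for the source address it saw."""
    a = ipaddress.ip_address(src_seen_by_far_end)
    return next((t for n, t in FAR_END_TUNNELS.items() if a in n), "default-route")

def crypto_acl_should_select(src, dst):
    """Inside-to-outside NAT runs before encryption, so the crypto ACL must match the translated source."""
    return ipaddress.ip_address(src) in POOL_NET and ipaddress.ip_address(dst) in REMOTE_NET
```

Calling `far_end_return_tunnel` with the untranslated and the translated source shows the misrouting the NAT avoids; `crypto_acl_should_select` shows why the tunnel's crypto ACL has to name 192.168.101.0/24 rather than 192.168.1.0/24.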