topic TO nat public ip in vpn in Network Security

TO nat public ip in vpn

prashantrecon — Mon, 11 Mar 2019 22:37:26 GMT

Hi All,

I need to set up site to site tunnel as my lan range is geeting conflict with far end.

we usually do nonat while configuring vpn.Now i need to nat the lan

assume my lan ip -10.10.x.x.

Public ip -----202.x.x.x.

can anyone send me the docuemts

TO nat public ip in vpn

V S Narayana Chivukula — Fri, 02 Mar 2012 04:13:20 GMT

Hi Prashant,

You should nat your lan subnet to a unused IP range and then use that natted IP range in the crypto access-list.

Example : If your lan is 10.10.10.0/24 and the remote subnet 20.20.20.0/24. 20.20.20.0/24 is again natted ip of the remote overlapping subnet (10.10.10.0/24)

nat to a unsed subnet say 11.11.11.0/24

static (inside,outside) 11.11.11.0 10.10.10.0 netmask 255.255.255.0

use the natted subnet in the crypto-accesslist

access-list crypto-acl extended permit ip 11.11.11.0 255.255.255.0 20.20.20.0 255.255.255.0

Do the same at remote end as well.

hope this is helpful.

Narayana

TO nat public ip in vpn

prashantrecon — Fri, 02 Mar 2012 06:12:01 GMT

So i need to nat my lan with public ip and used that public ip in interseting traffic.

so what the nonat statement

TO nat public ip in vpn

V S Narayana Chivukula — Fri, 02 Mar 2012 06:26:39 GMT

Not to public IP. Nat it to some private Ip range which is not used in your network or remote network.

You do not need nonat statement as you are natting the traffic.

TO nat public ip in vpn

prashantrecon — Fri, 02 Mar 2012 06:32:58 GMT

Hi Narayana

The think is all the private ip are geeting conflict so i need to nat with public ip

TO nat public ip in vpn

V S Narayana Chivukula — Fri, 02 Mar 2012 06:40:00 GMT

Hi Prashant,

Then try natting to some public IP range and use that in the crypto access-list.

TO nat public ip in vpn

prashantrecon — Fri, 02 Mar 2012 08:50:51 GMT

Below is the interseting traffic which we have configured with nonat

access-list outside_3_cryptomap extended permit ip 172.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0

access-list outside_3_cryptomap extended permit ip 172.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0

access-list nonat extended permit ip 172.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0

access-list nonat extended permit ip 172.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0

Now due to some conflict i am natting my lan range with public ip as below and i will remove nonat statement does this config works

static (inside,outside) 202.x.x.x 172.x.x.x netmask 255.255.255.0

access-list outside_3_cryptomap extended permit ip 172.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0

access-list outside_3_cryptomap extended permit ip 172.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0

access-group outside_3_cryptomap in interface outside

TO nat public ip in vpn

V S Narayana Chivukula — Fri, 02 Mar 2012 15:27:02 GMT

Hi Prashant,

Please configure nat as below :

access-list nat extended permit ip 172.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0

access-list nat extended permit ip 172.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0

static (inside,outside) 202.x.x.x access-list nat

The crypto map access-list should contain the natted IP.

access-list outside_3_cryptomap extended permit ip 202.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0

access-list outside_3_cryptomap extended permit ip 202.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0

Crypto access-list is only to identify the traffic to be tunnelled through VPN and so you need not apply it on outside interface. So you do not need the following line :

access-group outside_3_cryptomap in interface outside

And you should apply it in the crypto map

crypto map match address outside_3_cryptomap

Narayana

TO nat public ip in vpn

prashantrecon — Sat, 03 Mar 2012 05:42:47 GMT

Thanks

TO nat public ip in vpn

prashantrecon — Sat, 03 Mar 2012 08:07:50 GMT

Hi Narayana,

Is access-group nat in interface outside is required or not ? Can u explain me

TO nat public ip in vpn

V S Narayana Chivukula — Mon, 05 Mar 2012 01:49:35 GMT

Hi Prashant,

You do not require access-group command in this VPN setup. Access-group command is used to apply access-list on an interface. And access-lists are for traffic that goes through the device. In VPN, as the traffic gets tunnelled, you do not need that statement.

So access-group nat command is not required.

Narayana

TO nat public ip in vpn

prashantrecon — Mon, 05 Mar 2012 04:44:37 GMT

Thank you