03-01-2012 06:18 AM - edited 03-11-2019 03:37 PM
Hi All,
I need to set up a site-to-site tunnel, as my LAN range is conflicting with the far end.
We usually do nonat while configuring a VPN. Now I need to NAT the LAN.
Assume my LAN IP is 10.10.x.x.
Public IP is 202.x.x.x.
Can anyone send me the documents?
03-01-2012 08:13 PM
Hi Prashant,
You should NAT your LAN subnet to an unused IP range and then use that NATted IP range in the crypto access-list.
Example: if your LAN is 10.10.10.0/24 and the remote subnet is 20.20.20.0/24 (20.20.20.0/24 is itself the NATted IP range of the remote overlapping subnet, 10.10.10.0/24),
NAT to an unused subnet, say 11.11.11.0/24:
static (inside,outside) 11.11.11.0 10.10.10.0 netmask 255.255.255.0
Use the NATted subnet in the crypto access-list:
access-list crypto-acl extended permit ip 11.11.11.0 255.255.255.0 20.20.20.0 255.255.255.0
Do the same at the remote end as well.
Hope this is helpful.
Narayana
03-01-2012 10:12 PM
So I need to NAT my LAN with a public IP and use that public IP in the interesting traffic.
So what about the nonat statement?
03-01-2012 10:26 PM
Not to a public IP. NAT it to some private IP range which is not used in your network or the remote network.
You do not need the nonat statement, as you are NATting the traffic.
03-01-2012 10:32 PM
Hi Narayana
The thing is, all the private IPs are conflicting, so I need to NAT with a public IP.
03-01-2012 10:40 PM
Hi Prashant,
Then try NATting to some public IP range and use that in the crypto access-list.
03-02-2012 12:50 AM
Hi
Below is the interesting traffic which we have configured with nonat:
access-list outside_3_cryptomap extended permit ip 172.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0
access-list outside_3_cryptomap extended permit ip 172.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0
access-list nonat extended permit ip 172.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0
access-list nonat extended permit ip 172.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0
Now, due to some conflict, I am NATting my LAN range with a public IP as below, and I will remove the nonat statement. Does this config work?
static (inside,outside) 202.x.x.x 172.x.x.x netmask 255.255.255.0
access-list outside_3_cryptomap extended permit ip 172.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0
access-list outside_3_cryptomap extended permit ip 172.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0
access-group outside_3_cryptomap in interface outside
03-02-2012 07:27 AM
Hi Prashant,
Please configure NAT as below:
access-list nat extended permit ip 172.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0
access-list nat extended permit ip 172.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0
static (inside,outside) 202.x.x.x access-list nat
The crypto map access-list should contain the NATted IP:
access-list outside_3_cryptomap extended permit ip 202.x.x.x 255.255.255.128 10.x.x.0 255.255.192.0
access-list outside_3_cryptomap extended permit ip 202.x.x.x 255.255.255.128 192.x.x.0 255.255.192.0
The crypto access-list is only there to identify the traffic to be tunnelled through the VPN, so you need not apply it on the outside interface. So you do not need the following line:
access-group outside_3_cryptomap in interface outside
And you should apply it in the crypto map:
crypto map
Narayana
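The plan in the reply above has two parts that are easy to get wrong: the translated range has to be unused at both ends (and the same size as the real LAN for a 1:1 static), and the crypto ACL must carry the translated addresses while never being bound with access-group (an ASA takes one ACL per interface and direction, so that command would replace whatever inbound ACL already protects the outside interface). The script below is an added example, not part of the thread and not Cisco code: it validates such a plan and emits the ASA 8.2-style policy-NAT and crypto ACL lines in the form Narayana posted. The addresses (172.16.1.0/25, 203.0.113.0/25, 10.0.0.0/18, 192.168.0.0/18), the function names and the sample config are constructed for illustration. If a public range is used for the translation, it should be one you actually own, since the far end will route to it.

```python
"""Added example: sanity-check a NAT plan for an overlapping site-to-site VPN
and generate the matching ASA 8.2-style policy NAT and crypto ACL lines.
All addresses below are constructed placeholders, not the poster's real ones."""
import ipaddress
import re
from typing import List


def check_nat_plan(local_lan: str, translated: str, remote_nets: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent.

    local_lan   - the real inside subnet
    translated  - the subnet inside hosts will appear as inside the tunnel
    remote_nets - the far-end subnets as they appear inside the tunnel
    """
    local = ipaddress.ip_network(local_lan)
    xlate = ipaddress.ip_network(translated)
    remotes = [ipaddress.ip_network(r) for r in remote_nets]
    problems = []
    # A 1:1 static (net-to-net) translation needs equal prefix lengths.
    if local.prefixlen != xlate.prefixlen:
        problems.append(f"{xlate} is not the same size as {local}")
    # Translating to the real range is a no-op and defeats the purpose.
    if xlate.overlaps(local):
        problems.append(f"{xlate} overlaps the real LAN {local}")
    # The translated range must be unused at the far end too.
    for r in remotes:
        if xlate.overlaps(r):
            problems.append(f"{xlate} overlaps remote {r}")
    return problems


def asa_policy_nat(local_lan: str, translated: str, remote_nets: List[str],
                   nat_acl: str = "nat", crypto_acl: str = "outside_3_cryptomap") -> List[str]:
    """Emit policy-NAT ACL, static, and crypto ACL lines (ASA 8.2 syntax)."""
    problems = check_nat_plan(local_lan, translated, remote_nets)
    if problems:
        raise ValueError("; ".join(problems))
    local = ipaddress.ip_network(local_lan)
    xlate = ipaddress.ip_network(translated)
    remotes = [ipaddress.ip_network(r) for r in remote_nets]
    lines = []
    # Policy NAT matches on the REAL source going to each remote subnet.
    for r in remotes:
        lines.append(f"access-list {nat_acl} extended permit ip "
                     f"{local.network_address} {local.netmask} {r.network_address} {r.netmask}")
    lines.append(f"static (inside,outside) {xlate.network_address} access-list {nat_acl}")
    # The crypto ACL must match on the TRANSLATED source, since NAT runs before
    # the packet is compared against the crypto map.
    for r in remotes:
        lines.append(f"access-list {crypto_acl} extended permit ip "
                     f"{xlate.network_address} {xlate.netmask} {r.network_address} {r.netmask}")
    return lines


ACCESS_GROUP_RE = re.compile(r"^\s*access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")


def find_misapplied_crypto_acl(config_lines: List[str], crypto_acl: str) -> List[str]:
    """Return any access-group lines that bind the crypto ACL to an interface.

    Binding it with access-group replaces the interface's existing ACL in that
    direction and does nothing for the tunnel; the ACL belongs in the crypto map.
    """
    hits = []
    for line in config_lines:
        m = ACCESS_GROUP_RE.match(line)
        if m and m.group(1) == crypto_acl:
            hits.append(line.strip())
    return hits


# Constructed sample config resembling the one posted in the thread.
SAMPLE_CONFIG = [
    "access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 443",
    "access-group outside_access_in in interface outside",
    "access-group outside_3_cryptomap in interface outside",
]

if __name__ == "__main__":
    for line in asa_policy_nat("172.16.1.0/25", "203.0.113.0/25",
                               ["10.0.0.0/18", "192.168.0.0/18"]):
        print(line)
    for bad in find_misapplied_crypto_acl(SAMPLE_CONFIG, "outside_3_cryptomap"):
        print("remove this line:", bad)
```

Run it once with a candidate range that collides with either side (for example a translated 10.0.1.0/25 against a remote 10.0.0.0/18) and `asa_policy_nat` refuses to emit config, which is the check a reviewer wants before the change window rather than after the tunnel comes up and half the hosts are unreachable.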
03-02-2012 09:42 PM
Thanks
03-03-2012 12:07 AM
Hi Narayana,
Is access-group nat in interface outside required or not? Can you explain?
03-04-2012 05:49 PM
Hi Prashant,
You do not require the access-group command in this VPN setup. The access-group command is used to apply an access-list on an interface, and access-lists are for traffic that goes through the device. In a VPN, as the traffic gets tunnelled, you do not need that statement.
So the access-group nat command is not required.
Narayana
03-04-2012 08:44 PM
Thank you