09-13-2007 02:17 AM - edited 02-21-2020 01:40 AM
Hi,
I only have a basic VPN understanding and I'm in a bit of a mess...
The problem that I'm facing is that I have a client that has the same private ip subnet as myself. I understand that I need to perform NAT but the issue is that I want to perform NAT for one subnet for one client only, leaving all else the same.
Looking at the config (I have a 3640), I would think I need something like this:
interface Ethernet0/1
ip address x.x.x.x 255.255.255.0
ip nat inside
crypto map wwmap
route-map test permit 10
match ip address 110
access-list 110 permit ip 172.16.0.0 0.0.255.255 172.28.0.0 0.0.255.255
ip nat inside source static 172.16.0.50 172.28.0.50 route-map test
Where 172.16.0.0/16 is the source subnet and 172.28.0.0/16 is what I want to NAT to. Also, I only have one host (172.16.0.50) that they need to access.
They will do something similar at their end, so I just see their 172.16.0.0/16 as its NATted address.
How do I ensure that no other NATting takes place? I assume, as my config stands, all else would fail?
Any help much appreciated. All articles I find assume that you want NAT to take place for all out going traffic but this is not the case.
Thank you,
J
09-13-2007 03:21 AM
Hi
Can you clarify.
Your source IP addresses: 172.16.0.0/16
You want to NAT these addresses to 172.28.0.0/16.
What addresses are the remote site presenting their 172.16.0.0/16 addresses as ?
Jon
09-13-2007 03:51 AM
Hi Jon,
Thanks for responding.
They will be presenting as 172.30.0.0/16.
I didn't include it as I assumed from my end I would just treat them as such...
Thank you,
J
09-13-2007 04:11 AM
Hi
1) Your clients accessing the remote end
access-list 110 permit ip 172.16.0.0 0.0.255.255 172.30.0.0 0.0.255.255
ip nat pool NATPOOL 172.28.0.0 172.28.255.254 netmask 255.255.0.0
ip nat inside source list 110 pool NATPOOL
Your crypto access-list should look something like this (it matches the translated addresses, because NAT runs before the crypto map on the inside-to-outside path)
ip access-list extended vpntraffic
 permit ip 172.28.0.0 0.0.255.255 172.30.0.0 0.0.255.255
2) The individual server
access-list 111 permit ip host 172.16.0.50 172.30.0.0 0.0.255.255
ip nat inside source static 172.16.0.50 172.28.0.50 route-map nat_ip
route-map nat_ip permit 10
 match ip address 111
NOTE: This will need testing. 172.16.0.50 is included in the 172.16.0.0 range so it might not get natted to the IP address you want.
HTH
Jon
09-14-2007 01:08 AM
Hi,
Thank you so much for your help, it's much appreciated!
Can I please pick your brain some more? I have had more clarification now - their 172.16.0.0/16 subnet will not be used to connect to us (it's more a routing issue for them), so no NAT is being performed their end.
We basically have 2 servers on that subnet that their users on subnet 192.168.1.0/24 will be contacting, and that is all.
So, I think that your point 1 is probably not required here?...this is my revised configuration after studying point 2 -
! to allow their subnet to access the NATted subnet
access-list 111 permit ip 192.168.1.0 0.0.0.255 172.28.0.0 0.0.255.255
! static NAT for each server
ip nat inside source static 172.16.0.50 172.28.0.50 route-map nat_ip
ip nat inside source static 172.16.0.100 172.28.0.100 route-map nat_ip
! route map
route-map nat_ip permit 10
 match ip address 111
Do I need an ip nat inside on my inside interface? And if so, will this have an effect on the rest of the traffic that's not being NATted?
Also, will this work now for calls from 192.168.0.0/24 coming into our servers?
Many thanks, I'm sorry if this is really obvious!!!
J
09-14-2007 08:27 AM
Hi J
Apologies for delay in getting back.
You will need a "ip nat inside" on your inside interface and an "ip nat outside" on your outside interface.
No, it will only affect the traffic you have included in your access-list.
Yes it should work for connections initiated from 192.168.0.0/24 clients.
No need to apologize, NAT is not one of the most obvious things to be honest.
Also, as with any changes you need to implement these out of hours if possible. What should work in theory often has a way of not in practice :)
Jon
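The points Jon makes in the reply above (policy NAT only touches the traffic the route-map ACL matches, and remote-initiated connections work) are easy to check in a small model before touching a production router. The block below is an added example, not code from the thread and not Cisco's: a deliberately simplified Python packet walk of a router running route-map static NAT in front of an IPsec crypto map. It assumes Cisco's documented inside-to-outside order (NAT before the crypto map, so the crypto ACL must reference the post-NAT 172.28.x addresses), that a route-map ACL on a static entry is evaluated against the untranslated inside packet when the inside host initiates, and that an outside-to-inside packet finds the static by its global address and leaves a per-flow entry that the return traffic reuses. The hosts 192.168.1.10 and 10.9.8.7 are constructed; every other address comes from the thread.

```python
"""Model of IOS policy (route-map) static NAT in front of an IPsec crypto map.

Added example, not IOS code and not from the thread. Model assumptions:
  * inside->outside, NAT runs before the crypto map (Cisco's documented
    order of operation), so the crypto ACL sees inside-global addresses;
  * the route-map ACL on a static entry is evaluated against the untranslated
    packet (inside-local source) when the inside host initiates;
  * outside->inside, the static is found by its inside-global address and the
    per-flow entry it creates is reused for the return traffic.
192.168.1.10 and 10.9.8.7 are constructed hosts; other addresses are the thread's.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass(frozen=True)
class Ace:
    """One 'permit ip <src> <src-wildcard> <dst> <dst-wildcard>' line."""
    src: str
    src_wc: str
    dst: str
    dst_wc: str

def _wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_permits(acl: list[Ace], pkt: Packet) -> bool:
    return any(_wildcard_match(pkt.src, e.src, e.src_wc)
               and _wildcard_match(pkt.dst, e.dst, e.dst_wc) for e in acl)

@dataclass
class StaticNat:
    """ip nat inside source static <local> <global> [route-map <name>]"""
    inside_local: str
    inside_global: str
    route_map_acl: list[Ace] | None = None   # None: unconditional static NAT

@dataclass
class Router:
    statics: list[StaticNat]
    crypto_acl: list[Ace]
    # per-flow translation entries: (inside_local, outside host) -> inside_global
    table: dict[tuple[str, str], str] = field(default_factory=dict)

    def inside_to_outside(self, pkt: Packet) -> tuple[Packet, bool]:
        """Return (packet as it leaves the outside interface, matched crypto ACL?)."""
        if (pkt.src, pkt.dst) in self.table:            # existing flow entry wins
            pkt = Packet(self.table[(pkt.src, pkt.dst)], pkt.dst)
        else:
            for s in self.statics:                      # route-map sees inside-local src
                if pkt.src == s.inside_local and (
                        s.route_map_acl is None or acl_permits(s.route_map_acl, pkt)):
                    self.table[(s.inside_local, pkt.dst)] = s.inside_global
                    pkt = Packet(s.inside_global, pkt.dst)
                    break
        return pkt, acl_permits(self.crypto_acl, pkt)   # crypto map runs after NAT

    def outside_to_inside(self, pkt: Packet) -> Packet:
        """After decryption: the static is matched by its inside-global address."""
        for s in self.statics:
            if pkt.dst == s.inside_global:
                self.table[(s.inside_local, pkt.src)] = s.inside_global
                return Packet(pkt.src, s.inside_local)
        return pkt

# The thread's final design: two local servers, remote users on 192.168.1.0/24.
REMOTE_USERS = ("192.168.1.0", "0.0.0.255")

# Route-map ACL from the inside host's point of view (covers inside-initiated flows):
#   access-list 111 permit ip host 172.16.0.50 192.168.1.0 0.0.0.255   (and .100)
NAT_ACL_INSIDE = [Ace("172.16.0.50", "0.0.0.0", *REMOTE_USERS),
                  Ace("172.16.0.100", "0.0.0.0", *REMOTE_USERS)]
# The thread's ACL 111, written from the remote side's point of view:
#   access-list 111 permit ip 192.168.1.0 0.0.0.255 172.28.0.0 0.0.255.255
NAT_ACL_THREAD = [Ace(*REMOTE_USERS, "172.28.0.0", "0.0.255.255")]

def statics(acl: list[Ace]) -> list[StaticNat]:
    """ip nat inside source static 172.16.0.50 172.28.0.50 route-map nat_ip (and .100)"""
    return [StaticNat("172.16.0.50", "172.28.0.50", acl),
            StaticNat("172.16.0.100", "172.28.0.100", acl)]

CRYPTO_TRANSLATED = [Ace("172.28.0.0", "0.0.255.255", *REMOTE_USERS)]  # correct: post-NAT
CRYPTO_LOCAL = [Ace("172.16.0.0", "0.0.255.255", *REMOTE_USERS)]       # wrong: pre-NAT

if __name__ == "__main__":
    r = Router(statics(NAT_ACL_INSIDE), CRYPTO_TRANSLATED)
    print(r.inside_to_outside(Packet("172.16.0.50", "192.168.1.10")))  # translated, encrypted
    print(r.inside_to_outside(Packet("172.16.0.50", "10.9.8.7")))      # untouched, not tunnel traffic
    w = Router(statics(NAT_ACL_INSIDE), CRYPTO_LOCAL)
    print(w.inside_to_outside(Packet("172.16.0.50", "192.168.1.10")))  # translated but NOT encrypted
```

Two things the model makes visible. First, with the crypto ACL written in the local 172.16.x addresses, the server's packets are translated and then miss the crypto map; on a real router, traffic that matches no crypto ACL is simply forwarded, so that mismatch sends the peer's traffic out of the outside interface in the clear rather than failing loudly. Second, with the thread's ACL 111 (remote subnet as source), remote-initiated flows translate and return correctly because the inbound packet creates the entry, while a flow the local server initiates does not match the route-map and is not translated; that matches Jon's "connections initiated from" qualification, and is worth remembering if the servers ever need to call out to the remote users. On the router itself, `show ip nat translations` and the encrypt/decrypt counters in `show crypto ipsec sa` are the checks to run after the out-of-hours change.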
09-17-2007 06:34 AM
Hi Jon,
Well... I've implemented the changes (out of hours!) and it all works!
Thank you so much for all of your help - I would have been stuck without you so it's very much appreciated.
J
09-17-2007 06:36 AM
J
Glad to have helped. Thanks for getting back and appreciate the rating.
Jon