
Double NAT example

0sgruttadauria
Level 1

I need to set up an IPSEC tunnel between two devices.

The networks on each side of the tunnel use the same address space (two different companies though).

Anyone have a good configuration example on how you would accomplish this with NAT?

e-Mail to steveg@rochester.rr.com or post here

Thanks.

2 Replies

smalkeric
Level 6

What two devices? Cisco routers?

ddawson
Level 1

I think this ought to do what you want (see below). I started with working router configs and cut out the extraneous stuff. Both the routers have local LAN networks of 192.168.0.0/24 and are set to use 10.1.1.0/24 and 10.2.2.0/24, respectively, with NAT. As long as your access-list in the crypto map refers to the 10.x.x.0 addresses, it all ought to work.

Good luck!

----- Router 1 -----

version 12.0
!
hostname ROUTER_1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
!
crypto isakmp key CISCO1234 address 2.2.2.2
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
!
crypto map CRYMAP 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set MYSET
 match address 101
!
interface FastEthernet0
 description LAN interface
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description WAN interface
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
 crypto map CRYMAP
!
ip nat inside source static network 192.168.0.0 10.1.1.0 /24 no-alias
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 Serial0
!
end

----- Router 2 -----

version 12.0
!
hostname ROUTER_2
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
!
crypto isakmp key CISCO1234 address 1.1.1.1
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
!
crypto map CRYMAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set MYSET
 match address 101
!
interface FastEthernet0
 description LAN interface
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description WAN interface
 ip address 2.2.2.2 255.255.255.252
 ip nat outside
 crypto map CRYMAP
!
ip nat inside source static network 192.168.0.0 10.2.2.0 /24 no-alias
!
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
ip classless
!
ip route 0.0.0.0 0.0.0.0 Serial0
!
end
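
A consistency check for the pair of configs above, added here as an example and not part of ddawson's post: it confirms that each crypto ACL refers to the translated 10.x.x.0 ranges rather than the overlapping 192.168.0.0/24 LAN, and shows how a host address maps on each side. The helper names (`parse`, `translate`, `check_pair`) are hypothetical, and only the NAT and access-list lines are copied from the configs.

```python
import ipaddress
import re

# Only the lines the check needs, copied from the two configs posted above.
ROUTER_1 = """\
ip nat inside source static network 192.168.0.0 10.1.1.0 /24 no-alias
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""
ROUTER_2 = """\
ip nat inside source static network 192.168.0.0 10.2.2.0 /24 no-alias
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

def parse(cfg):
    """Extract the static network NAT mapping and the crypto ACL as networks."""
    nat = re.search(r"ip nat inside source static network (\S+) (\S+) /(\d+)", cfg)
    acl = re.search(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    net = ipaddress.ip_network
    return {
        "local": net(f"{nat[1]}/{nat[3]}"),
        "global": net(f"{nat[2]}/{nat[3]}"),
        # ipaddress reads a mask starting with 0 as a wildcard (host) mask.
        "acl_src": net(f"{acl[1]}/{acl[2]}"),
        "acl_dst": net(f"{acl[3]}/{acl[4]}"),
    }

def translate(host, site):
    """Static network NAT swaps the prefix and keeps the host bits."""
    offset = int(ipaddress.ip_address(host)) - int(site["local"].network_address)
    return ipaddress.ip_address(int(site["global"].network_address) + offset)

def check_pair(a, b):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    for name, site, peer in (("router 1", a, b), ("router 2", b, a)):
        if site["acl_src"] != site["global"]:
            problems.append(f"{name}: crypto ACL source is not its NAT global range")
        if site["acl_dst"] != peer["global"]:
            problems.append(f"{name}: crypto ACL destination is not the peer's NAT global range")
        if site["global"].overlaps(site["local"]):
            problems.append(f"{name}: NAT global range overlaps the local LAN")
    if a["global"].overlaps(b["global"]):
        problems.append("the two NAT global ranges overlap")
    return problems

if __name__ == "__main__":
    r1, r2 = parse(ROUTER_1), parse(ROUTER_2)
    print(check_pair(r1, r2) or "consistent")
    print(translate("192.168.0.25", r1), "<->", translate("192.168.0.25", r2))
```
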