12-17-2013 06:32 AM - edited 03-04-2019 09:53 PM
I have set up a VPN ipsec tunnel to a customer for a proof of concept.
Our server address is 172.0.0.167 but they want to 'see' our server as 172.29.63.5. I have set up static NAT so they see the address they want.
As this NATed address needs to go across the tunnel I am unsure how to set up the config. I am using a 1841 router and no firewall.
Below is what I have tried, but I'm quite sure it is not correct as it doesn't seem to work. The tunnel comes up and NAT translations can be seen, but they do not show the desired addresses.
Router#sh ip nat tran
Pro Inside global Inside local Outside local Outside global
icmp 172.29.63.5:1 172.0.0.167:1 192.168.0.10:1 192.168.0.10:1
tcp 172.29.63.5:51272 172.0.0.167:51272 192.168.0.15:80 192.168.0.15:80
tcp 172.29.63.5:51273 172.0.0.167:51273 192.168.0.100:5501 192.168.0.100:5501
tcp 172.29.63.5:51274 172.0.0.167:51274 192.168.0.100:5501 192.168.0.100:5501
Any help is greatly appreciated.
ip nat pool POOL1 89.21.228.173 89.21.228.173 netmask 255.255.255.192
ip nat inside source list 7 pool POOL1
ip nat inside source static 172.0.0.167 172.29.63.5
!
access-list 7 permit 172.0.0.0 0.0.0.255
access-list 7 permit 172.31.0.0 0.0.63.255
access-list 7 permit 172.29.0.0 0.0.63.255
01-07-2014 01:25 AM
Hello,
I still have a problem. Is there anyone who can help?
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 5
crypto isakmp key All address 194.154.190.*
!
!
crypto ipsec transform-set Router-IPSEC esp-aes 256 esp-sha-hmac
!
crypto map ADAM_CMAP_1 1 ipsec-isakmp
description Tunnel to Test
set peer 194.154.190.*
set transform-set Router-IPSEC
set pfs group5
match address 100
!
!
!
!
interface Loopback1
ip address 172.29.63.0 255.255.192.0
!
interface FastEthernet0/0
ip address 89.21.228.173 255.255.255.192
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map ADAM_CMAP_1
!
interface FastEthernet0/1
ip address 172.0.0.224 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 172.31.0.0 255.255.192.0 89.21.228.129
ip route 172.31.37.175 255.255.255.255 89.21.228.129
ip route 172.31.38.132 255.255.255.255 89.21.228.129
ip route 172.31.38.230 255.255.255.255 89.21.228.129
ip route 194.154.190.* 255.255.255.255 89.21.228.129
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat pool allianz 172.29.63.5 172.29.63.5 netmask 255.255.192.0
ip nat inside source list 107 pool all
ip nat inside source route-map ALL interface FastEthernet0/0 overload
ip nat inside source static 172.0.0.167 172.29.63.5
!
ip access-list extended NAT
deny ip host 172.0.0.167 172.31.0.0 0.0.63.255
permit ip 172.0.0.0 0.0.0.255 any
permit ip host 172.0.0.167 172.31.0.0 0.0.63.255
permit ip host 172.29.63.5 any
permit ip host 172.0.0.167 any
permit ip any host 172.0.0.167
permit ip any host 172.29.63.5
!
access-list 100 permit ip 172.31.0.0 0.0.63.255 172.29.0.0 0.0.63.255
access-list 100 permit ip any host 172.29.63.5
access-list 100 permit ip 172.29.0.0 0.0.63.255 any
access-list 107 permit ip host 172.0.0.167 172.31.0.0 0.0.63.255
!
!
!
route-map ALL permit 10
match ip address NAT
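Added example, not part of the thread or of the poster's configuration: a small Python model of how IOS handles an inside-to-outside packet on this kind of box. It assumes the documented IOS order of operations, where inside-source NAT is applied before the crypto map ACL is evaluated, so the crypto ACL has to match the translated (inside global) address, not the real server address. The static NAT entry and access-list 100 are taken from the config posted above; the destination addresses used for the check are taken from the static routes in the same config. Everything else (function names, the wildcard-mask evaluator) is constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Static NAT from the posted config: inside local -> inside global
STATIC_NAT = {"172.0.0.167": "172.29.63.5"}

# Crypto ACL 100 from the posted config (the "interesting traffic" for the map)
CRYPTO_ACL_100 = [
    "access-list 100 permit ip 172.31.0.0 0.0.63.255 172.29.0.0 0.0.63.255",
    "access-list 100 permit ip any host 172.29.63.5",
    "access-list 100 permit ip 172.29.0.0 0.0.63.255 any",
]


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    src: str
    src_wc: str   # Cisco wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wc: str


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco ACL wildcard test: compare only the bits that are 0 in the wildcard."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_ace(line: str) -> AclEntry:
    """Parse 'permit ip SRC DST' where SRC/DST are 'any', 'host A.B.C.D' or 'net wildcard'.
    A leading 'access-list <n>' (numbered ACL syntax) is skipped."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action, rest = tokens[0], tokens[2:]   # tokens[1] is the protocol ("ip")

    def take(rest):
        if rest[0] == "any":
            return "0.0.0.0", "255.255.255.255", rest[1:]
        if rest[0] == "host":
            return rest[1], "0.0.0.0", rest[2:]
        return rest[0], rest[1], rest[2:]

    src, src_wc, rest = take(rest)
    dst, dst_wc, rest = take(rest)
    return AclEntry(action, src, src_wc, dst, dst_wc)


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


def will_be_encrypted(static_nat, crypto_acl, src: str, dst: str):
    """Model of IOS inside->outside processing: translate first, then test the
    crypto ACL against the translated packet. Returns (translated_src, encrypted)."""
    translated = static_nat.get(src, src)
    return translated, acl_permits(crypto_acl, translated, dst)


if __name__ == "__main__":
    acl = [parse_ace(line) for line in CRYPTO_ACL_100]
    for dst in ("172.31.37.175", "172.31.38.132"):
        print("with static NAT:   ", will_be_encrypted(STATIC_NAT, acl, "172.0.0.167", dst))
        print("without static NAT:", will_be_encrypted({}, acl, "172.0.0.167", dst))
```

Running it shows that with the static entry in place the server's traffic leaves as 172.29.63.5 and is matched by the third line of ACL 100 (172.29.0.0/18 to any), so it is sent into the tunnel; without the translation the same packet still carries 172.0.0.167, matches nothing in ACL 100 and would go out in the clear via the default route. The translation table in the first post is consistent with the first case, which is why looking at the far end (as the thread eventually did) was the right next step.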
01-07-2014 06:12 AM
Simon
You have a number of NAT statements, are they all needed?
What are the remote IPs at the other end of the VPN tunnel?
Jon
01-14-2014 07:10 AM
Hello Jon,
Thanks for your reply.
I have found that the problem was caused by the firewall at our customer's site.