06-16-2020 08:46 AM
Hello all,
I have to configure an IKEv2 site to site vpn on a Cisco ISR. So far everything ok.
The problem is that I cannot use the internal IP subnets, as they overlap with the remote ones. I want to configure NAT for this VPN and translate traffic, before sending it over the VPN, to one specific private IP that does not overlap.
Can someone help with a template config or documentation for this?
I know how it would look on an ASA, but not on an ISR.
Thanks in advance!
06-16-2020 09:24 AM
Hello,
You need a NAT pool and policy NAT involving a route map. Have a look at the document below (it is for IKEv1, but v2 should be similar), or post the running configuration of your routers so we can fill in the necessary bits and pieces...
https://www.booches.nl/2009/01/policy-nat-on-cisco-router/
06-16-2020 10:11 AM
Hi,
This link will help you more: https://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/107992-IOSRouter-overlapping.html
06-16-2020 11:37 AM - edited 06-16-2020 01:39 PM
This is the current config without NAT. Any help please to make NAT work in this case?
IKEv2 configuration looks like:
!
crypto ikev2 proposal PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 16
!
crypto ikev2 policy POL_IKEv2
 proposal PROPOSAL
!
crypto ikev2 keyring KEYRING
 peer PEER
  address A.B.C.D
  pre-shared-key local ***
  pre-shared-key remote ***
!
crypto ikev2 profile PROFILE
 match identity remote address A.B.C.D 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map CMAP 36 ipsec-isakmp
 set peer A.B.C.D
 set security-association lifetime seconds 3600
 set transform-set TS
 set ikev2-profile PROFILE
 match address ACL
!
interface GigabitEthernet0/0/0
 description WAN
 crypto map CMAP
!
interface GigabitEthernet0/0/1
 description LAN
!
! crypto ACL: the "host" keyword cannot be combined with a wildcard mask,
! so the subnet entry is written without it
ip access-list extended ACL
 permit ip 192.168.186.0 0.0.0.255 10.1.1.0 0.0.0.255
!
06-17-2020 12:05 PM
So applying the IKEv1 solution seems to work just fine. Additional lines of config:
ip nat pool INSIDE_GLOBAL_SUBNET 192.168.186.2 192.168.186.251 netmask 255.255.255.0
ip nat inside source list TRAFFIC_TO_BE_TRANSLATED pool INSIDE_GLOBAL_SUBNET overload
!
ip access-list extended TRAFFIC_TO_BE_TRANSLATED
 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
Thanks for your help.
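A complete policy-NAT layout for this scenario, as an added example written for this thread (it is not configuration from any poster and not a Cisco document). It assumes the addressing from the last post (local LAN 10.1.1.0/24 behind Gi0/0/1, remote VPN subnet 172.16.1.0/24, free non-overlapping range 192.168.186.0/24 as the translated addresses) and reuses the names CMAP and ACL from the config above.

```cisco
! Added example, not from the thread. Assumed addressing: local LAN
! 10.1.1.0/24 on Gi0/0/1, WAN on Gi0/0/0, remote subnet 172.16.1.0/24,
! translated ("inside global") range 192.168.186.0/24.
!
! 1) Mark the NAT domains; without these the pool is never consulted.
interface GigabitEthernet0/0/0
 description WAN
 ip nat outside
 crypto map CMAP
!
interface GigabitEthernet0/0/1
 description LAN
 ip nat inside
!
! 2) Only VPN-bound traffic is translated: match local -> remote subnet.
ip access-list extended NAT_TO_VPN
 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
! 3) Policy NAT through a route-map, so any existing Internet PAT rule
!    for the same LAN is left untouched.
route-map VPN_NAT permit 10
 match ip address NAT_TO_VPN
!
ip nat pool VPN_POOL 192.168.186.2 192.168.186.251 netmask 255.255.255.0
ip nat inside source route-map VPN_NAT pool VPN_POOL overload
!
! 4) The crypto ACL must match the TRANSLATED source. On IOS, inside-to-
!    outside NAT runs before the crypto map is evaluated, so the peer only
!    ever sees 192.168.186.x; an ACL written for 10.1.1.x never matches.
ip access-list extended ACL
 permit ip 192.168.186.0 0.0.0.255 172.16.1.0 0.0.0.255
!
! Caveat: an overloaded pool only allows sessions initiated from the local
! LAN. If the remote site must reach specific local hosts, use one-to-one
! static network NAT instead of the pool line above:
! ip nat inside source static network 10.1.1.0 192.168.186.0 /24
```

To verify, `show ip nat translations` should list 192.168.186.x entries for VPN flows, and `show crypto ipsec sa` should show the encaps/decaps counters rising for the 192.168.186.0/24 to 172.16.1.0/24 pair; the remote peer's crypto ACL must mirror that translated pair, not 10.1.1.0/24.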