Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
884
Views
0
Helpful
4
Replies

IPSEC with overlapping NAT

Go to solution
Reedik Leitsar
Level 1
Level 1

‎09-28-2011 10:45 AM - edited ‎03-04-2019 01:45 PM

Dear all,

I'm struggeling with IPSEC with overlapping nat. VPN works perfectly, but site A can not connect to internet (site B does not need internet). I have tried route maps , but nothing seems to work.

Here is my configuration. I did not but all of it but some chuncks.

Site A

External 195.222.19.93

internal 192.168.0.0

NATed to 192.168.11.0

Site B

External 195.222.19.92

internal 192.168.0.0

NATed to 192.168.10.0

ip access-list extended VPN

permit ip 192.168.11.0 0.0.0.255 host 192.168.10.2

permit ip 192.168.11.0 0.0.0.255 host 192.168.10.3

permit ip 192.168.11.0 0.0.0.255 host 192.168.10.4

permit ip 192.168.11.0 0.0.0.255 host 192.168.10.5

permit ip 192.168.11.0 0.0.0.255 host 192.168.10.6

permit ip 192.168.11.0 0.0.0.255 host 192.168.10.7

permit ip 192.168.11.0 0.0.0.255 host 192.168.10.17

permit ip 192.168.11.0 0.0.0.255 host 192.168.10.18

ip nat inside source route-map WAN interface GigabitEthernet0/0 overload

ip nat inside source route-map 3G interface Cellular0/0/0 overload

ip nat inside source route-map VPN_nat_acl interface GigabitEthernet0/0 overload

ip nat inside source static network 192.168.0.0 192.168.11.0 /24

route-map track-primary-if permit 1

match ip address 100

set interface GigabitEthernet0/0 Null0

!

route-map VPN_nat_acl permit 10

match ip address VPN_acl

ip access-list extended VPN_acl

permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

route-map WAN permit 10

match ip address 1

match interface GigabitEthernet0/0

!

!

route-map 3G permit 10

match ip address 1

match interface Cellular0/0/0route-map track-primary-if permit 1

Thanks in advance!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
skarthic
Cisco Employee
Cisco Employee
In response to Reedik Leitsar

‎09-28-2011 03:32 PM

So the Gig0/0 is your primary connection.

As requested earlier, can you post "show ip nat trans" after trying few pings to a public IP from the inside IP . Would like to check what is the internet traffic getting NATtd to.

Thanks.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
skarthic
Cisco Employee
Cisco Employee

‎09-28-2011 01:07 PM

Can you post what is ACL 1.  Can you also post "show ip nat trans" o/p once you try to ping a public IP in intenet.

I guess the command " ip nat inside source static network 192.168.0.0 192.168.11.0 /24 " is conflicting and even NATting your internet traffic too.

Is there any other device in front of this router towards the internet.

Thanks.

0 Helpful

Go to solution
Reedik Leitsar
Level 1
Level 1
In response to skarthic

‎09-28-2011 02:56 PM

acl 1 is

access-list 1 permit 192.168.0.0 0.0.0.255

default routes :

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 1

ip route 0.0.0.0 0.0.0.0 195.222.19.94

ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 253

In front is ISP router with IP 195.222.19.94

0 Helpful

Go to solution
skarthic
Cisco Employee
Cisco Employee
In response to Reedik Leitsar

‎09-28-2011 03:32 PM

So the Gig0/0 is your primary connection.

As requested earlier, can you post "show ip nat trans" after trying few pings to a public IP from the inside IP . Would like to check what is the internet traffic getting NATtd to.

Thanks.

0 Helpful

Go to solution
Reedik Leitsar
Level 1
Level 1
In response to skarthic

‎09-28-2011 03:48 PM

hey,

Yes that right and i found the error, i wanted to nat whole network, but with cisco 1941 you can nat only statically one IP at time.

Thanks that you took the time to look at my quesstion

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card