01-14-2014 08:17 PM - edited 03-04-2019 10:04 PM
My company just acquired another organization and they have the same subnet as another recent acquisition. I have a tunnel interface configured on their 1921 router (running 15.2) to my firewall and I can ping through to the tunnel's IP from HQ and vice versa. The problem is that I cannot reach the LAN since there is another VPN tunnel at HQ using 192.168.1.0/24. Is there a way on a 1921 to apply a NAT statement to essentially masquerade the subnet so at HQ it looks like 172.16.131.0/24 instead of 192.168.1.0/24? I would need to do this on the router since my Palo Alto firewall cannot NAT the destination coming into HQ. At the same time the router is being used for Internet access with a NAT pool. I have attached the config below if anyone has any ideas.
hostname GSDN-RTR1
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 ************
!
no aaa new-model
!
ip cef
!
!
!
!
!
!
ip name-server 207.230.75.50
ip name-server 207.230.75.34
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FTX175080LL
!
!
!
redundancy
!
!
!
!
!
lldp run
!
!
! IKEv1 / IPsec settings for the tunnel to HQ
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ************ address 198.199.129.150
!
!
crypto ipsec transform-set Corp-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile Corp-IPSec
 set transform-set Corp-TS
!
!
!
!
!
!
!
! IPsec VTI to HQ (no NAT applied on this interface yet)
interface Tunnel0
 ip address 172.16.95.130 255.255.255.252
 tunnel source 209.16.244.14
 tunnel mode ipsec ipv4
 tunnel destination 198.199.129.150
 tunnel protection ipsec profile Corp-IPSec
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
! LAN side: the 192.168.1.0/24 that overlaps with the other acquisition
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex full
 speed 10
 rj45-auto-detect-polarity disable
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 service-module t1 timeslots 1-24
 cdp enable
 frame-relay lmi-type ansi
!
! WAN sub-interface: Internet access, tunnel source, and NAT outside
interface Serial0/0/0.1 point-to-point
 description Acquisition WAN
 ip address 209.16.244.14 255.255.255.248 secondary
 ip address 10.22.5.74 255.255.255.252
 ip access-group 107 in
 ip nat outside
 ip virtual-reassembly in
 frame-relay interface-dlci 100 IETF
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
! Internet NAT: PAT for the LAN plus two static mappings
ip nat pool nat 209.16.244.9 209.16.244.9 netmask 255.255.255.248
ip nat inside source list 1 pool nat overload
ip nat inside source static 192.168.1.100 209.16.244.10
ip nat inside source static 192.168.1.101 209.16.244.11
ip route 0.0.0.0 0.0.0.0 10.22.5.73
! HQ prefixes reached through the tunnel
ip route 10.50.1.0 255.255.255.0 172.16.95.129
ip route 172.16.0.0 255.255.240.0 172.16.95.129
!
access-list 1 permit 192.168.1.0 0.0.0.255
! Inbound filter on the WAN: only listed sources may reach the static NAT hosts
access-list 107 permit tcp any any established
access-list 107 permit tcp host 97.73.172.178 host 209.16.244.10
access-list 107 permit tcp host 97.73.172.178 host 209.16.244.11
access-list 107 permit tcp host 98.83.70.197 host 209.16.244.11
access-list 107 permit tcp host 98.83.70.197 host 209.16.244.10
access-list 107 permit tcp host 71.8.40.69 host 209.16.244.10
access-list 107 deny ip any host 209.16.244.10
access-list 107 deny ip any host 209.16.244.11
access-list 107 permit ip any any
!
!
snmp-server community ITC-Public RO
snmp-server enable traps entity-sensor threshold
!
control-plane
!
!
!
line con 0
 exec-timeout 15 0
 password 7 ************
 login
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 ************
 login
 transport input all
line vty 5 15
 password 7 ************
 login
 transport input all
!
scheduler allocate 20000 1000
!
end
01-14-2014 08:28 PM
There should not be any reason you can't mark ip NAT outside on the GRE interface towards this location and update the NAT statements accordingly. I would also update your NAT statements and use route maps to match the interface.
Sent from Cisco Technical Support iPhone App
01-14-2014 08:37 PM
Do you have an example of how to set it up?
01-15-2014 06:23 PM
Found this on the support forums
https://supportforums.cisco.com/docs/DOC-5061
Similar concept to what you're trying to accomplish.
--
CCNP, CCIP, CCDP, CCNA: Security/Wireless
Blog: http://ccie-or-null.net/
01-17-2014 12:39 PM
Just what I was looking for. I didn't see an option anywhere to NAT the entire subnet specifically with a route map. Any thoughts on if this one can be done?
01-17-2014 02:45 PM
You'd have to do NAT overload / PAT or do static NAT for individual IPs.
Sent from Cisco Technical Support iPhone App
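The approach the replies describe, as an added worked example that is not from the thread or from the linked Cisco document: mark Tunnel0 as NAT outside, move the existing NAT statements to route-maps keyed on the egress interface, PAT the LAN to a single 172.16.131.x address towards HQ, and add per-host statics for the hosts HQ must initiate to. Names NAT-INET, NAT-HQ and HQ-POOL are assumed, as is IOS 15.2 accepting route-map on static entries; verify in a lab before touching the production 1921.

```cisco
! Assumed names: NAT-INET, NAT-HQ, HQ-POOL. ACL 1 already matches the LAN.
!
! 1. The VTI to HQ becomes a NAT outside interface, as the first reply suggests.
interface Tunnel0
 ip nat outside
!
! 2. Same inside hosts, different translation depending on the output interface.
!    Without the interface match, HQ-bound traffic would hit the Internet PAT
!    statement and leave the tunnel sourced from 209.16.244.9.
route-map NAT-INET permit 10
 match ip address 1
 match interface Serial0/0/0.1
!
route-map NAT-HQ permit 10
 match ip address 1
 match interface Tunnel0
!
! 3. Internet PAT: replace the list-based statement with the route-map version.
no ip nat inside source list 1 pool nat overload
ip nat inside source route-map NAT-INET pool nat overload
!
! 4. HQ-bound PAT: the whole 192.168.1.0/24 appears at HQ as 172.16.131.1.
!    HQ can only initiate to hosts that have a static entry (step 5).
ip nat pool HQ-POOL 172.16.131.1 172.16.131.1 netmask 255.255.255.0
ip nat inside source route-map NAT-HQ pool HQ-POOL overload
!
! 5. Per-host statics, one per host and per direction. The Internet statics
!    are re-added with a route-map too; otherwise IOS rejects a second
!    mapping for the same inside address (assumption: route-map on static
!    entries is supported on this release).
no ip nat inside source static 192.168.1.100 209.16.244.10
no ip nat inside source static 192.168.1.101 209.16.244.11
ip nat inside source static 192.168.1.100 209.16.244.10 route-map NAT-INET
ip nat inside source static 192.168.1.101 209.16.244.11 route-map NAT-INET
ip nat inside source static 192.168.1.100 172.16.131.100 route-map NAT-HQ
ip nat inside source static 192.168.1.101 172.16.131.101 route-map NAT-HQ
!
! 6. Existing translations keep the old mapping until they are cleared.
clear ip nat translation *
```

The HQ end still needs a route for 172.16.131.0/24 pointing at its side of the tunnel, and anything that only listens on 172.16.131.1 (the PAT address) is unreachable from HQ by design; check with show ip nat translations after the first ping from each side.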