cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1081
Views
0
Helpful
2
Replies

IPsec over two NAT routers

Azlord_Cisco
Level 1
Level 1

Hello,

 

I am creating a lab network that has NAT and an IPsec tunnel.

 

Since implementing NAT both on a packet tracer activity and physical equipment, I have encountered issues with communication over the tunnel. Prior to applying NAT, I was able to ping the opposite end of the tunnel and communicate between client machines. Although the tunnel is up, I am unable to get communication though it. I have tried several iterations and troubleshooting steps, yet the reason why it doesn't work as expected currently remains a mystery to me.

 

I have attached a topology of the network with router configurations for inspection (the public IP addresses are randomly selected). Any assistance would be greatly appreciated.

 

Cheers,

Az

 

1 Accepted Solution

Accepted Solutions

Richard Burts
Hall of Fame
Hall of Fame

Az

 

If I understand correctly the VPN worked befoere the nat was added and broke when the nat was configured. So I have not looked closely at the general config and concentrated on the nat configuration. I believe that the configuration of nat on CBR-GW is done correctly which each ACL to control nat specifies a single source subnet (for example 192.168.0.0/22) and specifies multiple destination subnets. However the configuration of nat on SYD-GW is different and I believe that this is the issue. In the ACL to control nat on SYD the ACL specifies multiple source subnets and a single destination subnet. I believe that if you correct the ACLs for nat on SYD that your vpn should work.

 

HTH

 

Rick 

HTH

Rick

View solution in original post

2 Replies 2

Richard Burts
Hall of Fame
Hall of Fame

Az

 

If I understand correctly the VPN worked befoere the nat was added and broke when the nat was configured. So I have not looked closely at the general config and concentrated on the nat configuration. I believe that the configuration of nat on CBR-GW is done correctly which each ACL to control nat specifies a single source subnet (for example 192.168.0.0/22) and specifies multiple destination subnets. However the configuration of nat on SYD-GW is different and I believe that this is the issue. In the ACL to control nat on SYD the ACL specifies multiple source subnets and a single destination subnet. I believe that if you correct the ACLs for nat on SYD that your vpn should work.

 

HTH

 

Rick 

HTH

Rick

I am glad that my response pointed you toward the solution to this question. Thank you for marking this question as solved. This will help other readers in the forum to identify discussions that have helpful information. These forums are excellent places to ask questions and to learn about networking. I hope to see you continue to be active in the forums.

 

HTH

 

Rick

HTH

Rick
Review Cisco Networking for a $25 gift card