06-17-2019 09:12 AM
Hi everyone,
I have 2 sites.
Site one (1) is the old site.
Site two (2) is the new site.
Both sites are operational.
Site 1 has a Cisco 2911 doing the VPN to site 2 and at the same time doing NAT.
Site 1 has the CUCM.
Site 2 has a Meraki doing VPN to site one.
Right now all the Cisco IP phones on site 1 and site 2 get an IP address of 10.88.X.X.
The IP address scheme for site 2 is 10.35.X.X but we are changing it to 10.21.X.X.
I have been working on this for some time and with the help of this forum everything seems to be working in a test environment with network 10.21.X.X.
The only thing I did not test is the phone, as I know I will have to change some of the configurations in Site 1.
I am adding the configurations of Cisco 2911 where the VPN and Natting is done.
216.123.3.30 ---> is the IP address of the WAN interface facing the ISP
216.123.3.17 ---> is the default GW for Site 1
184.94.68.98 ---> is the IP address of the Meraki on site 2
My questions are as follows:
(1) Site 2 now has 2 networks: 10.35.X.X is in production and working fine, and 10.21.X.X is in a TEST environment and is not connected to 10.35.X.X in any way. Can I create a VPN from the Meraki in network 10.21.X.X to the Cisco 2911 at site one? This will mean that I will have 2 VPNs from site 2 to site 1?
(2) Looking at the configuration on the Cisco 2911 at site 1, how can I create a VPN to site 2, where there is a test Meraki with IP address 38.32.57.158 and network 10.21.X.X, and how do I do the NATting on the Cisco 2911?
(3)
crypto keyring VPN-Meraki
 pre-shared-key address 184.94.68.98 key lmn123
!
crypto isakmp profile VPN_565-Meraki
 keyring VPN-Meraki
!
crypto map remap 1 ipsec-isakmp
 set peer 184.94.68.98
 set security-association lifetime seconds 28800
 set transform-set VPN-MY-Meraki
 set isakmp-profile VPN_565-Meraki
 match address NETWORK_88-565
 reverse-route
crypto map remap 10 ipsec-isakmp dynamic remap
!
ip access-list extended NETWORK_88-565
 permit ip 10.88.0.0 0.0.0.255 10.35.8.0 0.0.3.255
 permit ip 10.88.0.0 0.0.0.255 10.35.0.0 0.0.3.255
 permit ip 10.88.0.0 0.0.0.255 10.35.16.0 0.0.3.255
 permit ip 10.88.0.0 0.0.0.255 10.35.40.0 0.0.3.255
 permit ip 10.88.0.0 0.0.0.255 10.35.48.0 0.0.3.255
 permit ip 10.88.0.0 0.0.0.255 10.35.64.0 0.0.3.255
 permit ip 192.168.1.0 0.0.0.255 10.35.8.0 0.0.3.255
 permit ip 192.168.1.0 0.0.0.255 10.35.0.0 0.0.3.255
 permit ip 192.168.1.0 0.0.0.255 10.35.40.0 0.0.3.255
 permit ip 192.168.1.0 0.0.0.255 10.35.48.0 0.0.3.255
 permit ip 192.168.1.0 0.0.0.255 10.35.64.0 0.0.3.255
Can someone please help.
Again, I don't want to remove the network 10.35.X.X; instead I just want to add 10.21.X.X, which is a completely independent network.
Thanks in advance
Tazio
match identity address 184.94.68.98 255.255.255.255
06-17-2019 01:31 PM
Hello,
I cannot tell from what you are describing if you have one or two (production and test) Merakis at site 2? Either way, you can use the same local peer on the 2911 to build two separate VPNs, one to the production, and one to the test Meraki. All you need to do is add a second crypto map, specifying the test network remote peer, and change the access list to reflect the test network LAN (10.21.xx.)...
06-18-2019 11:27 AM
06-18-2019 11:54 AM
Hello,
Just build a second VPN tunnel to the second Meraki. The 2911 can peer with multiple VPN endpoints...
06-18-2019 01:46 PM
Hi,
Will this be enough on the Cisco 2911 to bring up the VPN?
I have just edited the existing config and built a new VPN tunnel with the new Meraki, but I am not sure if this is enough.
!
crypto keyring VPN-Meraki_TEST
 pre-shared-key address 38.32.57.158 key AAA123
!
crypto isakmp profile VPN_565-Meraki_TEST
 keyring VPN-Meraki_TEST
!
crypto map remap 1 ipsec-isakmp
 set peer 38.32.57.158
 set security-association lifetime seconds 28800
 set transform-set VPN-MY-Meraki_TEST
 set isakmp-profile VPN_565-Meraki_TEST
 match address NETWORK_88-565_TEST
 reverse-route
crypto map remap 10 ipsec-isakmp dynamic remap
!
ip access-list extended NETWORK_88-565_TEST
 permit ip 10.88.0.0 0.0.0.255 10.21.80.0 0.0.7.255
Thanks
Tazio
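
Added example, not part of the thread and not any poster's or Cisco's code: a Python pre-change check run over abridged, re-indented copies of the two configs posted above. IOS identifies a crypto map entry by map name and sequence number, so the check reports a sequence number re-entered with a different peer, and it converts the ACL wildcard masks to prefixes to confirm the new selectors do not overlap the existing ones. The function names are hypothetical.

```python
import ipaddress

# Abridged and re-indented from the two configs posted in the thread.
EXISTING = """\
crypto map remap 1 ipsec-isakmp
 set peer 184.94.68.98
crypto map remap 10 ipsec-isakmp dynamic remap
ip access-list extended NETWORK_88-565
 permit ip 10.88.0.0 0.0.0.255 10.35.8.0 0.0.3.255
 permit ip 10.88.0.0 0.0.0.255 10.35.0.0 0.0.3.255
"""
PROPOSED = """\
crypto map remap 1 ipsec-isakmp
 set peer 38.32.57.158
ip access-list extended NETWORK_88-565_TEST
 permit ip 10.88.0.0 0.0.0.255 10.21.80.0 0.0.7.255
"""

def wildcard_net(addr, wildcard):
    """IOS address + wildcard mask -> ip_network (contiguous masks only)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse(config):
    """Return ({(map_name, seq): peer}, {acl_name: [(src_net, dst_net)]})."""
    peers, acls, section = {}, {}, None
    for line in filter(str.strip, config.splitlines()):
        w = line.split()
        if not line[0].isspace():          # top-level command starts a new section
            section = None
            if w[:2] == ["crypto", "map"] and "dynamic" not in w:
                section = (w[2], int(w[3]))
            elif w[:3] == ["ip", "access-list", "extended"]:
                section = w[3]
                acls[section] = []
        elif isinstance(section, tuple) and w[:2] == ["set", "peer"]:
            peers[section] = w[2]
        elif isinstance(section, str) and w[:2] == ["permit", "ip"]:
            acls[section].append((wildcard_net(w[2], w[3]), wildcard_net(w[4], w[5])))
    return peers, acls

def sequence_collisions(existing, proposed):
    """Entries re-entered under a sequence number already bound to another peer."""
    old, new = parse(existing)[0], parse(proposed)[0]
    return [(k, old[k], new[k]) for k in new if k in old and old[k] != new[k]]

def selector_overlaps(existing, proposed):
    """(proposed, existing) ACL lines whose source and destination both overlap."""
    old, new = parse(existing)[1], parse(proposed)[1]
    return [(n, o) for nl in new.values() for n in nl for ol in old.values()
            for o in ol if n[0].overlaps(o[0]) and n[1].overlaps(o[1])]
```

On these snippets the first check reports `remap 1` bound to both 184.94.68.98 and 38.32.57.158, and the second reports no overlapping selectors.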