06-08-2017 02:15 PM - edited 03-08-2019 10:54 AM
Hi folks,
I need to do a DNAT and then send traffic to a Site-to-Site VPN IPSEC.
The VPN tunnel is OK (Phase one and two), but now I need to do the DNAT on router "Router-001". How can I do it?
Attached document
VPN configuration:
crypto isakmp key *********** (IP Peer Client)
crypto map cedro-crypto 250 ipsec-isakmp
 description VPN RENA
 set peer (IP Peer Client)
 set security-association lifetime seconds 86400
 set transform-set 3des-sha
 match address vpn_renascenca_bkp
crypto isakmp policy 260
 encr 3des
 authentication pre-share
 group 2
Extended IP access list vpn_renascenca_bkp
    10 permit ip 10.254.9.0 0.0.0.255 10.3.4.32 0.0.0.31
INTERNAL ROUTER INTERFACE:
interface FastEthernet0/0.200
 description LINK REDE CIRCUITOS (VLAN 200)
 encapsulation dot1Q 200
 ip address 10.154.4.77 255.255.255.192
 ip accounting output-packets
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 no cdp enable
end
EXTERNAL ROUTER INTERFACE:
interface FastEthernet0/1
 ip address 200.200.19.5 255.255.255.128
 speed 100
 full-duplex
 no cdp enable
 crypto map cedro-crypto
end
06-08-2017 05:07 PM
Hi
To achieve this task (if I understood correctly), you'll need to use the ip nat outside command.
Let's recap:
- real IP of your server: 10.3.4.33
- local IP of your server: 192.168.231.1
We assume that no route exists for your local server IP.
The command would be:
ip nat outside source static 10.3.4.33 192.168.231.1 add-route
Then, from the internal side, if you reach your local IP 192.168.231.1, the traffic will be redirected to 10.3.4.33.
I assume that your internal and external interfaces already have the ip nat inside and ip nat outside commands.
Here are some outputs I already pasted on this forum for the same question.
- my real srv ip: 8.8.8.8
- my local srv ip: 1.1.1.1
I have the design below:
R1 --- R2 --- R3
On R2 inside:
interface g0/0
 ip nat inside
On R2 outside:
interface g0/1
 ip nat outside
Globally:
ip nat outside source static 8.8.8.8 1.1.1.1 add-route
Then I ping from R1 to 1.1.1.1:
R1#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
And debug ip icmp on R3:
*Jun 8 23:59:23.062: ICMP: echo reply sent, src 8.8.8.8, dst 192.168.0.2, topology BASE, dscp 0 topoid 0
*Jun 8 23:59:23.063: ICMP: echo reply sent, src 8.8.8.8, dst 192.168.0.2, topology BASE, dscp 0 topoid 0
*Jun 8 23:59:23.065: ICMP: echo reply sent, src 8.8.8.8, dst 192.168.0.2, topology BASE, dscp 0 topoid 0
*Jun 8 23:59:23.066: ICMP: echo reply sent, src 8.8.8.8, dst 192.168.0.2, topology BASE, dscp 0 topoid 0
*Jun 8 23:59:23.071: ICMP: echo reply sent, src 8.8.8.8, dst 192.168.0.2, topology BASE, dscp 0 topoid 0
Thanks
PS: Please don't forget to rate and mark as correct answer.
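An added example, not part of the original thread: on IOS, inside-to-outside NAT runs before the crypto map is evaluated, so the crypto ACL has to match the translated addresses. This Python check applies the answer's `ip nat outside source static` statement to a flow and tests the result against the thread's crypto ACL entry; the client source addresses and all function names are constructed for illustration.

```python
import ipaddress
import re

# From the thread: crypto ACL entry and the NAT statement given in the answer.
CRYPTO_ACL = ["10 permit ip 10.254.9.0 0.0.0.255 10.3.4.32 0.0.0.31"]
NAT_LINE = "ip nat outside source static 10.3.4.33 192.168.231.1 add-route"

def wildcard_match(addr, base, wildcard):
    """IOS wildcard logic: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_acl(lines):
    """Parse '[seq] permit ip <src> <wc> <dst> <wc>' entries only."""
    pat = re.compile(r"(?:\d+\s+)?permit ip (\S+) (\S+) (\S+) (\S+)$")
    return [m.groups() for m in (pat.match(l.strip()) for l in lines) if m]

def parse_outside_static(line):
    """Return (outside_global, outside_local) from the NAT statement."""
    m = re.match(r"ip nat outside source static (\S+) (\S+)", line.strip())
    if not m:
        raise ValueError("not an 'ip nat outside source static' line")
    return m.group(1), m.group(2)

def post_nat_destination(dst, nat):
    """Inside-to-outside: destination outside-local becomes outside-global."""
    outside_global, outside_local = nat
    return outside_global if dst == outside_local else dst

def matches_crypto_acl(src, dst, nat_line=NAT_LINE, acl_lines=CRYPTO_ACL):
    """True if the flow, after NAT, is interesting traffic for the tunnel."""
    real_dst = post_nat_destination(dst, parse_outside_static(nat_line))
    return any(wildcard_match(src, s, sw) and wildcard_match(real_dst, d, dw)
               for s, sw, d, dw in parse_acl(acl_lines))

if __name__ == "__main__":
    # Constructed client addresses; only the first is inside the ACL source range.
    for src in ("10.254.9.10", "10.154.4.70"):
        print(src, "-> 192.168.231.1 matches crypto ACL:",
              matches_crypto_acl(src, "192.168.231.1"))
```

A flow that does not match the crypto ACL after translation is not selected for encryption by the crypto map, so the ACL must be written against the post-NAT addresses.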
06-09-2017 08:08 AM
Thank you so much... it works!
06-09-2017 08:13 AM
You're very welcome.