VPN, NAT and EIGRP

Nicolas Marchal
Level 1

Hi everybody,

I manage a DMVPN hub-and-spoke (with EIGRP) network with around 1000 spokes connected all around Europe.

I need to give remote access to this network to one of our partners via a site-to-site VPN. The problem is that this partner is using a network IP range already used in my network.

I need to give access from 192.168.3.0/24 to 10.87.0.0/16 but 192.168.3.0 is already used in my network.

The site-to-site VPN is configured this way:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp key […] address […]

crypto map VPN 10 ipsec-isakmp
 description Open-Sky
 set peer […]
 set transform-set trans3
 match address Partner_Name

ip access-list extended Partner_Name
 permit ip 10.79.0.0 0.0.255.255 192.168.3.0 0.0.0.255

interface GigabitEthernet0/0/0
 crypto map VPN

Then I configure NAT (I want to NAT 192.168.3.0 to 10.242.128.0):

ip access-list extended Open_Sky_NAT1
 permit ip 192.168.3.0 0.0.0.255 10.79.0.0 0.0.255.255

ip nat pool Open_Sky_NAT1 10.242.128.1 10.242.128.254 netmask 255.255.255.0

ip nat outside source list Open_Sky_NAT1 pool Open_Sky_NAT1 add-route

I also tried this NAT with a route-map.

This is working perfectly, but I need to advertise the 10.242.128.0 network to my EIGRP network. So I added the following route:

ip route 10.242.128.0 255.255.255.0 Gig 0/0/0

When adding that route, EIGRP properly advertised it to all my other routers (I see the right route on my routers), but the NAT/VPN doesn't work anymore.

When this route is added, my packets are reaching the 10.79.0.0 network but don't go into the VPN (no packets encrypted).

I assume they are sent directly out of my Gig0/0/0 interface without being encrypted by my site-to-site VPN.

So... what am I doing wrong? Any idea?

Thanks in advance for your help.

1 Reply

Nicolas Marchal
Level 1

Ok.

I've found a solution to my issue, in case you encounter the same one.

I just replaced: ip route 10.242.128.0 255.255.255.0 Gig 0/0/0

with: ip route 10.242.128.0 255.255.255.0 [GATEWAY_IP]

I still don't know why it was not working with the first command, because I have another router (same model, same version) which is working with both configurations...

see ya.
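The thread's underlying design problem is the overlapping address range and the need to keep the NAT ACL and the crypto ACL consistent with each other. The following is an added example, not part of the original thread and not Cisco code: a small Python planning check that parses IOS-style `permit ip` entries (wildcard masks, `host`, `any`), then verifies that the partner prefix really clashes with existing prefixes, that the chosen NAT pool is free, and that the NAT ACL is the mirror image of the crypto ACL. The prefixes used in the demo are the ones quoted in the post; the function and class names, and the heuristic that the pool should be at least as large as the partner range, are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class AclEntry:
    """Source and destination prefix of one 'permit ip' access-list entry."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair into a prefix.

    The wildcard is a hostmask: bits set to 1 are ignored. Only contiguous
    low-order ones can be expressed as a prefix, so anything else is rejected.
    (0.0.0.0 is a /32 host, 255.255.255.255 is 'any'.)
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix_len = 32 - w.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def _operand(tokens: List[str], i: int):
    """Parse one ACE operand starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_ios_ace(line: str) -> AclEntry:
    """Parse a 'permit ip <src> <dst>' extended ACE (the form used in the post)."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _operand(tokens, 2)
    dst, i = _operand(tokens, i)
    if i != len(tokens):
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return AclEntry(src, dst)


def check_plan(existing: Iterable[ipaddress.IPv4Network],
               partner: ipaddress.IPv4Network,
               nat_pool: Optional[ipaddress.IPv4Network],
               crypto_ace: AclEntry,
               nat_ace: AclEntry) -> List[str]:
    """Return a list of problems with the overlap/NAT/crypto plan (empty = consistent).

    existing   - prefixes already routed inside the DMVPN network
    partner    - the partner's real, untranslated prefix
    nat_pool   - prefix the partner is translated to on our side, or None for no NAT
    crypto_ace - the ACE the crypto map matches (local -> partner, on-the-wire addresses)
    nat_ace    - the ACE referenced by 'ip nat outside source list' (partner -> local)
    """
    existing = list(existing)
    problems: List[str] = []
    clashes = [n for n in existing if n.overlaps(partner)]
    if clashes and nat_pool is None:
        problems.append(f"partner {partner} overlaps {clashes}; translation is required")
    if nat_pool is not None:
        for n in existing:
            if n.overlaps(nat_pool):
                problems.append(f"NAT pool {nat_pool} overlaps existing prefix {n}")
        # Heuristic (assumption of this example): a 1:1 mapping needs a pool at
        # least as large as the partner range.
        if nat_pool.num_addresses < partner.num_addresses:
            problems.append(f"NAT pool {nat_pool} is smaller than partner range {partner}")
    # The crypto ACL describes traffic with the partner's real addresses, so the
    # outside-source NAT ACL must be its mirror image (src/dst swapped).
    if crypto_ace.dst != nat_ace.src or crypto_ace.src != nat_ace.dst:
        problems.append("NAT ACL is not the mirror image of the crypto ACL")
    if crypto_ace.dst != partner:
        problems.append(f"crypto ACL destination {crypto_ace.dst} is not the partner prefix {partner}")
    return problems


def demo() -> List[str]:
    """Run the check with the prefixes quoted in the post (sample input)."""
    existing = [ipaddress.ip_network(n) for n in ("10.87.0.0/16", "192.168.3.0/24", "10.79.0.0/16")]
    partner = ipaddress.ip_network("192.168.3.0/24")
    pool = ipaddress.ip_network("10.242.128.0/24")
    crypto = parse_ios_ace("permit ip 10.79.0.0 0.0.255.255 192.168.3.0 0.0.0.255")
    nat = parse_ios_ace("permit ip 192.168.3.0 0.0.0.255 10.79.0.0 0.0.255.255")
    return check_plan(existing, partner, pool, crypto, nat)


if __name__ == "__main__":
    print(demo() or "plan is consistent")
```

Run it before committing a new partner VPN: an empty list means the partner range, the chosen pool and the two ACLs line up; each string in the list names one thing to fix.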
