Hi everybody,
I manage a DMVPN hub-and-spoke (with EIGRP) network with around 1000 spokes connected all around Europe.
I need to give remote access to this network to one of our partners via a site-to-site VPN. The problem is that this partner is using an IP range already used in my network.
I need to give access from 192.168.3.0/24 to 10.87.0.0/16 but 192.168.3.0 is already used in my network.
The site-to-site VPN is configured that way:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key […] address […]
crypto map VPN 10 ipsec-isakmp
 description Open-Sky
 set peer […]
 set transform-set trans3
 match address Partner_Name
ip access-list extended Partner_Name
 permit ip 10.79.0.0 0.0.255.255 192.168.3.0 0.0.0.255
interface GigabitEthernet0/0/0
 crypto map VPN
Then I configure NAT (I want to NAT 192.168.3.0 to 10.242.128.0)
ip access-list extended Open_Sky_NAT1
 permit ip 192.168.3.0 0.0.0.255 10.79.0.0 0.0.255.255
ip nat pool Open_Sky_NAT1 10.242.128.1 10.242.128.254 netmask 255.255.255.0
ip nat outside source list Open_Sky_NAT1 pool Open_Sky_NAT1 add-route
I also tried this NAT with a route-map.
This is working perfectly but I need to advertise 10.242.128.0 network to my EIGRP network. So I added the following route:
ip route 10.242.128.0 255.255.255.0 Gig 0/0/0
When adding that route, EIGRP properly advertised it to all my other routers (I see the right route on my routers), but the NAT/VPN doesn't work anymore.
When this route is added, my packets are reaching the 10.79.0.0 network but don't go into the VPN (no packets are encrypted).
I assume they are redirected directly to my gig0/0/0 interface without being encrypted in my site-to-site VPN.
So... what am I doing wrong? Any idea?
Thanks in advance for your help.
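Added here as a consistency check, not part of the post above: on IOS, inside-to-outside traffic is translated by NAT before the crypto map is consulted, so a crypto ACL has to match the partner range as it looks after translation (the real 192.168.3.0/24, not the 10.242.128.0/24 pool). The script below parses the ACLs and pool exactly as posted and reports which view the crypto ACL covers; it compares at network granularity because the dynamic pool mapping is not known, and it only handles `permit ip` entries with contiguous wildcard masks.

```python
import ipaddress

# ACLs and pool copied from the post (crypto map match address, outside-source NAT list, NAT pool).
CRYPTO_ACL = ["permit ip 10.79.0.0 0.0.255.255 192.168.3.0 0.0.0.255"]
NAT_ACL = ["permit ip 192.168.3.0 0.0.0.255 10.79.0.0 0.0.255.255"]
NAT_POOL = ipaddress.ip_network("10.242.128.0/24")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network (wildcard bits must be contiguous)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_ace(line: str):
    """'permit ip SRC SRC_WC DST DST_WC' -> (src_net, dst_net); other ACE forms are rejected."""
    action, proto, src, src_wc, dst, dst_wc = line.split()
    if action != "permit" or proto != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    return wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)


def acl_covers(acl, src_net, dst_net) -> bool:
    """True if a single ACE matches every host of src_net talking to every host of dst_net."""
    return any(src_net.subnet_of(s) and dst_net.subnet_of(d) for s, d in map(parse_ace, acl))


def check_crypto_vs_nat(crypto_acl, nat_acl, pool):
    """For an 'ip nat outside source' design, report which view of the partner destination the
    crypto ACL matches. IOS runs NAT before the crypto check for inside-to-outside packets, so
    'matches_real_partner_range' must be True; matching the pool itself is not required."""
    partner_real, inside = parse_ace(nat_acl[0])  # outside-source list: src = partner's real range
    return {
        "matches_real_partner_range": acl_covers(crypto_acl, inside, partner_real),
        "matches_nat_pool": acl_covers(crypto_acl, inside, pool),
    }


if __name__ == "__main__":
    print(check_crypto_vs_nat(CRYPTO_ACL, NAT_ACL, NAT_POOL))
```

For the posted configuration the crypto ACL covers the real partner range and not the pool, which is the expected shape for this NAT direction; the check therefore rules out the ACL itself as the reason encryption stops once the static route is added.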