Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7122
Views
0
Helpful
2
Replies

crypto map with NAT

carlosJlopez_2
Level 1
Level 1

‎03-08-2011 12:48 AM

Hi all,

I have this situation, I need to establsih an IPsec communication to another site but I need to identify all my packets sent, as a different networks as my local one. for example: my local network is 10.5.0.0/24 and I need to sent packets as 10.6.0.0/24. I suppose that I need to do Nat with this IPs. But in this router Nat is already applied to outbound traffic to Internet. How can I apply this NAT to cryptomap only?

My router is a cisco 877 with 12.4 IOS an this is the relevant configuration, crypto map vpn it´s used tosent traffic to second site.

crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxx address  XX.XX.XX.XX

crypto ipsec transform-set vpn esp-3des esp-sha-hmac

crypto map vpn 1 ipsec-isakmp
set peer XX.XX.XX.XX

set transform-set vpn
match address NET

interfaz  vlan1

ip address 10.5.0.1 255.255.255.0

ip nat inside

interface ATM0.1 point-to-point
ip address XX.YY.YY.YY 255.255.255.0
ip nat outside
 ip virtual-reassembly

crypto map vpn

ip nat inside source list 101 interface ATM0.1 overload
ip nat inside source static tcp zz.zz.zz.zz 25 interface ATM0.1 25

ip access-list extended NET

permit ip any 10.0.1.0 0.0.0.255
permit ip any 10.0.2.0 0.0.0.255

access-list 101 permit ip any any

thanks in advance

Labels:
0 Helpful
2 Replies 2

JORGE RODRIGUEZ
Level 10
Level 10

‎03-11-2011 01:35 PM

Carlos,


Follow these two examples, disregard the overlaping networks scenario,  just follow the logical  to  accomplish your requirements.


http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml

Your LAN IP subnet 10.5.0.0/24 to be NATed as 10.6.0.0/24   for the Ipsec tunnel , when you define interestng traffic in your acl that will be the acl that  will be applied to the crypto map thus applied to the Ipsec tunnel , the other acls will NOT  be applied there.


ip nat inside source static network 10.5.0.0 10.6.0.0 /24 no-alias


access-list 100 permit ip 10.6.0.0 0.0.0.255

crypto map vpn 1 ipsec-isakmp
set peer XX.XX.XX.XX

set transform-set vpn
match address 100 

the far end router/firewall  will need the to allow your 10.6.0.0/24 NATed  network  in their interresting  traffic acl.

Regards

Jorge Rodriguez
0 Helpful

Gustavo Medina
Cisco Employee
Cisco Employee

‎03-11-2011 02:43 PM

Hello Carlos,


First of all, you might wanna change access-list 101 as the permit ip any any will block router services such as ssh, sing ACL for NAT with permit ip any any as you can get unpredictable results. Now, as per your situation we need Policy NAT so we'll do the translation just when going to a specific destination. what I'm saying is this:

access-list 133 permit ip 10.5.0.0 0.0.0.255 10.0.1.0 0.0.0.255

access-list 133 permit ip 10.5.0.0 0.0.0.255 10.0.2.0 0.0.0.255

route-map static-vpn
  match ip address 133

ip nat pool NAT-POOL 10.6.0.1 10.6.0.254 netmask 255.255.255.0 type match-host

ip nat inside source route-map static-vpn pool NAT-POOL reversible

no ip access-list extended NET

ip access-list extended NET

permit ip 10.6.0.0 0.0.0.255 10.0.1.0 0.0.0.255

permit ip 10.6.0.0 0.0.0.255 10.0.2.0 0.0.0.255

crypto map vpn 1 ipsec-isakmp

match address NET


Of course at the other site they must mirror the interesting traffic.

Hope this helps.

Tavo

0 Helpful
Customers Also Viewed These Support Documents