03-08-2011 12:48 AM
Hi all,
I have this situation, I need to establsih an IPsec communication to another site but I need to identify all my packets sent, as a different networks as my local one. for example: my local network is 10.5.0.0/24 and I need to sent packets as 10.6.0.0/24. I suppose that I need to do Nat with this IPs. But in this router Nat is already applied to outbound traffic to Internet. How can I apply this NAT to cryptomap only?
My router is a cisco 877 with 12.4 IOS an this is the relevant configuration, crypto map vpn it´s used tosent traffic to second site.
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxx address XX.XX.XX.XX
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
crypto map vpn 1 ipsec-isakmp
set peer XX.XX.XX.XX
set transform-set vpn
match address NET
interfaz vlan1
ip address 10.5.0.1 255.255.255.0
ip nat inside
interface ATM0.1 point-to-point
ip address XX.YY.YY.YY 255.255.255.0
ip nat outside
ip virtual-reassembly
crypto map vpn
ip nat inside source list 101 interface ATM0.1 overload
ip nat inside source static tcp zz.zz.zz.zz 25 interface ATM0.1 25
ip access-list extended NET
permit ip any 10.0.1.0 0.0.0.255
permit ip any 10.0.2.0 0.0.0.255
access-list 101 permit ip any any
thanks in advance
03-11-2011 01:35 PM
Carlos,
Follow these two examples, disregard the overlaping networks scenario, just follow the logical to accomplish your requirements.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a0ece4.shtml
Your LAN IP subnet 10.5.0.0/24 to be NATed as 10.6.0.0/24 for the Ipsec tunnel , when you define interestng traffic in your acl that will be the acl that will be applied to the crypto map thus applied to the Ipsec tunnel , the other acls will NOT be applied there.
ip nat inside source static network 10.5.0.0 10.6.0.0 /24 no-alias
access-list 100 permit ip 10.6.0.0 0.0.0.255
crypto map vpn 1 ipsec-isakmp
set peer XX.XX.XX.XX
set transform-set vpn
match address 100
the far end router/firewall will need the to allow your 10.6.0.0/24 NATed network in their interresting traffic acl.
Regards
03-11-2011 02:43 PM
Hello Carlos,
First of all, you might wanna change access-list 101 as the permit ip any any will block router services such as ssh, sing ACL for NAT with permit ip any any as you can get unpredictable results. Now, as per your situation we need Policy NAT so we'll do the translation just when going to a specific destination. what I'm saying is this:
access-list 133 permit ip 10.5.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 133 permit ip 10.5.0.0 0.0.0.255 10.0.2.0 0.0.0.255
route-map static-vpn
match ip address 133
ip nat pool NAT-POOL 10.6.0.1 10.6.0.254 netmask 255.255.255.0 type match-host
ip nat inside source route-map static-vpn pool NAT-POOL reversible
no ip access-list extended NET
ip access-list extended NET
permit ip 10.6.0.0 0.0.0.255 10.0.1.0 0.0.0.255
permit ip 10.6.0.0 0.0.0.255 10.0.2.0 0.0.0.255
crypto map vpn 1 ipsec-isakmp
match address NET
Of course at the other site they must mirror the interesting traffic.
Hope this helps.
Tavo
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide