12-12-2008 09:45 AM - edited 02-21-2020 04:04 PM
I am having an issue with an IOS IPSEC VPN configuration.
/*
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key TEST123 address 205.xx.1.4
!
!
crypto ipsec transform-set CHAIN esp-3des esp-sha-hmac
!
!
crypto map CRYPTO-MAP 10 ipsec-isakmp
set peer 205.xx.1.4
set transform-set CHAIN
match address 115
!
interface FastEthernet0/0
description TO EDGE ROUTER
ip address 208.xx.xx.33 255.255.255.252
ip nat outside
crypto map CRYPTO-MAP
!
interface FastEthernet0/1
description INTERNAL NETWORK
ip address 10.15.2.4 255.255.255.0
ip nat inside
access-list 115 permit ip 192.xx.xx.128 0.0.0.3 172.xx.1.0 0.0.0.3
*/
(This configuration is incomplete / NAT configuration needed)
Here is the solution I am looking for:
When a session is initiated from the "Internal Network" to the "IPSEC Remote - 172.xx.1.0/30" network, I want the "10.15.0.0/16" address scheme to translate to the NAT addresses "192.xx.xx.128/30" before routing over the IPSEC VPN Tunnel.
Please see "ATTACHED DIAGRAM" for more information.
Any help is greatly appreciated!
Thanks,
Clint Simmons
Network Engineer
12-12-2008 10:39 AM
You can try the following NAT+route map approach (2nd method in this link)
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
Thanks,
Raja K
12-12-2008 12:48 PM
Probably you need the following:
ip access-list extended NAT
 permit ip 10.15.0.0 0.0.255.255 172.xx.1.0 0.0.0.3
!
! The route-map pool keyword takes a pool name, so the address range is defined as a pool first.
! NAT_POOL is a placeholder name; use whatever pool name fits your config.
ip nat pool NAT_POOL 192.xx.xx.129 192.xx.xx.130 prefix-length 30
!
route-map NAT_TO_172.xx.1.0 permit 10
 match ip address NAT
!
ip nat inside source route-map NAT_TO_172.xx.1.0 pool NAT_POOL
12-12-2008 01:06 PM
Thanks for the response. I did try this approach before. However, I will clear the NAT configuration and try again...
/*
ip nat pool CRYPTO-POOL 192.xx.xx.129 192.xx.xx.130 prefix-length 30
ip nat inside source route-map CRYPTO-MAP pool CRYPTO-POOL overload
access-list 115 permit ip 192.xx.xx.128 0.0.0.3 172.xx.xx.0 0.0.0.3
access-list 186 permit ip 10.15.2.0 0.0.0.255 172.xx.xx.0 0.0.0.3
route-map CRYPTO-MAP permit 10
match ip address 186
*/
I will respond with the new results later.
Thanks,
Clint
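The configuration above depends on IOS order of operations for traffic going from the inside to the outside interface: NAT runs before the crypto map is consulted, so access-list 115 is evaluated against the translated 192.xx.xx.128/30 source rather than the original 10.15.x.x address, and any inside host that misses the route-map ACL (186) will also miss the crypto ACL and leave in the clear. The Python model below is an added example written for this page, not Cisco code or anything posted in the thread. It implements IOS wildcard-mask matching and the NAT-then-crypto sequence, using constructed stand-ins (192.0.2.128/30 for the NAT pool, 172.16.1.0/30 for the remote network) in place of the anonymised "xx" octets, and a simplified overload that hands every translated host the first pool address with port allocation omitted. It also checks the common mistake of typing a subnet mask where IOS expects a wildcard.

```python
import ipaddress

# Constructed stand-ins for the thread's anonymised "xx" octets (not the poster's real addresses):
# 10.15.0.0/16 inside network, 172.16.1.0/30 remote IPsec network, 192.0.2.128/30 NAT pool.
NAT_POOL = ["192.0.2.129", "192.0.2.130"]

# ACL entries as (src_base, src_wildcard, dst_base, dst_wildcard); only permit entries are modelled.
ACL_186 = [("10.15.2.0", "0.0.0.255", "172.16.1.0", "0.0.0.3")]   # route-map match for NAT
ACL_115 = [("192.0.2.128", "0.0.0.3", "172.16.1.0", "0.0.0.3")]   # crypto-map "interesting traffic"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care', a 0 bit must match base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching permit entry wins; an ACL with no match is an implicit deny."""
    return any(
        wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)
        for sb, sw, db, dw in acl
    )


def nat_translate(src: str, dst: str) -> str:
    """'ip nat inside source route-map ... pool ... overload': packets permitted by the
    route-map ACL get a pool address; with overload all inside hosts share the first
    address (port allocation omitted). Everything else leaves untranslated."""
    if acl_permits(ACL_186, src, dst):
        return NAT_POOL[0]
    return src


def forward_inside_to_outside(src: str, dst: str):
    """IOS order of operations for inside->outside traffic: NAT runs first, then the
    crypto map ACL is evaluated against the *translated* source. Returns the source
    address that leaves the outside interface and whether the crypto map encrypts it."""
    translated = nat_translate(src, dst)
    encrypted = acl_permits(ACL_115, translated, dst)
    return translated, encrypted


if __name__ == "__main__":
    for src in ("10.15.2.50", "10.15.3.7"):
        out, enc = forward_inside_to_outside(src, "172.16.1.2")
        print(f"{src} -> {out}, encrypted={enc}")
    # A subnet mask typed where a wildcard belongs does not match the intended hosts:
    print(wildcard_match("10.15.2.50", "10.15.0.0", "255.255.0.0"))  # False
    print(wildcard_match("10.15.2.50", "10.15.0.0", "0.0.255.255"))  # True
```

The second host, 10.15.3.7, sits outside access-list 186, so it is never translated and therefore never matches access-list 115; the crypto map ignores it and it is routed unencrypted. That is the condition to check for whenever the route-map ACL and the crypto ACL are edited separately, by confirming with `show ip nat translations` that the expected pool address appears and with `show crypto ipsec sa` that the encrypt counters increment.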
12-18-2008 10:15 AM
Looks like the problem is resolved per the instructions above.
Thanks for all the help!
Clint