Hello All, I need to connect a Cisco 900 series router to a vendor, and the vendor has asked that I NAT my internal hosts that need to access the L2L VPN to an external address instead of using the real IPs.
The reason is that my internal hosts are all in 192.168.200.0/24, and of course they have lots of VPNs that terminate to them.
I was going to try to NAT my internal hosts to my outside interface and use the IP address of that interface in the tunnel.
Do I just take my NoNAT ACL out and add an ACL for my interesting traffic that uses the outside interface of my ISR as the source?
Below is what I was thinking. Am I correct?
Local IP address - 192.168.200.0/24
Remote (Vendor) IP address - 188.100.0.0/24
Local outside interface on my ISR - 64.27.5.1
Remote (Vendor) Peer IP address - 188.150.10.10
crypto isakmp policy 30
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 40
encr aes 256
authentication pre-share
group 5
crypto isakmp key xxxxxxx address XXXXXXXXXXX
crypto map Vendor 1 ipsec-isakmp
description Tunnel to Vendor
set peer 188.150.10.10
set transform-set Vendor
match address 102
access-list 102 remark Interesting Traffic to Vendor
access-list 102 permit ip 64.27.5.1 0.0.0.0 188.100.0.0 0.0.0.255
access-list 103 remark Traffic to NAT outbound
access-list 103 permit ip 192.168.200.0 0.0.0.255 any
route-map NAT permit 1
match ip address 103
ip nat inside source route-map NAT interface GigabitEthernet8 overload
Thanks in advance.
Dan
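The design the post sketches relies on one IOS ordering fact: for inside-to-outside traffic the router applies NAT first and evaluates the crypto map second, so the crypto ACL has to match the translated (public) source, which is what access-list 102 does. Below is a complete configuration for that design, added here as an example and not part of Dan's posted config. It reuses the addresses from the post; the transform-set contents, the pre-shared key value, the inside interface name and addressing, the outside mask, and the hypothetical "other tunnel" deny line are assumptions and must be matched to the vendor's proposal and your own network.

```cisco
! Added example, not the original poster's configuration.
! Design: PAT 192.168.200.0/24 to the outside interface address (64.27.5.1),
! then encrypt the translated traffic towards the vendor's 188.100.0.0/24.
!
! Phase 1: both policies are offered; the vendor's peer picks the one it matches.
crypto isakmp policy 30
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp policy 40
 encr aes 256
 authentication pre-share
 group 5
! Pre-shared key bound to the vendor's peer address (key value is a placeholder).
crypto isakmp key <pre-shared-key> address 188.150.10.10
!
! Phase 2 transform-set. The post references "Vendor" without defining it;
! AES-256/SHA-1 tunnel mode is an assumption, use whatever the vendor proposes.
crypto ipsec transform-set Vendor esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACL matches the POST-NAT source. IOS translates inside->outside
! packets before the crypto map sees them, so the source is the outside
! interface address, not 192.168.200.0/24 ("host 64.27.5.1" is the same as
! "64.27.5.1 0.0.0.0" in the post).
access-list 102 remark Interesting traffic to Vendor (post-NAT source)
access-list 102 permit ip host 64.27.5.1 188.100.0.0 0.0.0.255
!
crypto map Vendor 1 ipsec-isakmp
 description Tunnel to Vendor
 set peer 188.150.10.10
 set transform-set Vendor
 match address 102
!
! NAT policy: everything from the LAN is translated, including the vendor
! traffic. If another site-to-site tunnel must carry real 192.168.200.x
! addresses, it needs a deny ahead of the permit, for example (hypothetical
! remote network, fill in your own):
! access-list 103 deny ip 192.168.200.0 0.0.0.255 <other-tunnel-network> <wildcard>
access-list 103 remark Traffic to NAT outbound
access-list 103 permit ip 192.168.200.0 0.0.0.255 any
route-map NAT permit 1
 match ip address 103
ip nat inside source route-map NAT interface GigabitEthernet8 overload
!
! Interface roles (inside interface name/address and outside mask assumed).
! Without "ip nat inside"/"ip nat outside" nothing is translated, and without
! "crypto map Vendor" on the outside interface nothing is encrypted.
interface GigabitEthernet0
 description Inside LAN
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
interface GigabitEthernet8
 description Outside / ISP
 ip address 64.27.5.1 255.255.255.252
 ip nat outside
 crypto map Vendor
```

To confirm the two stages line up, send traffic from a LAN host to a 188.100.0.x address and check `show ip nat translations | include 188.100` (a 192.168.200.x -> 64.27.5.1 entry should appear) and `show crypto ipsec sa peer 188.150.10.10` (the encaps/decaps counters should increase). Two caveats a practitioner would want: first, overload to the interface address is one-directional, so the vendor can reach your hosts only on connections your side opens; if the vendor must initiate connections, you need a static one-to-one translation to a dedicated public address and the crypto ACL must name that address instead. Second, because access-list 103 permits everything, removing the old NoNAT ACL will also translate traffic for any other tunnel that expects real 192.168.200.x sources, which is why the deny entries above matter.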