
881 and NAT

buzzyng99
Level 1

I'm missing something simple I think.

Scenario:

I have an 881 connected to the internet and am NATing inside 192.168.9.x addresses.

I have five VPN tunnels to various remote sites and everything is working well for outbound initiated sessions.

I have a new VPN tunnel that I need to connect and they are also using the 9.x addresses - I need to NAT to 10.1.9.x

I first tried to ip nat inside source static x.x.x..... route-map NAT_RE

I have a route-map that uses an ACL that permits traffic from 192.168.9.0 to 192.168.1 (their NATed IP).

Appreciate the assistance.

3 Replies

Jennifer Halim
Cisco Employee

If both are using the same subnet, then both ends need to NAT it to a unique subnet. Otherwise, when you are trying to reach an IP address from the same subnet, it will just be routed locally (resolves with ARP) as they are in the same subnet, and the traffic won't even reach the router.

We have NATed both ends. I NAT to a 10.1.9.x and they NAT to a 192.168.1.x. We both use the 192.168.3.x inside network.

What statements are required to NAT the traffic destined for the 192.168.1.x network since I'm missing something?

thanks

access-list 150 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 160 permit ip 192.168.3.0 0.0.0.255 any

route-map nat-rm permit 10

  match ip address 150

route-map nat-rm deny 20

  match ip address 160

ip nat inside source static network 192.168.3.0 10.1.9.0 /24 route-map nat-rm

The crypto ACL should be:

access-list permit ip 10.1.9.0 0.0.0.255 192.168.1.0 0.0.0.255
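
A small Python model of the configuration in the reply above, added here as an illustration and not part of the original thread. It evaluates the route-map and ACLs with Cisco wildcard semantics, applies the static network translation, and then checks the crypto ACL against the translated source, which is the order IOS uses for inside-to-outside traffic; the function names are hypothetical and the test addresses are constructed.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# ACLs from the reply: (source, src wildcard, destination, dst wildcard).
# "any" is written as 0.0.0.0 255.255.255.255. The crypto ACL has no number
# on the page, so it is keyed by a label here.
ACL = {
    150: [("192.168.3.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")],
    160: [("192.168.3.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")],
    "crypto": [("10.1.9.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")],
}
ROUTE_MAP = [("permit", 150), ("deny", 160)]  # nat-rm sequences 10 and 20

def acl_permits(name, src, dst):
    return any(wc_match(src, s, sw) and wc_match(dst, d, dw)
               for s, sw, d, dw in ACL[name])

def route_map_permits(src, dst):
    """First matching sequence decides; no match is an implicit deny."""
    for action, acl in ROUTE_MAP:
        if acl_permits(acl, src, dst):
            return action == "permit"
    return False

def static_network_nat(src, local="192.168.3.0/24", global_="10.1.9.0/24"):
    """Static network NAT swaps the prefix and keeps the host bits."""
    l, g = ipaddress.ip_network(local), ipaddress.ip_network(global_)
    ip = ipaddress.IPv4Address(src)
    if ip not in l:
        return src
    return str(g.network_address + (int(ip) - int(l.network_address)))

def process(src, dst):
    """Return (post-NAT source, True if the crypto ACL selects the packet)."""
    out_src = static_network_nat(src) if route_map_permits(src, dst) else src
    return out_src, acl_permits("crypto", out_src, dst)

if __name__ == "__main__":
    print(process("192.168.3.25", "192.168.1.10"))  # traffic for the new tunnel
    print(process("192.168.3.25", "203.0.113.5"))   # other traffic, rule skipped
```

The model covers only this one static rule; traffic that the route-map denies would still be subject to whatever other NAT statements exist on the router.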