881 Router - Site to Site VPN - Need to NAT traffic

davidsarel
Level 1

I have an 881 ISR router on which I need to configure a site-to-site IPsec VPN with a vendor. The vendor will not accept traffic from RFC 1918 addresses (private addresses), so the outgoing VPN traffic needs to be NATed to a public IP. I'm not sure how to get the VPN to work with NAT. Could anyone help point me in the right direction in accomplishing this?

Is this something that I could do using the Cisco Configuration Professional app, or should I forget that and do it strictly from the CLI?

Thanks for any help.

5 Replies

Jennifer Halim
Cisco Employee

Would be much easier to do it from CLI.

I assume that the traffic will only be initiated from your end towards the vendor? Will the vendor ever initiate any traffic towards your end?

What public IP address do you want to use for this vendor? Do you want to use a specific public IP, or do you not mind just using the existing translation that you have? And lastly, what is the IP address or IP subnet that you need to access at the vendor end?

Please kindly share your config as well, with the answers to the above, and I can help with the actual configuration.

My understanding is that traffic will only be initiated from our end.

I need to use a specific public IP for the VPN. This also happens to currently be the existing translation, but that may change in the near future.

I actually wiped the config because I felt I had messed things up a bit and wanted to start again from scratch. I had been configuring the VPN with CCP, but it seems like that's not going to work for this situation.

Thanks for your response.

OK, that's a lot simpler then, if traffic only needs to be initiated from your end and you already have an existing translation with the same public IP.

In that case, all you need to do is make sure the crypto ACL's source IP address is your NATed public IP address, with the destination being the vendor's subnet.

Ok, I see.

What if the public IP that needs to be used is not part of the existing translations? It's possible that the IP that is currently used will be designated only for VPN traffic, and another IP will be assigned for translations for normal traffic.

Also, what would need to be changed if I wanted two-way VPN connectivity?

Thanks again.

In that case, just configure an ACL for the traffic with a source of your network and a destination of the vendor subnet, and NAT it to a different public IP.

The crypto ACL will then have a source of that public IP and a destination of your vendor subnet.
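The arrangement described in the two replies above (a dedicated NAT rule that translates only vendor-bound traffic to a separate public IP, with the crypto ACL matching that public IP rather than the internal RFC 1918 subnet) looks roughly like the following on an IOS router. This is an added, constructed example and not the original poster's configuration or anything taken from the thread: the addresses are documentation-range placeholders (internal LAN 192.168.1.0/24, dedicated VPN public IP 203.0.113.10, WAN interface 203.0.113.2, vendor peer 198.51.100.1, vendor subnet 192.0.2.0/24), the interface names Vlan1 and FastEthernet4 are assumed for an 881, and the pre-shared key and crypto policy values are placeholders to be replaced with what the vendor agrees to. It works because IOS performs inside-to-outside NAT before the crypto map check on outbound packets, so the crypto ACL sees the already translated source address.

```cisco
! Constructed example; addresses are documentation-range placeholders
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Replace PLACEHOLDER-PSK with the key agreed with the vendor
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1

crypto ipsec transform-set VENDOR-TS esp-aes 256 esp-sha256-hmac
 mode tunnel

! Vendor-bound traffic only: translated to the dedicated VPN public IP
ip access-list extended NAT-VPN
 permit ip 192.168.1.0 0.0.0.255 192.0.2.0 0.0.0.255
ip nat pool VPN-POOL 203.0.113.10 203.0.113.10 netmask 255.255.255.0
ip nat inside source list NAT-VPN pool VPN-POOL overload

! Everything else: translated to the WAN interface address (a different IP)
! The explicit deny keeps the two NAT rules mutually exclusive
ip access-list extended NAT-INTERNET
 deny   ip 192.168.1.0 0.0.0.255 192.0.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-INTERNET interface FastEthernet4 overload

! Crypto ACL matches the post-NAT source (public IP), not 192.168.1.0/24
ip access-list extended CRYPTO-VENDOR
 permit ip host 203.0.113.10 192.0.2.0 0.0.0.255

crypto map VENDOR-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set VENDOR-TS
 match address CRYPTO-VENDOR

! Assumed 881 interface layout: FastEthernet4 is the WAN, Vlan1 the LAN
interface FastEthernet4
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 crypto map VENDOR-MAP

interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
```

After applying it, `show ip nat translations` should show vendor-bound sessions using 203.0.113.10 while other traffic uses 203.0.113.2, and `show crypto ipsec sa` should report the SA's local identity as host 203.0.113.10 rather than the internal subnet; if the crypto ACL had been written with the 192.168.1.0/24 source instead, the translated packets would never match it and would leave the router unencrypted.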