cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
3372
Views
0
Helpful
5
Replies
alex.brown
Beginner

Can Easy VPN Clients Be NAT'ed to Access Subnets Behind Easy VPN Server?

I have some VPN clients that need to access a device on an internal subnet that is not directly connected to the 1801 router acting as the Easy VPN Server.  The router has an internal IP address of 10.20.1.1.  The VPN clients are being assigned addresses from the 10.1.1.0/24 subnet.  The device has an IP of 10.30.1.30 and it is behind a gateway that has an IP of 10.20.1.2.

I cannot modify the routing table of the gateway that has the IP of 10.20.1.2 so that it knows to route 10.1.1.0/24 traffic to 10.20.1.1 because it is not under my control.

Is it possible for me to NAT the VPN client traffic behind the VLAN 1 interface so the device sees the VPN client traffic coming from 10.20.1.1 and knows how to get to that?

I know that assigning the VPN clients IP address from the 10.20.1.0 subnet would work but that subnet is not under my control and that might cause some conflicts.

Thanks for any help you can give.

5 REPLIES 5
praprama
Cisco Employee

Hey,

You should be able to do that. You basically have to overload the PVN client pool to the inside ip address of 10.20.1.1. Assuming the interface the VPN clients connect to is fa0/0 and the interface fa0/1 has ip address of 10.20.1.1. Also, i am guessing you already have ip nat inside on fa0/1 and ip nat outside on fa0/0.

So you will need the following:

ip access-list extended VPN

permit ip 10.1.1.0 0.0.0.255 host 10.30.1.30

ip nat outside source list VPN interface fa0/1 overload.

Hope this helps. Let me know how it goes!

Thanks and Regards,

Prapanch

Prapanch,

Thank you for your response.  Basically, all of your assumptions are correct.  The external interface is FastEthernet0 and the internal interface is VLAN1.  I'm not able to type that command on the 1801 router.  I'm only able to type the following:

          ip nat outside source list VPN pool Test

I'm not even given the opiton to use the "interface" option:

          cisco-1801(config)#ip nat outside source list VPN ?
             pool  Name pool of local addresses

          cisco-1801(config)#

I tried using the following to make it work but it didn't work:

          ip nat pool Test 10.20.1.1 10.20.1.1 netmask 255.255.255.0
          ip nat outside source list 108 pool Test

Do you have any other ideas or see anything I'm missing?

Thanks again.

Hi Alex,

I would have thought of the same thing. Is it working with that config?

Thanks and Regatrds,

Prapanch

No.  It's not working with that config.

What does your "show access-list 108" look like? Try adding the "overload" keyword at the end and see if it helps.

ip nat outside source list 108 pool Test overload

Also, the below link seems to suggest an add-route keyword at the end of the above command which is necessary for this to work:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml

Regards,

Prapanch

Create
Recognize Your Peers
Content for Community-Ad