03-03-2011 07:57 AM
Hi all,
I need help.
I want to make a site-to-site VPN with NAT.
Site A = 10.0.0.0/24
Site B = 10.1.252.0/24
I would like Site A, when it goes to Site B, to be seen as 172.26.0.0/24.
Here is my setup:
access-list inside_nat_outbound extended permit ip 10.0.0.0 255.255.255.0 10.1.252.0 255.255.255.0
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key !!!!!!!!
isakmp keepalive threshold 10 retry 2
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 2 match address inside_nat_outbound
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer x.x.x.x
nat (inside) 10 inside_nat_outbound
global (outside) 10 172.26.0.1-172.26.0.254
but it doesn't work.
Can you help me?
Regards
Frederic
03-03-2011 09:17 AM
Hi,
Let's say we're going to translate Site A to 172.26.0.0/24 and Site B to 172.26.1.0/24
Site A:
access-list NAT permit ip 10.0.0.0 255.255.255.0 172.26.1.0 255.255.255.0
static (in,out) 172.26.0.0 access-list NAT
access-list VPN permit ip 172.26.0.0 255.255.255.0 172.26.1.0 255.255.255.0
Site B:
access-list NAT permit ip 10.1.252.0 255.255.255.0 172.26.0.0 255.255.255.0
static (in,out) 172.26.1.0 access-list NAT
access-list VPN permit ip 172.26.1.0 255.255.255.0 172.26.0.0 255.255.255.0
The ACL VPN is the ACL applied to the crypto map.
Hope it helps.
Federico.
03-04-2011 12:53 AM
Hi,
thanks for your reply. I changed nat and static but it doesn't work.
So on site B, no NAT is needed (because it is not my firewall).
On site B the VPN was built with 10.1.252.0/24 (real inside IP) to 172.26.0.0/24 (NAT IP on site A).
Config on site A now:
access-list nattoyr extended permit ip 10.0.0.0 255.255.255.0 10.1.252.0 255.255.255.0
access-list vpntoyr extended permit ip 172.26.0.0 255.255.255.0 10.1.252.0 255.255.255.0
global (outside) 10 172.26.0.1-172.26.0.254
nat (inside) 10 access-list nattoyr
static (inside,outside) 172.26.0.0 access-list nattoyr
crypto map outside_map 2 match address vpntoyr
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer "public ip"
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
tunnel-group "public ip" type ipsec-l2l
tunnel-group "public ip" ipsec-attributes
pre-shared-key *****
Do you see where I have an error?
Regards
Frederic
03-04-2011 08:09 AM
You need to make sure that there is no NAT 0 ACL statement, because it will take precedence over the static NAT.
You don't need:
global (outside) 10 172.26.0.1-172.26.0.254
nat (inside) 10 access-list nattoyr
because it is going to be replaced by the static NAT.
In short, just have:
access-list nattoyr extended permit ip 10.0.0.0 255.255.255.0 10.1.252.0 255.255.255.0
access-list vpntoyr extended permit ip 172.26.0.0 255.255.255.0 10.1.252.0 255.255.255.0
static (inside,outside) 172.26.0.0 access-list nattoyr
crypto map outside_map 2 match address vpntoyr
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer "public ip"
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
tunnel-group "public ip" type ipsec-l2l
tunnel-group "public ip" ipsec-attributes
pre-shared-key *****
- Make sure there's no NAT 0 ACL including the above statements, and check if NAT is happening (sh xlate) and the traffic is being encrypted (sh cry ips sa)
Federico.
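The two suggestions above (translate Site A to 172.26.0.0/24 with a policy static, point the crypto map at the translated ACL, and remove any overlapping nat 0 exemption) can be checked before the config is pushed. The following is an added example, not code from this thread or from Cisco: a small Python linter for the pre-8.3 ASA `static` / `nat (inside) 0` syntax the posts use. The sample configs are constructed; the `inside_nat0_outbound` exemption in the first one is a hypothetical leftover line, included to show the shadowing that Federico warns about.

```python
import ipaddress
import re

# Added example, not from the thread or from Cisco: a linter for the pre-8.3
# ASA syntax the posts use. It checks the things the accepted answer relies on:
# a policy "static" must not be shadowed by a "nat 0" exemption, and the crypto
# map ACL must match the translated addresses rather than the real inside ones.

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
STATIC_RE = re.compile(r"^static \(\S+,\S+\) (\S+) access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

# Constructed sample: the Site A config from the accepted answer, with one
# hypothetical "nat 0" exemption left behind (the mistake the answer warns about).
SHADOWED_CONFIG = """
access-list nattoyr extended permit ip 10.0.0.0 255.255.255.0 10.1.252.0 255.255.255.0
access-list vpntoyr extended permit ip 172.26.0.0 255.255.255.0 10.1.252.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.1.252.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) 172.26.0.0 access-list nattoyr
crypto map outside_map 2 match address vpntoyr
"""

# The same config with the exemption removed, as in the accepted answer.
FIXED_CONFIG = "\n".join(ln for ln in SHADOWED_CONFIG.splitlines() if "nat0" not in ln)

# Constructed variant of the first post's mistake: the crypto map matches the
# real-address ACL instead of the translated one.
REAL_CRYPTO_CONFIG = """
access-list nattoyr extended permit ip 10.0.0.0 255.255.255.0 10.1.252.0 255.255.255.0
static (inside,outside) 172.26.0.0 access-list nattoyr
crypto map outside_map 2 match address nattoyr
"""


def parse_config(text):
    """Collect ACL entries (name -> [(src, dst)]), nat 0 ACL names,
    policy statics (mapped address, ACL name) and crypto-map match ACLs."""
    acls, nat0, statics, crypto = {}, [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := NAT0_RE.match(line):
            nat0.append(m.group(1))
        elif m := STATIC_RE.match(line):
            statics.append((m.group(1), m.group(2)))
        elif m := CRYPTO_RE.match(line):
            crypto.append(m.group(1))
    return acls, nat0, statics, crypto


def audit(text):
    """Return a list of finding strings; an empty list means the checks passed."""
    acls, nat0, statics, crypto = parse_config(text)
    findings = []
    # A policy static maps the real source to the mapped address using the real
    # source's mask, so 172.26.0.0 with a /24 real network becomes 172.26.0.0/24.
    translations = []
    for mapped, acl in statics:
        for src, dst in acls.get(acl, []):
            mapped_net = ipaddress.ip_network(f"{mapped}/{src.prefixlen}", strict=False)
            translations.append((src, dst, mapped_net, acl))
    # Check 1: an overlapping nat 0 exemption wins, so the static never applies.
    for exempt in nat0:
        for esrc, edst in acls.get(exempt, []):
            for src, dst, _, acl in translations:
                if esrc.overlaps(src) and edst.overlaps(dst):
                    findings.append(f"nat 0 ACL {exempt} shadows static NAT ACL {acl}: "
                                    f"{src} -> {dst} leaves untranslated")
    # Check 2: the crypto ACL must not select traffic by its real (pre-NAT) source.
    for cacl in crypto:
        for csrc, cdst in acls.get(cacl, []):
            for src, dst, mapped_net, acl in translations:
                if csrc.overlaps(src) and cdst.overlaps(dst):
                    findings.append(f"crypto ACL {cacl} matches real source {src}; "
                                    f"static NAT {acl} presents it as {mapped_net}")
    # Check 3: every translated flow must be selected by some crypto ACL, or the
    # mapped traffic is routed out of the outside interface in the clear.
    for src, dst, mapped_net, acl in translations:
        covered = any(mapped_net.subnet_of(csrc) and dst.subnet_of(cdst)
                      for cacl in crypto for csrc, cdst in acls.get(cacl, []))
        if not covered:
            findings.append(f"no crypto ACL matches translated flow {mapped_net} -> {dst}")
    return findings


if __name__ == "__main__":
    for label, cfg in [("shadowed", SHADOWED_CONFIG), ("fixed", FIXED_CONFIG),
                       ("real-address crypto ACL", REAL_CRYPTO_CONFIG)]:
        print(f"{label}: {audit(cfg) or ['ok']}")
```

The linter only reads the lines shown in the thread, so it is a pre-push sanity check rather than a replacement for the runtime verification Federico lists: `sh xlate` still confirms the translation is actually being built, and `sh cry ips sa` still confirms the tunnel is encrypting the translated flow.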
03-04-2011 08:27 AM
Hi Federico,
I deleted nat and global
and it works.
Many thanks for your help.
Regards
Frederic
03-04-2011 08:30 AM
Glad it worked :-)
Please consider rating the thread and mark it as answered if you find it helpful.
Cheers!
Federico.
08-16-2011 07:20 AM
I have tried the suggested above with no luck. My scenario may be a bit different so that is why it is not working. We have a site to site vpn that does not go across the public internet. It is basically going over a layer 2 vlan from site A to site B. The site to site tunnel is up and working. I can ping both ways to hosts. We need to do a NAT so site A sees site B as its network. There are only 2 hosts on site B side.
I removed the Nat 0 statement and tried the static nat statement below. I am unable to ping from site A to site B (e.g., pinging 10.207.1.232 from site A, where the host at site B is 10.207.2.232).
Site A - 10.207.1.x
Site B - 10.207.2.x
Outside A - 192.168.207.1/30
Outside B - 192.168.207.2/30
access-list outside_1_cryptomap extended permit ip 10.207.2.0 255.255.255.0 10.207.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.207.2.0 255.255.255.0 10.207.1.0 255.255.255.0
nat static (inside, outside) 10.207.2.0 inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.207.1
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
Thanks for any insight!