03-03-2011 07:57 AM
Hi all
I need help
I want to make a site-to-site VPN with NAT.
Site A = 10.0.0.0/24
Site B = 10.1.252.0/24
I would like that when site A goes to site B, it is seen with the IP range 172.26.0.0/24.
here is my setup
access-list inside_nat_outbound extended permit ip 10.0.0.0 255.255.255.0 10.1.252.0 255.255.255.0
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key !!!!!!!!
isakmp keepalive threshold 10 retry 2
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 2 match address inside_nat_outbound
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer x.x.x.x
nat (inside) 10 inside_nat_outbound
global (outside) 10 172.26.0.1-172.26.0.254
But it doesn't work.
Can you help me?
Regards
Frederic
03-03-2011 09:17 AM
Hi,
Let's say we're going to translate Site A to 172.26.0.0/24 and Site B to 172.26.1.0/24
Site A:
access-list NAT permit ip 10.0.0.0 255.255.255.0 172.26.1.0 255.255.255.0
static (in,out) 172.26.0.0 access-list NAT
access-list VPN permit ip 172.26.0.0 255.255.255.0 172.26.1.0 255.255.255.0
Site B:
access-list NAT permit ip 10.1.252.0 255.255.255.0 172.26.0.0 255.255.255.0
static (in,out) 172.26.1.0 access-list NAT
access-list VPN permit ip 172.26.1.0 255.255.255.0 172.26.0.0 255.255.255.0
The ACL VPN is the ACL applied to the crypto map.
Hope it helps.
Federico.
03-04-2011 12:53 AM
hi
Thanks for your reply. I changed the nat and static but it doesn't work.
So on site B, I don't need NAT (because it is not my firewall).
On site B the VPN was built with 10.1.252.0/24 (real inside IP) to 172.26.0.0/24 (NAT IP on site A).
Config on site A now:
access-list nattoyr extended permit ip 10.0.0.0 255.255.255.0 10.1.252.0 255.255.255.0
access-list vpntoyr extended permit ip 172.26.0.0 255.255.255.0 10.1.252.0 255.255.255.0
global (outside) 10 172.26.0.1-172.26.0.254
nat (inside) 10 access-list nattoyr
static (inside,outside) 172.26.0.0 access-list nattoyr
crypto map outside_map 2 match address vpntoyr
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer "public ip"
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
tunnel-group "public ip" type ipsec-l2l
tunnel-group "public ip" ipsec-attributes
pre-shared-key *****
Do you see where I have an error?
Regards
Frederic
03-04-2011 08:09 AM
You need to make sure that there's no NAT 0 ACL statement because it will take precedence over the static NAT.
You don't need:
global (outside) 10 172.26.0.1-172.26.0.254
nat (inside) 10 access-list nattoyr
Because it is going to be replaced with the static NAT.
In short just have:
access-list nattoyr extended permit ip 10.0.0.0 255.255.255.0 10.1.252.0 255.255.255.0
access-list vpntoyr extended permit ip 172.26.0.0 255.255.255.0 10.1.252.0 255.255.255.0
static (inside,outside) 172.26.0.0 access-list nattoyr
crypto map outside_map 2 match address vpntoyr
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer "public ip"
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
tunnel-group "public ip" type ipsec-l2l
tunnel-group "public ip" ipsec-attributes
pre-shared-key *****
- Make sure there's no NAT 0 ACL including the above statements, and check if NAT is happening (sh xlate) and the traffic is being encrypted (sh cry ips sa)
Federico.
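Added illustration of the two answers above (the two-sided proposal that translates both sites, and the final one-sided config with only the static); this is not code from any post in the thread. It is a small Python model of the ASA 8.2-style order of operations Federico relies on: a nat 0 exemption is checked before the policy static, and the crypto map ACL is matched against the packet after translation. The prefixes are the thread's; the host addresses used in the checks and the name of the unrelated destination (192.0.2.1) are constructed, and the model ignores interface ACLs, routing and the remote side entirely.

```python
"""Model of ASA 8.2-style policy static NAT + crypto ACL evaluation.

Order of operations reproduced here (simplified):
  1. nat 0 (NAT exemption) access-list  -> packet leaves untranslated
  2. static (inside,outside) <mapped> access-list <nat_acl> -> net-to-net
  3. crypto map ... match address <crypto_acl>, evaluated on the translated packet
"""
from ipaddress import ip_address, ip_network


def acl_matches(acl, src, dst):
    """True if (src, dst) hits any 'permit ip <src-net> <dst-net>' entry."""
    return any(src in s and dst in d for s, d in acl)


def policy_static_translate(src, real_net, mapped_net):
    """Net-to-net static: keep the host bits, swap the network part.

    This is what 'static (inside,outside) 172.26.0.0 access-list nattoyr'
    does for a /24 source in the ACL: 10.0.0.5 becomes 172.26.0.5.
    """
    host_bits = int(src) - int(real_net.network_address)
    return ip_address(int(mapped_net.network_address) + host_bits)


def outbound(src, dst, cfg):
    """Return (source seen on the outside, encrypted?) for one inside->outside packet."""
    src, dst = ip_address(src), ip_address(dst)
    if acl_matches(cfg["nat0"], src, dst):
        out_src = src                      # exemption wins over every other rule
    elif acl_matches(cfg["nat_acl"], src, dst):
        out_src = policy_static_translate(src, cfg["real_net"], cfg["mapped_net"])
    else:
        out_src = src                      # flow not covered by the policy NAT
    encrypted = acl_matches(cfg["crypto_acl"], out_src, dst)
    return str(out_src), encrypted


def check_config(cfg):
    """Lint the pairing the thread converges on: the NAT ACL names real
    addresses, the crypto ACL names translated ones, and no nat 0 entry
    overlaps the policy static for the same flow."""
    problems = []
    for s, _ in cfg["crypto_acl"]:
        if not s.subnet_of(cfg["mapped_net"]):
            problems.append(f"crypto ACL uses pre-NAT source {s}; expected {cfg['mapped_net']}")
    for s, d in cfg["nat0"]:
        if any(s.overlaps(ns) and d.overlaps(nd) for ns, nd in cfg["nat_acl"]):
            problems.append(f"nat 0 entry {s}->{d} overrides the policy static for that flow")
    return problems


SITE_A_REAL = ip_network("10.0.0.0/24")
SITE_A_MAPPED = ip_network("172.26.0.0/24")
SITE_B_REAL = ip_network("10.1.252.0/24")
SITE_B_MAPPED = ip_network("172.26.1.0/24")   # only used in the two-sided variant

# Final one-sided config from the thread: nattoyr (real -> real) drives the
# static, vpntoyr (mapped -> real) is the crypto map match address.
WORKING = {
    "nat0": [],
    "nat_acl": [(SITE_A_REAL, SITE_B_REAL)],
    "real_net": SITE_A_REAL,
    "mapped_net": SITE_A_MAPPED,
    "crypto_acl": [(SITE_A_MAPPED, SITE_B_REAL)],
}

# Same config with a leftover 'nat (inside) 0 access-list ...' covering the
# flow: the exemption wins, the packet leaves as 10.0.0.x, the crypto ACL
# written for 172.26.0.0/24 never matches, and nothing is encrypted.
WITH_NAT0 = dict(WORKING, nat0=[(SITE_A_REAL, SITE_B_REAL)])

# Federico's first (two-sided) proposal, site A half: A talks to B's mapped net.
TWO_SIDED_A = {
    "nat0": [],
    "nat_acl": [(SITE_A_REAL, SITE_B_MAPPED)],
    "real_net": SITE_A_REAL,
    "mapped_net": SITE_A_MAPPED,
    "crypto_acl": [(SITE_A_MAPPED, SITE_B_MAPPED)],
}

if __name__ == "__main__":
    for name, cfg in (("working", WORKING), ("with nat 0", WITH_NAT0), ("two-sided", TWO_SIDED_A)):
        dst = "172.26.1.20" if cfg is TWO_SIDED_A else "10.1.252.10"
        print(name, outbound("10.0.0.5", dst, cfg), check_config(cfg))
```

Running it shows the same thing `sh xlate` and `sh cry ips sa` would on the box: with the exemption in place there is no translation and no SA is ever built, because the crypto ACL is matched on the untranslated source.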
03-04-2011 08:27 AM
Hi federico
I deleted the nat and global
and it works.
many thanks for your help
regards
Frederic
03-04-2011 08:30 AM
Glad it worked :-)
Please consider rating the thread and mark it as answered if you find it helpful.
Cheers!
Federico.
08-16-2011 07:20 AM
I have tried the suggested above with no luck. My scenario may be a bit different so that is why it is not working. We have a site to site vpn that does not go across the public internet. It is basically going over a layer 2 vlan from site A to site B. The site to site tunnel is up and working. I can ping both ways to hosts. We need to do a NAT so site A sees site B as its network. There are only 2 hosts on site B side.
I removed the Nat 0 statement and tried the below static nat statement. I am unable to ping from site A to site B as (ex. pinging 10.207.1.232 from site A where the host at site B is 10.207.2.232).
Site A - 10.207.1.x
Site B - 10.207.2.x
Outside A - 192.168.207.1/30
Outside B - 192.168.207.2/30
access-list outside_1_cryptomap extended permit ip 10.207.2.0 255.255.255.0 10.207.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.207.2.0 255.255.255.0 10.207.1.0 255.255.255.0
nat static (inside, outside) 10.207.2.0 inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.207.1
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
Thanks for any insight!