
Cisco IOS: VPN and NAT (and NAT by Tunnel Traffic)

Robert_Berger
Level 1

Hi,

I need to make a site-to-site tunnel to two customers sharing IP ranges.

1. Tunnel match address

permit ip host 80.x.x.x 10.0.0.0 0.31.255.255

2. Now I also need one with match address

permit ip host 80.x.x.x 10.5.0.0 0.0.1.255

We have NAT outside and route-map and a NO-NAT List...

My understanding is now to use other IP addresses for the 2nd tunnel, like 10.254.0.0/23, and NAT on the other side back to 10.5.0.0/23.

I do not know how to configure this tunnel traffic with NAT on one side for the whole range, mapped host by host (10.254.0.1 = 10.5.0.1, 10.254.0.2 = 10.5.0.2, and so on).

Thanks for your help

Robert

4 Replies

Philip D'Ath
VIP Alumni

It's very hard to understand what you're asking. Perhaps you could post your config and a diagram of what you want to achieve.

The configs are not ready yet.

Scenario:

We have about 15 site-to-site tunnels to customers.

One of our customers has the IP net 10.0.0.0/255.224.0.0/bits 11

Now I have a new customer with the IP net 10.5.0.1/255.255.254.0/bits 23

The net of customer two is in the range of customer one. So I need a way to make a site-to-site tunnel to customer two (to connect, for example, to 10.5.1.3).

What can I do?

I hope this explains more?

Robert

Thanks,

This seems to be a good way. But can I combine this with the existing NAT? Maybe with a route-map, so that only special traffic to 10.254.0.0/23 takes network NAT.

Existing:

ip nat inside source route-map NAT-RMAP interface Ethernet0/0 overload
ip nat inside source static tcp 192.168.100.7 25 85.x.x.x 25 extendable
.....
route-map NAT-RMAP permit 10
 match ip address NO-NAT
ip access-list extended NO-NAT
 deny ip 192.168.100.0 0.0.0.255 192.168.150.0 0.0.0.255
 ....
 permit ip 192.168.100.0 0.0.0.255 any
ip access-list extended VPN-match01
 permit ip host 85.x.x.x 10.0.0.0 0.31.255.255
 ...
ip access-list extended VPN-match02
 permit ip 192.168.100.0 0.0.0.255 192.168.150.0 0.0.0.255

The other router side will also be configured like this. And only the incoming traffic from us needs to be NATed back to 10.5.0.0/23.

Do you have an idea?

Robert
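
Added example (not part of the thread and not any poster's configuration): a Python check of the address plan discussed above. It converts the crypto ACL wildcard masks to prefixes, confirms that 10.5.0.0/23 falls inside 10.0.0.0/11 while the proposed 10.254.0.0/23 alias range does not, and computes the host-by-host mapping. The function names and tunnel labels are assumptions made for this example.

```python
import ipaddress

def acl_net(base, wildcard):
    """Turn an IOS ACL 'address wildcard' pair into an ip_network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # contiguous wildcards are 2**n - 1
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    # strict=True rejects a base address that has host bits set
    return ipaddress.ip_network(f"{base}/{32 - wc.bit_length()}", strict=True)

def overlapping(tunnels):
    """Return label pairs whose crypto ACL destinations overlap."""
    names = sorted(tunnels)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if tunnels[a].overlaps(tunnels[b])]

def translate(addr, src, dst):
    """Static network NAT: swap the prefix, keep the host bits."""
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 network NAT needs equal prefix lengths")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        raise ValueError(f"{addr} is outside {src}")
    return str(dst.network_address + (int(ip) - int(src.network_address)))

# Values from the thread; the labels are hypothetical.
CUST1 = acl_net("10.0.0.0", "0.31.255.255")          # 10.0.0.0/11
CUST2_REAL = acl_net("10.5.0.0", "0.0.1.255")        # 10.5.0.0/23
CUST2_ALIAS = ipaddress.ip_network("10.254.0.0/23")  # proposed alias range

if __name__ == "__main__":
    # Real range collides with customer one; the alias range does not.
    print(overlapping({"cust1": CUST1, "cust2": CUST2_REAL}))
    print(overlapping({"cust1": CUST1, "cust2": CUST2_ALIAS}))
    for host in ("10.254.0.1", "10.254.0.2", "10.254.1.3"):
        print(host, "->", translate(host, CUST2_ALIAS, CUST2_REAL))
```

Running the overlap check against every existing crypto ACL destination before picking an alias range shows whether the new match address can be told apart from the other tunnels.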