07-12-2007 01:21 PM
Hi,
I have the following document about building a LAN2LAN VPN including NAT.
There's no problem doing this with the concentrator. Now I have to configure it on an IOS router, and for that I can't find any information. I have to NAT my private network to one official IP, which has to be tunneled as my local LAN.
Does anyone have documentation about this scenario? I can't find any on the CCO.
Thanks for support
07-12-2007 10:45 PM
Hello.
The concentrators are very friendly units (IMHO) for doing VPNs and VPNs with NAT.
You build an ACL to define the traffic over the VPN (110) based on being NAT'd.
You then create an ACL to define what's NAT'd (111) and create a NAT statement accordingly.
Below is a sample configuration.
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key vpnsrock!! address x.x.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-3DES-SHA
 match address 110
!
interface Fa0
 ip nat outside
 crypto map VPN
!
!
interface fa1
 ip nat inside
!
ip nat inside source list 111 interface fa0 overload
ip route 0.0.0.0 0.0.0.0 y.y.y.y
access-list 110 permit ip fa0-ip wildcard-mask remote-network wildcard-mask
access-list 111 permit ip local-network wildcard-mask remote-network wildcard-mask
!
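Why ACL 110 in the reply above is written against the Fa0 address rather than the local network, shown as an added example that is not part of the original post: on the inside-to-outside path IOS applies NAT before the crypto map is checked, so the crypto ACL only ever sees the translated source. The addresses are constructed documentation ranges and the function names are hypothetical.

```python
import ipaddress

def acl_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard mask are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def permits(acl, src, dst):
    """True if any 'permit ip' entry (src, src_wc, dst, dst_wc) matches."""
    return any(acl_match(src, s, sw) and acl_match(dst, d, dw)
               for s, sw, d, dw in acl)

def outbound(src, dst, nat_acl, crypto_acl, outside_ip):
    """Inside-to-outside path: NAT first, then the crypto map on the
    outside interface compares the translated packet with its ACL."""
    if permits(nat_acl, src, dst):
        # ip nat inside source list 111 interface fa0 overload
        src = outside_ip
    action = "encrypt" if permits(crypto_acl, src, dst) else "cleartext"
    return src, action

# Constructed sample addressing (not from the post)
FA0_IP = "203.0.113.10"
LOCAL = ("192.168.1.0", "0.0.0.255")
REMOTE = ("10.20.0.0", "0.0.255.255")

ACL_111 = [(*LOCAL, *REMOTE)]              # what gets NAT'd
ACL_110 = [(FA0_IP, "0.0.0.0", *REMOTE)]   # crypto ACL on the translated source
ACL_110_PRE_NAT = [(*LOCAL, *REMOTE)]      # crypto ACL written on the pre-NAT source

if __name__ == "__main__":
    host, peer_host = "192.168.1.25", "10.20.3.4"
    print(outbound(host, peer_host, ACL_111, ACL_110, FA0_IP))
    print(outbound(host, peer_host, ACL_111, ACL_110_PRE_NAT, FA0_IP))
```

With the pre-NAT crypto ACL the packet is translated but never matches the crypto map, so it leaves Fa0 unencrypted instead of entering the tunnel.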
07-23-2007 10:56 PM
Thanks for the suggestion,
the solution is working fine.