Duplicate Lan - Vpn Cisco Routers - Need Nat for internet



Need some help - This is the Original setup:

Company A connects to Company B via VPN (configuration below)-- this has been working with no problem.

Company A uses the Cisco router to connect to the internet using Nat


Company A needs to connect via VPN to a new office with a duplicate LAN. Unfortunately I am not sure if applying a separate NAT will do the trick like specified in this article, because I need to use the NAT to access the internet. I understand that NAT comes before crypto, so any suggestion is appreciated.

MyCompanyA #sh run   (This is the router where I need to apply the nat to the Duplicate Lan)

Actual configuration:

crypto isakmp policy 22
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key test123 address
crypto ipsec transform-set company esp-3des esp-md5-hmac
crypto map 3desmap 21 ipsec-isakmp
 set peer
 set transform-set company
 match address companyacl
ip nat pool Internet netmask
ip nat inside source list NAT pool Internet overload
ip route
ip access-list extended NAT
 deny   ip
 permit ip any
ip access-list extended companyacl
 permit ip

So... in a nutshell, how can I NAT my traffic and keep the "other NAT" to browse the internet, without affecting my existing VPN tunnel?

I have access to the 3 Cisco Routers but I can't change my local networks.


3 Replies

Jouni Forss


Is the remote end managed by someone else?

Any idea what sort of device is used on the remote end with the overlapping network?

If you had all these configurations on a PIX or ASA I would say "Policy NAT" but unfortunately I am not that familiar with Router NAT configuration format. I might need to refresh my memory.

Easiest way for you would of course be if the remote end has an actual firewall. Then they could do the NAT for the L2L VPN connection and you wouldn't have to make tricky NAT configurations on a router.

- Jouni

Hi thanks! I didn't give the exact picture, my bad... I have 2 Cisco routers connecting via VPN. We are adding a third office. Let's call it "router C". Router C has a duplicate LAN.

I have control over the 3 routers.

Eventually it will be a fully meshed vpn topology

Router A -- Connects to Router B and Router C

My issue is that Router A has a duplicate LAN configuration with Router C.
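The IOS equivalent of the "Policy NAT" mentioned above is NAT conditioned on a route-map, and the usual pattern for two sites that share a subnet is to have each side present a different, non-overlapping "translated" subnet to the other and to write the crypto ACL against those translated addresses. The fragment below is an added illustration for Router A only; it is not from the thread or from Cisco, and every address in it is assumed: A and C both use 192.168.1.0/24, B uses 192.168.2.0/24, A shows itself to C as 10.10.1.0/24 and sees C as 10.10.3.0/24 (Router C needs the mirror-image static NAT on its side). The existing tunnel to B and the existing overload pool are left untouched.

```cisco
! Router A - added illustration, addresses and names are assumed, not from the thread.
! Assumed: A LAN = C LAN = 192.168.1.0/24, B LAN = 192.168.2.0/24,
!          A-as-seen-by-C = 10.10.1.0/24, C-as-seen-by-A = 10.10.3.0/24

! 1. Keep tunnel traffic out of the internet PAT. The deny toward 10.10.3.0
!    is defensive: the static entry in step 2 is consulted first, but the
!    dynamic ACL should never be allowed to claim tunnel traffic.
ip access-list extended NAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.10.3.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any

! 2. Rewrite 192.168.1.x -> 10.10.1.x only when the destination is C's
!    translated range, so internet and site-B traffic are not affected.
!    Host bits are preserved by the "static network" form.
ip access-list extended TO-SITE-C
 permit ip 192.168.1.0 0.0.0.255 10.10.3.0 0.0.0.255
route-map SITE-C permit 10
 match ip address TO-SITE-C
ip nat inside source static network 192.168.1.0 10.10.1.0 /24 route-map SITE-C

! 3. Crypto ACL for C matches the post-translation addresses, because NAT
!    runs before crypto on the inside-to-outside path (as noted in the question).
ip access-list extended companycacl
 permit ip 10.10.1.0 0.0.0.255 10.10.3.0 0.0.0.255
crypto map 3desmap 22 ipsec-isakmp
 set peer <ROUTER-C-PUBLIC-IP>
 set transform-set company
 match address companycacl

! 4. C's translated range must route out the crypto-map interface.
ip route 10.10.3.0 255.255.255.0 <ISP-NEXT-HOP>

! Unchanged from the original post:
! ip nat inside source list NAT pool Internet overload
```

Hosts on A reach site C by addressing 10.10.3.x, never 192.168.1.x, and hosts on C reach A as 10.10.1.x. After bringing the tunnel up, `show ip nat translations` on A should show 192.168.1.x to 10.10.1.x entries only for flows toward 10.10.3.0/24, while internet flows keep the overload pool address; a flow initiated from site C is the case to check first, since it relies on the static entry being used in the outside-to-inside direction.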

Ah you are using routers.

Was kinda hoping you were using PIX or ASA.

I can't give you an answer, at least straight away. I'm not sure how the NAT would be handled on a router in this situation.

I will let you know if I manage to check it out. Or someone else can provide you with an example

- Jouni
