Duplicate Lan - Vpn Cisco Routers - Need Nat for internet

Ranbeckycr_2
Level 1

Experts,

Need some help. This is the original setup:

Company A connects to Company B via VPN (configuration below); this has been working with no problem.

Company A uses the Cisco router to connect to the internet using NAT.

Challenge:

Company A needs to connect via VPN to a new office with a duplicate LAN. Unfortunately I am not sure if applying a separate NAT will do the trick like specified in this article, because I need to use the NAT to access the internet. I understand that NAT comes before crypto, so any suggestion is appreciated.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

MyCompanyA# sh run   (This is the router where I need to apply the NAT to the duplicate LAN)

Actual configuration:


! Phase 1 (ISAKMP) policy used for the Company B tunnel
crypto isakmp policy 22
 encr 3des
 authentication pre-share
 group 2
!
! Pre-shared key for the Company B peer
crypto isakmp key test123 address 222.25.161.108
!
! Phase 2 transform set
crypto ipsec transform-set company esp-3des esp-md5-hmac
!
! Crypto map: traffic matching companyacl is encrypted to the Company B peer
crypto map 3desmap 21 ipsec-isakmp
 set peer 222.25.161.108
 set transform-set company
 match address companyacl
!
! Internet PAT: everything permitted by ACL "NAT" is overloaded onto 222.25.164.38
ip nat pool Internet 222.25.164.38 222.25.164.38 netmask 255.255.255.252
ip nat inside source list NAT pool Internet overload
ip route 0.0.0.0 0.0.0.0 222.25.164.33
!
! NAT exemption: the deny line keeps LAN-to-Company-B traffic untranslated
! so that it still matches the crypto ACL (NAT is applied before crypto)
ip access-list extended NAT
 deny   ip 10.168.83.0 0.0.0.255 10.168.70.0 0.0.0.255
 permit ip 10.168.83.0 0.0.0.255 any
!
! Crypto ACL: defines the interesting traffic for the Company B tunnel
ip access-list extended companyacl
 permit ip 10.168.83.0 0.0.0.255 10.168.70.0 0.0.0.255


So... in a nutshell, how can I NAT my traffic and keep the "other NAT" to browse the internet without affecting my actual VPN tunnel?

I have access to the 3 Cisco routers but I can't change my local networks.

Thanks!
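The NAT-before-crypto ordering the question relies on, modelled as an added Python example (not from the thread or from Cisco): it evaluates the posted NAT and crypto ACLs in the IOS inside-to-outside order for a few constructed packets, and shows why a host on the duplicate LAN never reaches the router untranslated. Addresses are taken from the posted configuration; the packets and the ACL-without-deny variant are constructed.

```python
# Added example: simulate IOS inside-to-outside packet handling for the
# poster's config. Order on a router: NAT (inside -> outside) runs before
# the crypto map is consulted, so the NAT ACL decides what the crypto ACL sees.
from ipaddress import IPv4Address


def in_wild(addr, network, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def match_acl(acl, src, dst):
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if in_wild(src, s_net, s_wc) and in_wild(dst, d_net, d_wc):
            return action
    return "deny"


# ACLs as posted ("any" is 0.0.0.0 255.255.255.255)
NAT_ACL = [("deny", "10.168.83.0", "0.0.0.255", "10.168.70.0", "0.0.0.255"),
           ("permit", "10.168.83.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]
CRYPTO_ACL = [("permit", "10.168.83.0", "0.0.0.255", "10.168.70.0", "0.0.0.255")]
POOL_IP = "222.25.164.38"            # pool "Internet", overloaded
LOCAL_LAN = ("10.168.83.0", "0.0.0.255")


def forward(src, dst, nat_acl=NAT_ACL):
    """Classify a packet from the local LAN and return (path, source seen on the wire)."""
    if in_wild(dst, *LOCAL_LAN):
        # Same subnet as the sender: the host ARPs for it directly and the router
        # never sees the packet. This is exactly the duplicate-LAN problem with
        # the third office: its 10.168.83.x hosts look local to Company A.
        return ("local", src)
    # Step 1: inside-to-outside NAT. A permit means the source is overloaded
    # onto the pool address; a deny leaves it untouched.
    wire_src = POOL_IP if match_acl(nat_acl, src, dst) == "permit" else src
    # Step 2: crypto map, evaluated on the post-NAT packet.
    if match_acl(CRYPTO_ACL, wire_src, dst) == "permit":
        return ("ipsec", wire_src)
    return ("clear-pat", wire_src)
```

Dropping the `deny` line from the NAT ACL (the constructed variant in the test) shows the failure mode: Company B traffic is translated first and then no longer matches `companyacl`, so it leaves in clear text instead of through the tunnel.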

3 Replies

Jouni Forss
VIP Alumni

Hi,

Is the remote end managed by someone else?

Any idea what sort of device is used on the remote end with the overlapping network?

If you had all these configurations on a PIX or ASA I would say "Policy NAT" but unfortunately I am not that familiar with Router NAT configuration format. I might need to refresh my memory.

Easiest way for you would of course be if the remote end has an actual firewall. Then they could do the NAT for the L2L VPN connection and you wouldn't have to make tricky NAT configurations on a router.

- Jouni

Hi thanks!  I didn't give the exact picture, my bad..... I have 2 Cisco routers connecting via VPN.  We are adding a third office.  Let's call it "router C".  Router C has a duplicate LAN.

I have control over the 3 routers.

Eventually it will be a fully meshed vpn topology

Router A -- Connects to Router B and Router C

My issue is that Router A has a duplicate LAN configuration with Router C.

Ah you are using routers.

Was kinda hoping you were using PIX or ASA.

I can't give you an answer, at least straight away. I'm not sure how the NAT would be handled on a router in this situation.

I will let you know if I manage to check it out. Or someone else can provide you with an example

- Jouni
