04-09-2010 04:18 PM - edited 02-21-2020 04:35 PM
I have the router C2811-NAT as follows:
C2811-NAT:
NAT for Network RED-LAN 192.168.8.0 / 24
VPN Server for any.
VPN Client connects to the LAN by VPN, and connects to internal computers (LAN) fine. In the NAT-R I have the following static route:
ip route 192.168.222.0 255.255.255.240. 8.8.8.9, to reach the RED CUSTOMER # 2.
In the NAT-R router, the VPN network 192.168.222.0 / 29 does NAT to have access to the Internet.
My query is, how do I make the network 192.168.222.0 / 29 do NAT in router C2811? Because once connected to the VPN, my PC is accessible from all network clients of CUSTOMER # 2.
Configuration attached.
04-09-2010 08:02 PM
No, it will not be NATed because the outside interface that you use to terminate the VPN does not have an "ip nat inside" statement. It is an "ip nat outside". Only traffic that is inbound towards an interface that has "ip nat inside" will be NATed out. Traffic from customer# 2 will be routed towards NAT-R then the C2811-NAT router, and it will be encrypted and routed back towards NAT-R and out to the Internet.
Hope that helps.
04-10-2010 06:52 AM
Thanks for the reply,
How do I make clients that connect to the VPN on router C2811-NAT go through this router to the Internet and always have access to internal resources?
I do not want VPN clients to do NAT on the router NAT-R, but to do so on the C2811-NAT.
04-10-2010 03:06 PM
Please disregard the previous message.
I just have a look at the requirement again, and now I am confused on what you are trying to achieve.
OK, let's go back to requirement/assumption:
1) User connects to VPN that terminates on C2811-NAT router, and assigned IP from pool: 192.168.222.0/28.
2) Once connected, they need to be able to access RED LAN, Customer# 2 LAN and the Internet. Is this what you are trying to achieve?
3) On your first post, you said: " In the NAT-R I have the following static route: ip route 192.168.222.0 255.255.255.240. 8.8.8.9, to reach the RED CUSTOMER # 2." ----> I don't see this statement on your config attached, and it doesn't sound correct.
4) What is Customer# 2 LAN subnet?
04-11-2010 03:56 PM
1) User connects to VPN that terminates on C2811-NAT router, and assigned IP from pool: 192.168.222.0/28. (Correct)
2) Once connected, they need to be able to access RED LAN, Customer# 2 LAN and the Internet. Is this what you are trying to achieve?
** Once connected to the VPN, they can get to the RED-LAN, but are unable to ping network CUSTOMER # 2. To enter the network CUSTOMER #, I had to set the static route for the private network (192.168.222.0 / 28) in the router NAT-R: ip route 192.168.222.0 255.255.255.240 8.8.8.9, so it gains access to the network CUSTOMER # 2.
3) On your first post, you said: " In the NAT-R I have the following static route: ip route 192.168.222.0 255.255.255.240. 8.8.8.9, to reach the RED CUSTOMER # 2." ----> I don't see this statement on your config attached, and it doesn't sound correct.
*** Sorry. I did not put the static route in the configuration, and corrected the file with the path included.
4) What is Customer# 2 LAN subnet?
*** 10.10.10.1 255.255.255.0
*** Currently the network 192.168.222.0 / 28 does NAT on the router NAT-R to have Internet, but I want the NAT to be done on the C2811-NAT.
Sorry for my English.
04-11-2010 05:48 PM
With the current configuration, when you VPN in, you should be able to ping customer#2 network (10.10.10.0/24). As far as the configuration is concerned, it looks correct. No changes need to be done anymore.
When you VPN in, can you ping 10.10.10.1? If you can, then that means as far as VPN and NATing is concerned, it's already correct.
04-12-2010 08:21 AM
Thanks for your collaboration in this case. I made another scenario where I simplify the situation a little more.
The client "X" is connected to the VPN without problem on the C2811-NAT router, and can ping all computers on the Internal Network (192.168.8.0 / 24), but does not have Internet!
The ACL 110 excludes the VPN (192.168.222.0) from the NAT process to gain access to the internal network (192.168.8.0 / 24)
ip nat inside source list 110 interface FastEthernet0/1 overload
access-list 110 deny ip 192.168.222.0 0.0.0.15 Any
access-list 110 permit ip 192.168.8.0 0.0.0.255 Any
What would be the proper configuration so that the network 192.168.222.0 /28 has access to the network 192.168.8.0 /24 and also does NAT on the C2811-NAT to have Internet?
*** I do not want to use split tunnel; the Internet should go through the C2811-NAT router.
Attached:
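The following is an added example, not part of any post in this thread. It models the NAT decision for ACL 110 as posted above, combined with the rule from the earlier reply that only traffic entering an "ip nat inside" interface is translated. The sample host addresses and function names are constructed for illustration.

```python
import ipaddress

# ACL 110 as posted: (action, source network, wildcard mask); destination is "any".
ACL_110 = [
    ("deny", "192.168.222.0", "0.0.0.15"),
    ("permit", "192.168.8.0", "0.0.0.255"),
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_action(acl, src):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"

def nat_decision(src, ingress_nat_inside, acl=ACL_110):
    """Return (translated, reason) for 'ip nat inside source list 110 ... overload'."""
    if not ingress_nat_inside:
        return False, "ingress interface is not 'ip nat inside'"
    if acl_action(acl, src) != "permit":
        return False, "source denied by NAT ACL"
    return True, "translated (overload)"

def audit(flows):
    """Map each named flow to its NAT decision."""
    return {name: nat_decision(src, inside) for name, src, inside in flows}

# Constructed sample flows; addresses fall inside the subnets named in the thread.
FLOWS = [
    ("lan-host", "192.168.8.10", True),
    # VPN terminates on the 'ip nat outside' interface, per the earlier reply.
    ("vpn-client", "192.168.222.5", False),
    # Hypothetical: even if VPN traffic entered a NAT inside interface,
    # the first line of ACL 110 still excludes it from translation.
    ("vpn-client-if-inside", "192.168.222.5", True),
]

if __name__ == "__main__":
    for name, (translated, reason) in audit(FLOWS).items():
        print(f"{name:22s} translated={translated!s:5s} {reason}")
```

Both conditions block the VPN pool: the ingress interface and the deny entry in ACL 110, which matches the "can ping the LAN but no Internet" symptom described in the post.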
04-12-2010 11:34 PM
OK, so you would like the vpn to get access to customer# 2 and also internet access.
I would suggest that you configure the NAT on NAT-R router as follows:
ip access-list extended 150
1 deny ip 192.168.222.0 0.0.0.15 10.10.10.0 0.0.0.255
interface FastEthernet1/0
ip nat outside
04-13-2010 08:33 AM
Thank you again for giving your time in this case.
What would be the proper configuration for the second case that I presented, where there is no customer network # 2?
Only the C2811-NAT router, RED LAN 192.168.8.0/24, and clients that connect to the VPN have Internet through the router C2811-NAT?
04-15-2010 07:46 AM
Hello, thanks for your help!
Problem solved thanks to this link I found.
Thank you again for your support.