01-15-2013 06:26 PM
Hi everyone,
I need step by step instructions on how to configure NAT/PAT in a VPN tunnel on a Cisco router. We have to NAT/PAT our local traffic in the VPN because the remote site is using the same IP range and neither of us can change it. The VPN will be through the Internet. I've been searching the internet and the support community and haven't found a complete set of instructions. I've tested it out in a lab but just can't get it to work.
Any help would be much appreciated. Thanks in advance.
01-15-2013 10:50 PM
Site A:
!
! Loopback interface, representing the subnet for one site (overlapping with the other)
!
interface Loopback1
ip address 12.12.12.1 255.255.255.0
ip nat inside
!
interface FastEthernet 0/0
ip nat outside
!
! Here we translate this overlapping subnet to be seen as 10.10.10.0/24 on the other site.
! The other site will have a static route to this subnet.
!
ip nat inside source static network 12.12.12.0 10.10.10.0 /24
!
! Static route to peer's post-NAT network. We did the same config as above on the other site and translated our overlapping subnet to 20.20.20.0/24 there.
!
ip route 20.20.20.0 255.255.255.0 136.1.121.12
!
! Access-List to classify VPN traffic (here we use post-NATed IPs)
!
no ip access-list extended LO1_TO_LO2
ip access-list extended LO1_TO_LO2
permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
Same config on site B
Site B:
!
! NAT Configuration
!
interface Loopback1
ip address 12.12.12.2 255.255.255.0
ip nat inside
!
interface FastEthernet 0/0
ip nat outside
!
ip nat inside source static network 12.12.12.0 20.20.20.0 /24
!
! Static route to peer’s post-NAT network
!
ip route 10.10.10.0 255.255.255.0 136.1.122.12
!
no ip access-list extended LO2_TO_LO1
ip access-list extended LO2_TO_LO1
permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
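As an added illustration (my own Python model, not part of the reply's configuration): the reason the crypto ACLs above use post-NAT addresses is that IOS applies inside-to-outside NAT before it consults the crypto map ACL. The model below runs a packet through both sites' static network NAT and crypto ACLs, and shows that an ACL written against the pre-NAT 12.12.12.0/24 would never select traffic for the tunnel. Addresses are the reply's; the function names are assumptions of this example.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco ACL semantics: a 1 bit in the wildcard mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(acl, src, dst):
    """First matching entry wins; no match means the implicit deny applies."""
    for action, src_base, src_wc, dst_base, dst_wc in acl:
        if wildcard_match(src, src_base, src_wc) and wildcard_match(dst, dst_base, dst_wc):
            return action == "permit"
    return False

def static_network_nat(addr, from_net, to_net, prefix):
    """Model of 'ip nat inside source static network FROM TO /prefix':
    swap the network bits, keep the host bits, leave other addresses untouched."""
    a = int(ipaddress.IPv4Address(addr))
    host_bits = (1 << (32 - prefix)) - 1
    if (a & ~host_bits) != int(ipaddress.IPv4Address(from_net)):
        return addr
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(to_net)) | (a & host_bits)))

# Both sites from the reply: the same overlapping 12.12.12.0/24, different post-NAT ranges.
SITE_A = {"local": "12.12.12.0", "global": "10.10.10.0", "prefix": 24,
          "crypto_acl": [("permit", "10.10.10.0", "0.0.0.255", "20.20.20.0", "0.0.0.255")]}
SITE_B = {"local": "12.12.12.0", "global": "20.20.20.0", "prefix": 24,
          "crypto_acl": [("permit", "20.20.20.0", "0.0.0.255", "10.10.10.0", "0.0.0.255")]}

def send_through_tunnel(site, src, dst):
    """Inside-to-outside order on IOS: source NAT first, then the crypto map ACL.
    Returns (post-NAT source, whether the packet is selected for the tunnel)."""
    nat_src = static_network_nat(src, site["local"], site["global"], site["prefix"])
    return nat_src, acl_permits(site["crypto_acl"], nat_src, dst)

def receive_from_tunnel(site, dst):
    """Outside-to-inside: after decryption the post-NAT destination is mapped
    back to the site's real (overlapping) address."""
    return static_network_nat(dst, site["global"], site["local"], site["prefix"])

def wrong_crypto_acl_example():
    """A crypto ACL written with the pre-NAT subnet never sees the translated packet."""
    pre_nat_acl = [("permit", "12.12.12.0", "0.0.0.255", "20.20.20.0", "0.0.0.255")]
    nat_src, _ = send_through_tunnel(SITE_A, "12.12.12.1", "20.20.20.2")
    return acl_permits(pre_nat_acl, nat_src, "20.20.20.2")
```

Host .1 on site A reaching host .2 on site B sends to 20.20.20.2, leaves A as 10.10.10.1, and is delivered on B to 12.12.12.2; the reverse direction works the same way with the roles swapped.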
01-16-2013 03:09 AM
Thank you for your response. Will this configuration work while also allowing users on site A to have Internet access? I don't have control over site B. The admin there just sent me the VPN config on his side and told me to nat my traffic through the VPN. This is the config on my side.
My network is 192.168.5.0/24
Remote networks are 10.30.21.0/24 and 10.30.26.0/24
I will try the config you sent me in a lab and let you know, but can you please check my config and tell me if this should work. I tried the config below in a lab environment. The remote site just had a normal VPN config. When I issued the show crypto session command, the status was Up-Active but I couldn't ping from my network to the remote network.
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 123456 address 2.2.2.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
!
!
crypto map CMAP 10 ipsec-isakmp
set peer 2.2.2.2
set transform-set TS
match address VPN-TRAFFIC
!
!
!
!
!
!
interface GigabitEthernet0
description WAN
ip address 1.1.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map CMAP
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.5.10 255.255.240.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool vpn-nat_pool 192.168.160.1 192.168.160.254 netmask 255.255.255.0
ip nat inside source list VPN-NAT pool vpn-nat_pool overload
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip nat inside source static tcp 192.168.5.1 80 192.168.160.1 80 extendable
ip nat inside source static tcp 192.168.5.1 2345 192.168.160.1 2345 extendable
ip nat inside source static tcp 192.168.5.1 2346 192.168.160.1 2346 extendable
ip nat inside source static tcp 192.168.5.1 3389 192.168.160.1 3389 extendable
ip nat inside source static tcp 192.168.5.2 80 192.168.160.2 80 extendable
ip nat inside source static tcp 192.168.5.2 2345 192.168.160.2 2345 extendable
ip nat inside source static tcp 192.168.5.2 2346 192.168.160.2 2346 extendable
ip nat inside source static tcp 192.168.5.2 3389 192.168.160.2 3389 extendable
ip nat inside source static tcp 192.168.5.3 80 192.168.160.3 80 extendable
ip nat inside source static tcp 192.168.5.3 2345 192.168.160.3 2345 extendable
ip nat inside source static tcp 192.168.5.3 2346 192.168.160.3 2346 extendable
ip nat inside source static tcp 192.168.5.3 3389 192.168.160.3 3389 extendable
ip nat inside source static tcp 192.168.5.4 80 192.168.160.4 80 extendable
ip nat inside source static tcp 192.168.5.4 2345 192.168.160.4 2345 extendable
ip nat inside source static tcp 192.168.5.4 2346 192.168.160.4 2346 extendable
ip nat inside source static tcp 192.168.5.4 3389 192.168.160.4 3389 extendable
ip route 0.0.0.0 0.0.0.0 190.98.104.45
!
ip access-list extended NAT
deny ip 192.168.5.0 0.0.0.255 10.30.26.0 0.0.0.255
deny ip 192.168.5.0 0.0.0.255 10.30.21.0 0.0.0.255
deny ip 192.168.160.0 0.0.0.255 10.30.26.0 0.0.0.255
deny ip 192.168.160.0 0.0.0.255 10.30.21.0 0.0.0.255
permit ip 192.168.0.0 0.0.15.255 any
ip access-list extended VPN-NAT
permit ip 192.168.5.0 0.0.0.255 10.30.21.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 10.30.26.0 0.0.0.255
ip access-list extended VPN-TRAFFIC
permit ip 192.168.160.0 0.0.0.255 10.30.21.0 0.0.0.255
permit ip 192.168.160.0 0.0.0.255 10.30.26.0 0.0.0.255
!
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address NAT