How to NAT all traffic into a single IP before sending it thru the tunnel?

Hello,

I need to configure a site-to-site VPN using a Cisco 881 router on my end and connecting to an ASA5510 on my supplier's end.

Our supplier has configured their end and I do not have access to their configuration.

They told us we have to NAT all inside addresses to a single address (192.168.89.1) as this is the only one they will let through their firewall/tunnel.

I know how to set up the VPN but not too sure how to set up the NAT part.

My sanitized config is attached. Can you please tell me if the code I am using to NAT my inside network to the single address 192.168.89.1, and send all traffic across the VPN tunnel as this address, is correct? If it is not correct, can you please offer suggestions as to the best way to do this?

With the router running this config the VPN tunnel does not connect.

Thanks in advance!

Mitchell Smith

North Texas Networks.

2 Replies

Jennifer Halim
Cisco Employee

The NAT statements are absolutely spot on correct.

The incorrect bit is the static route statement:

ip route 10.254.254.0 255.255.255.0 122.169.107.22 permanent

Please remove the above route as it should just use the default route.

Please also clear the NAT translation if you haven't already, and test again.

If it still doesn't work, please share the output of:

show cry isa sa

show cry ipsec sa

to see where it breaks.

Hi Jennifer,

Thanks for your reply. I removed the static route and cleared NAT as you suggested.

I still cannot ping the hosts at the other end and the tunnel is not up. Attached is the show crypto you asked to see.

My gut feeling is the problem is at the other end but the people will not share their config with us.

Thanks,

Mitchell
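
The setup discussed in this thread, sketched as an added example; it is not the poster's attached config, which does not appear on the page. Assumptions: the inside LAN 192.168.1.0/24, the interfaces Vlan1 and FastEthernet4, every ACL, pool and crypto map name, and that 10.254.254.0/24 (from the static route) is the supplier's network. Only 192.168.89.1 and 10.254.254.0/24 come from the thread.

```cisco
! Added example. Assumed: inside LAN 192.168.1.0/24, Vlan1 = inside,
! FastEthernet4 = WAN, all object names. From the thread: 192.168.89.1
! and 10.254.254.0/24 (taken here to be the supplier's network).

! 1. Traffic bound for the supplier is overloaded (PAT) onto 192.168.89.1.
ip access-list extended NAT-TO-SUPPLIER
 permit ip 192.168.1.0 0.0.0.255 10.254.254.0 0.0.0.255
ip nat pool SUPPLIER-POOL 192.168.89.1 192.168.89.1 prefix-length 30
ip nat inside source list NAT-TO-SUPPLIER pool SUPPLIER-POOL overload

! 2. All other traffic is overloaded onto the WAN interface address.
!    The deny line keeps supplier-bound traffic out of this rule.
ip access-list extended NAT-TO-INTERNET
 deny   ip 192.168.1.0 0.0.0.255 10.254.254.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-TO-INTERNET interface FastEthernet4 overload

! 3. On the way out IOS translates first and encrypts second, so the
!    crypto ACL must match the post-NAT source, not the real LAN addresses.
ip access-list extended CRYPTO-SUPPLIER
 permit ip host 192.168.89.1 10.254.254.0 0.0.0.255

crypto map SUPPLIER-MAP 10 ipsec-isakmp
 ! "set peer" and "set transform-set" go here, as agreed with the
 ! supplier; those values are not shown in the thread.
 match address CRYPTO-SUPPLIER

interface Vlan1
 ip nat inside
interface FastEthernet4
 ip nat outside
 crypto map SUPPLIER-MAP

! Checks after generating traffic toward 10.254.254.0/24:
!   show ip nat translations   -> inside global should be 192.168.89.1
!   show crypto isakmp sa      -> phase 1 state
!   show crypto ipsec sa       -> local ident should be 192.168.89.1/255.255.255.255
```

Phase 2 only completes if the supplier's ASA defines the mirror-image selector (10.254.254.0/24 to host 192.168.89.1). No static route for 10.254.254.0/24 is needed, since the default route already sends the traffic out the interface that carries the crypto map.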