Hub and Spoke VPN with NAT

rdmedtech
Level 1

Hi! I have a hub and spoke VPN network I need to set up for our clients to access. I have 3 endpoints in this example: VPN Concentrator, Pix 515e, and Linksys RV042. The Concentrator is at our parent company's site, the Pix 515e is at our data center, and the RV042 is at the client's site. What I have currently is a VPN connection between our Pix 515e and the Concentrator and another VPN between our Pix 515e and the RV042. What I need is for the server at the client site (RV042) to talk to the Concentrator network through our Pix 515e. I also need the traffic to be NATed so it looks like it's coming from the same network subnet on our Pix 515e to the Concentrator.

Concentrator (SPOKE): 10.1.6.x

Pix 515e (HUB): 172.16.3.x

RV042 (SPOKE): 192.168.71.x

Pix 515e (HUB):

Outside - 12.34.56.78

Inside - 172.16.1.1

Concentrator (SPOKE):

Outside - 87.65.43.21

Inside - 10.1.6.1

RV042 (SPOKE):

Outside - 150.150.150.150

Inside - 192.168.71.1

The Concentrator allows all traffic from my Pix 515e on subnet 172.16.3.x and vice versa. The RV042 allows all traffic from 172.16.3.x to talk to 192.168.71.x and vice versa. I need to route 192.168.71.5 on the RV042 network to 10.1.6.x on the Concentrator network through the Pix 515e and make it look like it's coming from 172.16.3.71. So I need to NAT that traffic through the tunnel to another tunnel. Attached running config edited for privacy concerns. Any and all assistance is greatly appreciated.

Accepted Solution

kaachary
Cisco Employee

On PIX you need a policy static statement,

access-list nat permit ip host 192.168.71.5 10.1.6.0 255.255.255.0

static (outside,outside) 172.16.3.71 access-list nat

And modify the crypto ACLs appropriately to include the natted address.



Thanks for the reply! I added the lines as you said. Do I also need to NAT the traffic coming back from the Concentrator to the RV042? The RV042 only allows one remote subnet as part of the VPN configuration.

I did as you suggested but I get an error. It is denying pings from the 10.1.6.x network. I have an ACL already in place that allows outside traffic from 10.1.6.x to ping anything on 172.16.3.0 but it still is denying it.

What I added:

access-list nat permit ip host 192.168.71.5 object-group Conventrator-VPN

static (outside,outside) 172.16.3.71 access-list nat 0 0

Any other suggestions?

rdmedtech
Level 1

In case someone else runs across this, I got it working with the suggested changes I made above, plus one additional line:

same-security-traffic permit intra-interface
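Putting the pieces from this thread together as one hub-side configuration. This is an added worked example, not the poster's attached running config or the exact lines from the accepted answer. It assumes PIX OS 7.x (static (outside,outside) and same-security-traffic permit intra-interface exist only from 7.0 onward), interface names inside and outside, and the addresses given in the post; the ACL, crypto-map and transform-set names, the transform set itself, and the IKE settings are assumptions and must be matched to what the peers actually negotiate.

```cisco
! Added example: hub PIX 515e, PIX OS 7.x assumed. Names marked below are
! assumptions, not taken from the original post.

! 1. Hairpin. Both tunnels terminate on "outside", so a packet decrypted from
!    the RV042 tunnel has to leave encrypted on the same interface toward the
!    Concentrator. Without this line the PIX drops any flow that enters and
!    exits the same interface, which matches the "denying pings" symptom.
same-security-traffic permit intra-interface

! 2. Policy NAT. Only 192.168.71.5 -> 10.1.6.0/24 is translated, and only on
!    the outside-to-outside path. static is bidirectional, so a Concentrator
!    host that sends to 172.16.3.71 is un-translated back to 192.168.71.5;
!    no second NAT rule is needed for the return direction.
!    (ACL name POLICY-NAT-RV042 is assumed.)
access-list POLICY-NAT-RV042 extended permit ip host 192.168.71.5 10.1.6.0 255.255.255.0
static (outside,outside) 172.16.3.71 access-list POLICY-NAT-RV042

! 3. Crypto ACL toward the Concentrator. NAT is applied before the crypto map
!    is evaluated on egress, so this ACL must match the TRANSLATED source.
!    172.16.3.71 falls inside 172.16.3.0/24; if the hub-LAN entry were
!    narrower, add an explicit host 172.16.3.71 line here.
!    (ACL name VPN-TO-CONCENTRATOR is assumed.)
access-list VPN-TO-CONCENTRATOR extended permit ip 172.16.3.0 255.255.255.0 10.1.6.0 255.255.255.0

! 4. Crypto ACL toward the RV042. Return packets have already been
!    un-translated to 192.168.71.5 when this ACL is checked, and the RV042
!    only accepts 172.16.3.x as its single remote subnet, so the real
!    addresses belong here and 10.1.6.0/24 must NOT appear.
!    (ACL name VPN-TO-RV042 is assumed.)
access-list VPN-TO-RV042 extended permit ip 172.16.3.0 255.255.255.0 192.168.71.0 255.255.255.0

! 5. Crypto map binding both peers to the outside interface.
!    (Transform set and map name are assumptions; match the peers.)
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-CONCENTRATOR
crypto map OUTSIDE-MAP 10 set peer 87.65.43.21
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 20 match address VPN-TO-RV042
crypto map OUTSIDE-MAP 20 set peer 150.150.150.150
crypto map OUTSIDE-MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! 6. Verification from the hub after 192.168.71.5 sends to a 10.1.6.x host:
!    show xlate               - the policy static should appear as a
!                               192.168.71.5 <-> 172.16.3.71 translation
!    show crypto ipsec sa     - the Concentrator SA should carry the flow
!                               with 172.16.3.71 as the local identity,
!                               the RV042 SA with 192.168.71.0/24
```

Two checks worth doing once this is in place. First, the policy ACL is what scopes the hairpin: keep it to the single host and the single destination subnet, because same-security-traffic permit intra-interface is global and would otherwise let any spoke-to-spoke flow the crypto ACLs and interface ACLs happen to permit transit the hub. Second, confirm the Concentrator's and RV042's own crypto ACLs mirror the hub's (172.16.3.0/24 <-> 10.1.6.0/24 on the Concentrator, 172.16.3.0/24 <-> 192.168.71.0/24 on the RV042); a mismatch on either side shows up as a phase 2 proxy-identity failure rather than as a NAT problem.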
