IOS IPSEC VPN NAT with overlapping networks

clinicare-ca
Level 1

I am trying to do an IPSEC VPN between 2 sites (Main Site and Remote Site). We need NAT due to conflicting networks.

We are doing all the NAT at the Remote site, and zero natting at the Main Site. I do need bi-directional NAT.


What I am trying to accomplish is bi-directional NAT as well as PAT working for these hosts to access the internet.

Network info:

Main Site: 1.1.1.0 /24

Remote site Actual network: 192.168.1.0 /24

Remote site NAT: 172.16.1.0 /24

So I am trying to NAT 192.168.1.0 to 172.16.1.0

This is what I have tried so far and my results:

  1. I have used a route-map to NAT the remote site from 192.168.1.0 to 172.16.1.0 only when it goes to the 1.1.1.0 /24 network.
    1. NAT works fine from Remote -> Main, and PAT works fine for 192.168.1.0 /24 hosts to the internet.
      1. I used a NAT pool with a type match-host to maintain the host octet.
    2. NAT does not work from Main Site to Remote site, unless the remote site establishes a NAT entry, which is not feasible in our environment.
  2. I have used a static NAT entry using network: ip nat inside source static network 172.16.1.0 192.168.1.0 /24 extendable no-alias
    1. This works exactly as expected in terms of bi-directional NAT. I am able to ping from the main and remote sites without needing NAT established, due to the fact this is a static NAT.
    2. The problem with this one is that PAT no longer works. We have the usual PAT setup using a route-map and an overloaded NAT statement for our internet-facing interface.

I think I am going about this the right way, but any thoughts or comments would be helpful in solving this problem.

1 Reply

oszkari
Level 1

Could you post some configs?

Regards,
Oszkar
