IOS IPSEC VPN with NAT - Translation Problem

csimmons
Level 1

I am having an issue with an IOS IPSEC VPN configuration.

/*
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key TEST123 address 205.xx.1.4
!
crypto ipsec transform-set CHAIN esp-3des esp-sha-hmac
!
crypto map CRYPTO-MAP 10 ipsec-isakmp
 set peer 205.xx.1.4
 set transform-set CHAIN
 match address 115
!
interface FastEthernet0/0
 description TO EDGE ROUTER
 ip address 208.xx.xx.33 255.255.255.252
 ip nat outside
 crypto map CRYPTO-MAP
!
interface FastEthernet0/1
 description INTERNAL NETWORK
 ip address 10.15.2.4 255.255.255.0
 ip nat inside
!
access-list 115 permit ip 192.xx.xx.128 0.0.0.3 172.xx.1.0 0.0.0.3
*/

(This configuration is incomplete / NAT configuration needed)

Here is the solution I am looking for:

When a session is initiated from the “Internal Network” to the “IPSEC Remote - 172.xx.1.0/30” network I want the “10.15.0.0/16” address scheme to translate to the NAT addresses “192.xx.xx.128/30” before routing over the IPSEC VPN Tunnel.

Please see "ATTACHED DIAGRAM" for more information.

Any help is greatly appreciated!

Thanks,

Clint Simmons

Network Engineer

2 Accepted Solutions

Karks Raja
Level 1

You can try the following NAT + route-map approach (2nd method in this link):

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

Thanks,

Raja K


rkalia1
Level 1

Probably you need the following:

! NAT ACL: IOS ACLs take wildcard masks (0 = must match), not subnet masks
ip access-list extended NAT
 permit ip 10.15.0.0 0.0.255.255 172.xx.1.0 0.0.0.3
!
route-map NAT_TO_172.xx.1.0 permit 10
 match ip address NAT
!
! "pool" in the nat statement takes a pool name, so define the pool first
ip nat pool NAT_POOL 192.xx.xx.129 192.xx.xx.130 prefix-length 30
ip nat inside source route-map NAT_TO_172.xx.1.0 pool NAT_POOL


4 Replies

Thanks for the response. I did try this approach before. However I will clear the NAT configuration and try again...

/*
ip nat pool CRYPTO-POOL 192.xx.xx.129 192.xx.xx.130 prefix-length 30
ip nat inside source route-map CRYPTO-MAP pool CRYPTO-POOL overload
!
access-list 115 permit ip 192.xx.xx.128 0.0.0.3 172.xx.xx.0 0.0.0.3
access-list 186 permit ip 10.15.2.0 0.0.0.255 172.xx.xx.0 0.0.0.3
!
route-map CRYPTO-MAP permit 10
 match ip address 186
*/

I will respond with the new results later.

Thanks,

Clint

Looks like the problem is resolved per the instructions above.

Thanks for all the help!

Clint
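The point both answers rely on is the forwarding order on the router: for an inside-to-outside packet, IOS applies "ip nat inside source" first and only then evaluates the crypto map's "match address" ACL against the translated packet. That is why ACL 115 (crypto) lists the NAT pool 192.xx.xx.128/30 while ACL 186 (the route-map's NAT ACL) lists the real 10.15.2.0/24 hosts, and why wildcard masks have to be used in those ACLs. The following Python model is an added illustration, not code from this thread or from Cisco; it uses constructed placeholder addresses (192.0.2.x for 192.xx.xx.x and 172.16.1.x for 172.xx.1.x) and a simplified PAT table, and it also shows what happens when the crypto ACL is written against the pre-NAT addresses or when a subnet mask is used where a wildcard mask belongs.

```python
"""Added example (not part of the thread): a toy model of the IOS forwarding
order behind "NAT before IPsec". With "ip nat inside source route-map ... pool
... overload" the inside->outside packet is translated first, and only the
translated packet is compared with the crypto map's "match address" ACL.
Constructed placeholders (192.0.2.x and 172.16.1.x) stand in for the
thread's masked "xx" octets."""
import ipaddress
from dataclasses import dataclass


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS ACL semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


@dataclass(frozen=True)
class AclEntry:
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def acl_permits(acl, src: str, dst: str) -> bool:
    """Permit entries only; an ACL with no matching entry denies."""
    return any(wildcard_match(src, e.src, e.src_wc)
               and wildcard_match(dst, e.dst, e.dst_wc) for e in acl)


class PatPool:
    """'pool ... overload': pool addresses shared, one source port per flow."""
    def __init__(self, first: str, last: str):
        self.addrs = [str(ipaddress.IPv4Address(i))
                      for i in range(_to_int(first), _to_int(last) + 1)]
        self.next_port = 1024
        self.table = {}          # (inside src, port) -> (outside src, port)

    def translate(self, src: str, sport: int):
        key = (src, sport)
        if key not in self.table:
            self.table[key] = (self.addrs[0], self.next_port)
            self.next_port += 1
        return self.table[key]


def forward(src, sport, dst, nat_acl, pool, crypto_acl):
    """Return (outer src, outer sport, encrypted?) as the packet leaves Fa0/0."""
    if acl_permits(nat_acl, src, dst):        # route-map CRYPTO-MAP: match ip address 186
        src, sport = pool.translate(src, sport)
    encrypted = acl_permits(crypto_acl, src, dst)  # crypto map checked after NAT
    return src, sport, encrypted


# Constructed stand-ins for the thread's ACLs 186 (NAT) and 115 (crypto).
ACL_186 = [AclEntry("10.15.2.0", "0.0.0.255", "172.16.1.0", "0.0.0.3")]
ACL_115 = [AclEntry("192.0.2.128", "0.0.0.3", "172.16.1.0", "0.0.0.3")]
# Common mistake: crypto ACL written against the inside (pre-NAT) addresses.
ACL_115_WRONG = [AclEntry("10.15.2.0", "0.0.0.255", "172.16.1.0", "0.0.0.3")]


def demo():
    pool = PatPool("192.0.2.129", "192.0.2.130")
    return {
        # Inside host to the remote LAN: translated, then matched by ACL 115.
        "to_remote": forward("10.15.2.10", 40000, "172.16.1.1", ACL_186, pool, ACL_115),
        # Same host to an unrelated destination: untouched by this route-map, cleartext.
        "to_internet": forward("10.15.2.10", 40001, "203.0.113.5", ACL_186, pool, ACL_115),
        # Crypto ACL on the pre-NAT addresses never matches the translated packet.
        "wrong_crypto_acl": forward("10.15.2.11", 40002, "172.16.1.2", ACL_186, pool, ACL_115_WRONG),
        # Wildcard vs. subnet mask: 255.255.0.0 used as a wildcard keeps only the
        # last two octets, so 10.15.2.10 does not match 10.15.0.0 with it.
        "wildcard_ok": wildcard_match("10.15.2.10", "10.15.0.0", "0.0.255.255"),
        "subnet_mask_misused": wildcard_match("10.15.2.10", "10.15.0.0", "255.255.0.0"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the translated flow leaving as 192.0.2.129 and being selected for encryption, the flow to the unrelated destination leaving untranslated in the clear, and the "wrong" crypto ACL never matching because it only sees post-NAT source addresses.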
