12-12-2008 09:45 AM - edited 02-21-2020 04:04 PM
I am having an issue with an IOS IPSEC VPN configuration.
/*
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key TEST123 address 205.xx.1.4
!
!
crypto ipsec transform-set CHAIN esp-3des esp-sha-hmac
!
!
crypto map CRYPTO-MAP 10 ipsec-isakmp
set peer 205.xx.1.4
set transform-set CHAIN
match address 115
!
interface FastEthernet0/0
description TO EDGE ROUTER
ip address 208.xx.xx.33 255.255.255.252
ip nat outside
crypto map CRYPTO-MAP
!
interface FastEthernet0/1
description INTERNAL NETWORK
ip address 10.15.2.4 255.255.255.0
ip nat inside
access-list 115 permit ip 192.xx.xx.128 0.0.0.3 172.xx.1.0 0.0.0.3
*/
(This configuration is incomplete / NAT configuration needed)
Here is the solution I am looking for:
When a session is initiated from the "Internal Network" to the "IPSEC Remote - 172.xx.1.0/30" network, I want the "10.15.0.0/16" address scheme to translate to the NAT addresses "192.xx.xx.128/30" before routing over the IPSEC VPN Tunnel.
Please see "ATTACHED DIAGRAM" for more information.
Any help is greatly appreciated!
Thanks,
Clint Simmons
Network Engineer
12-12-2008 10:39 AM
You can try the following NAT + route-map approach (2nd method in this link):
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
Thanks,
Raja K
12-12-2008 12:48 PM
Probably you need the following:
ip access-list extended NAT
 permit ip 10.15.0.0 0.0.255.255 172.xx.1.0 0.0.0.3
!
route-map NAT_TO_172.xx.1.0 permit 10
 match ip address NAT
!
! a route-map NAT statement references a named pool, not an address range;
! the pool name NAT_POOL is a placeholder
ip nat pool NAT_POOL 192.xx.xx.129 192.xx.xx.130 prefix-length 30
ip nat inside source route-map NAT_TO_172.xx.1.0 pool NAT_POOL
12-12-2008 01:06 PM
Thanks for the response. I did try this approach before. However, I will clear the NAT configuration and try again...
/*
ip nat pool CRYPTO-POOL 192.xx.xx.129 192.xx.xx.130 prefix-length 30
ip nat inside source route-map CRYPTO-MAP pool CRYPTO-POOL overload
access-list 115 permit ip 192.xx.xx.128 0.0.0.3 172.xx.xx.0 0.0.0.3
access-list 186 permit ip 10.15.2.0 0.0.0.255 172.xx.xx.0 0.0.0.3
route-map CRYPTO-MAP permit 10
match ip address 186
*/
I will respond with the new results later.
Thanks,
Clint
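The reason the route-map ACL above matches the private 10.15.x.x addresses while access-list 115 (the crypto ACL) matches the 192.xx.xx.128/30 pool is the IOS order of operations for inside-to-outside traffic: policy NAT runs before the crypto map is evaluated, so the crypto ACL only ever sees translated sources. The following Python model, which is an added example and not configuration or code from this thread or from Cisco, walks a packet through that order and shows what goes wrong when the NAT ACL is written with subnet masks instead of wildcard masks, when the crypto ACL references the pre-NAT addresses, or when a /16 is translated into a two-address pool without overload. All addresses (10.15.0.0/16, 192.0.2.128/30, 172.16.1.0/30) are constructed stand-ins for the thread's redacted values.

```python
"""Model of IOS inside->outside packet handling: policy NAT (route-map) first,
then crypto-map evaluation. Addresses are constructed stand-ins for the thread's
redacted 10.15.0.0/16, 192.xx.xx.128/30 and 172.xx.1.0/30 (assumption)."""
import ipaddress
from dataclasses import dataclass, field


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS ACL semantics: wildcard bit 1 = 'don't care', bit 0 = must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class AclEntry:
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def acl_permits(acl: list, src: str, dst: str) -> bool:
    """Permit if any entry matches; a non-matching ACL is an implicit deny."""
    return any(wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc)
               for e in acl)


@dataclass
class NatPool:
    addresses: list
    overload: bool
    bindings: dict = field(default_factory=dict)

    def translate(self, inside: str):
        """Outside address for an inside host, or None when a non-overload pool
        is exhausted (IOS drops the packet in that case)."""
        if self.overload:
            return self.addresses[0]          # PAT: one address, many ports
        if inside not in self.bindings:
            if len(self.bindings) >= len(self.addresses):
                return None
            self.bindings[inside] = self.addresses[len(self.bindings)]
        return self.bindings[inside]


def forward(src, dst, nat_acl, crypto_acl, pool):
    """Inside->outside on IOS: route-map NAT runs before the crypto map, so the
    crypto ACL is evaluated against the translated source address."""
    translated = False
    if acl_permits(nat_acl, src, dst):
        new_src = pool.translate(src)
        if new_src is None:
            return {"src": src, "translated": False, "encrypted": False, "dropped": True}
        src, translated = new_src, True
    encrypted = acl_permits(crypto_acl, src, dst)
    return {"src": src, "translated": translated, "encrypted": encrypted, "dropped": False}


# Constructed stand-ins for the thread's pool and ACLs
POOL_ADDRS = ["192.0.2.129", "192.0.2.130"]
NAT_ACL_OK = [AclEntry("10.15.0.0", "0.0.255.255", "172.16.1.0", "0.0.0.3")]
# Same intent written with subnet masks instead of wildcard masks (a common slip)
NAT_ACL_MASKED = [AclEntry("10.15.0.0", "255.255.0.0", "172.16.1.0", "255.255.255.252")]
CRYPTO_ACL_OK = [AclEntry("192.0.2.128", "0.0.0.3", "172.16.1.0", "0.0.0.3")]
# Crypto ACL written against the pre-NAT addresses: never matches after translation
CRYPTO_ACL_PRE_NAT = [AclEntry("10.15.0.0", "0.0.255.255", "172.16.1.0", "0.0.0.3")]


def demo():
    """Run the four scenarios and return their results in order."""
    good = forward("10.15.2.50", "172.16.1.1", NAT_ACL_OK, CRYPTO_ACL_OK, NatPool(POOL_ADDRS, True))
    masked = forward("10.15.2.50", "172.16.1.1", NAT_ACL_MASKED, CRYPTO_ACL_OK, NatPool(POOL_ADDRS, True))
    pre_nat = forward("10.15.2.50", "172.16.1.1", NAT_ACL_OK, CRYPTO_ACL_PRE_NAT, NatPool(POOL_ADDRS, True))
    no_overload = NatPool(POOL_ADDRS, False)   # two addresses, no PAT
    third = [forward(h, "172.16.1.1", NAT_ACL_OK, CRYPTO_ACL_OK, no_overload)
             for h in ("10.15.2.50", "10.15.2.51", "10.15.2.52")][-1]
    return good, masked, pre_nat, third


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In the first scenario the packet is translated to 192.0.2.129 and then matches the crypto ACL, which is the behaviour the thread ends up with. In the second, the subnet-mask ACL never matches 10.15.2.50, so the packet is neither translated nor encrypted and is routed out FastEthernet0/0 in the clear; a `show ip nat translations` and `show crypto ipsec sa` that stay empty while traffic is flowing is the symptom to look for. The third scenario shows why access-list 115 must reference the pool addresses: a crypto ACL that names 10.15.0.0/16 is compared against the already-translated source and fails. The fourth shows that translating a /16 into a two-address pool needs `overload` (as in Clint's final configuration); without it the third inside host finds the pool exhausted and its packets are dropped.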
12-18-2008 10:15 AM
Looks like the problem is resolved per the instructions above.
Thanks for all the help!
Clint