1440 Views, 0 Helpful, 3 Replies

L2L VPN with IP translation

Hello,

I need to establish a LAN-to-LAN VPN, but at the same time my local subnet has to be presented to the other side of the tunnel with a different IP numbering scheme. I know this is possible with ASAs, but I do not know if this is possible with a router.

I have a Cisco 1821 router.

My local LAN: 192.168.203.0/24

Traffic toward destination 10.174.0.0/16 must go inside the VPN tunnel, and this is the easy part.

The problem is that, on the remote side, the IP addresses of my local LAN must be translated to 10.178.54.224/27.

So my question is this: when I write the ACL for interesting VPN traffic, do I have to use my local range 192.168.203.0/24 or the NATted range 10.178.54.224/27?

Besides, I also must have a normal NAT rule to NAT my default traffic in overload mode for non-VPN packets going outside.

Is this NAT rule set correct?

! pool to which my subnet must be translated on the other side of the VPN
! (a pool referenced by "ip nat inside source list ... pool" must be an "ip nat pool", not an "ip local pool")

ip nat pool SEATpool 10.178.54.224 10.178.54.254 netmask 255.255.255.224

!

! normal nat for my LAN

ip nat inside source list 101 interface FastEthernet0/1 overload

!

! specific NAT for destination 10.174.0.0/16 -> 10.178.54.224/27; the outside interface is always Fa0/1
ip nat inside source list SEATnat pool SEATpool

!

! access list to match interesting traffic for the specific NAT

ip access-list extended SEATnat
permit ip 192.168.203.0 0.0.0.255 10.174.0.0 0.0.255.255

!

! access list for normal default NAT

! (destination wildcard is 0.0.255.255 so the whole 10.174.0.0/16 is excluded from the default NAT)
access-list 101 deny ip 192.168.203.0 0.0.0.255 10.174.0.0 0.0.255.255

access-list 101 permit ip 192.168.203.0 0.0.0.255 any

If the NAT configuration above is correct, now I have to write the ACL for the L2L VPN.

Is this ACL correct for matching interesting VPN traffic with IP translation?

access-list 103 permit ip 10.178.54.224 0.0.0.31 10.174.0.0 0.0.255.255

Or is it wrong? Do I have to write this instead?

access-list 103 permit ip 192.168.203.0 0.0.0.255 10.174.0.0 0.0.255.255

thank you

Riccardo

3 Replies

Jennifer Halim
Cisco Employee

Yes, your NAT statement looks absolutely correct and you are on the right track.

For the crypto ACL, you would need to match it against the NATed IP addresses as follows:

access-list 103 permit ip 10.178.54.224 0.0.0.31 10.174.0.0 0.0.255.255

Hope that helps.
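The point in the question and in the answer above is the order of operations on an IOS router's inside-to-outside path: the "ip nat inside" translation is applied before the crypto map is consulted, so the crypto ACL sees the translated source address. The following Python model is an added illustration, not Cisco code and not from anyone in this thread; it reproduces Cisco wildcard-mask matching and top-down ACL evaluation, treats the two "ip nat inside source list" statements as first-match (a deliberate simplification of how IOS picks between overlapping NAT statements), uses the first pool address to stand in for "overload", and uses 203.0.113.1 as a placeholder for the thread's outside address 89.a.b.c. It also lets you check a wildcard mask directly: a wildcard of 0.0.0.255 on 10.174.0.0 covers only 10.174.0.0/24, not the /16 the thread wants.

```python
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def acl_permits(acl, src: str, dst: str) -> bool:
    """Top-down evaluation of an extended ACL with the implicit deny at the end.
    Entries are (action, src_net, src_wc, dst_net, dst_wc)."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False


ANY = ("0.0.0.0", "255.255.255.255")

# The ACLs from the thread: SEATnat, defaultNAT, and the two crypto ACL candidates.
SEATNAT = [
    ("permit", "192.168.203.0", "0.0.0.255", "10.174.0.0", "0.0.255.255"),
    ("deny", "192.168.203.0", "0.0.0.255", *ANY),
]
DEFAULTNAT = [
    ("deny", "192.168.203.0", "0.0.0.255", "10.174.0.0", "0.0.255.255"),
    ("permit", "192.168.203.0", "0.0.0.255", *ANY),
]
CRYPTO_ACL_NATTED = [("permit", "10.178.54.224", "0.0.0.31", "10.174.0.0", "0.0.255.255")]
CRYPTO_ACL_LOCAL = [("permit", "192.168.203.0", "0.0.0.255", "10.174.0.0", "0.0.255.255")]

# Placeholder for the thread's outside interface address 89.a.b.c (documentation range).
OUTSIDE_IF = "203.0.113.1"
# 'overload' (PAT) onto the first pool address; one address is enough for this model.
SEATPOOL_FIRST = "10.178.54.224"

# One entry per 'ip nat inside source list <acl> ...' statement.
# Simplification (assumption): the first statement whose ACL permits the packet wins.
NAT_RULES = [(SEATNAT, SEATPOOL_FIRST), (DEFAULTNAT, OUTSIDE_IF)]


def translate_source(src: str, dst: str, nat_rules=NAT_RULES) -> str:
    """Apply inside-source NAT; packets matched by no statement keep their address."""
    for acl, new_src in nat_rules:
        if acl_permits(acl, src, dst):
            return new_src
    return src


def outbound(src: str, dst: str, crypto_acl, nat_rules=NAT_RULES):
    """Inside-to-outside path: NAT first, then the crypto map match on the
    post-NAT packet. Returns (source on the wire, crypto ACL matched)."""
    new_src = translate_source(src, dst, nat_rules)
    return new_src, acl_permits(crypto_acl, new_src, dst)


if __name__ == "__main__":
    for label, acl in (("crypto ACL on 10.178.54.224/27", CRYPTO_ACL_NATTED),
                       ("crypto ACL on 192.168.203.0/24", CRYPTO_ACL_LOCAL)):
        print(label, "->", outbound("192.168.203.10", "10.174.1.1", acl))
    print("internet-bound ->", outbound("192.168.203.10", "8.8.8.8", CRYPTO_ACL_NATTED))
```

Running it shows the crypto ACL written on 10.178.54.224/27 matching the VPN-bound packet after translation, the ACL written on 192.168.203.0/24 never matching because that address no longer exists when the crypto map is consulted, and Internet-bound traffic leaving on the outside interface address without touching the tunnel.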

Hello,

I tried to do all this in my production system but it does not work.

I first did NAT for my destinations and then applied VPN ACL for the natted addresses but it does not work.

Actually, packets do not reach the remote VPN peer.

Looks like what I can do with an ASA cannot be done with a normal Cisco router?

Where could my mistake be?

Normally I can establish a VPN tunnel with the remote peer when I do not NAT my LAN, but if I include NAT it does not work.

I write down my configuration.

Simply put, my LAN is 192.168.203.0/24 and it has to be translated to 10.178.54.224/27 for the LAN-to-LAN VPN to destination 10.174.0.0/16. My peer is 80.x.y.z.

The configuration below looks OK to me but it does not work; no IP packets reach my peer 80.x.y.z.

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!

crypto isakmp key ********* address 80.x.y.z

!

crypto ipsec transform-set SEATset esp-3des esp-md5-hmac

!

crypto map vpn-lan2lan-cli 5 ipsec-isakmp
set peer 80.x.y.z
set transform-set SEATset
match address SEATvpnACL

!

interface FastEthernet0/0
ip address 192.168.203.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!

interface FastEthernet0/1
ip address 89.a.b.c 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn-lan2lan-cli

!

! NAT pools are defined with "ip nat pool" (an "ip local pool" is not usable by "ip nat inside source list ... pool")
ip nat pool SEATpool 10.178.54.224 10.178.54.254 netmask 255.255.255.224
!

ip route 0.0.0.0 0.0.0.0 89.a.b.h
!

ip nat inside source list SEATnat pool SEATpool overload
ip nat inside source list defaultNAT interface FastEthernet0/1 overload
!

ip access-list extended SEATnat
permit ip 192.168.203.0 0.0.0.255 10.174.0.0 0.0.255.255
deny   ip 192.168.203.0 0.0.0.255 any
!

ip access-list extended SEATvpnACL
permit ip 10.178.54.224 0.0.0.31 10.174.0.0 0.0.255.255
!

ip access-list extended defaultNAT
deny   ip 192.168.203.0 0.0.0.255 10.174.0.0 0.0.255.255
permit ip 192.168.203.0 0.0.0.255 any
!

Maybe I made some mistake in my config?

thank you

Riccardo

Hi Riccardo,

From the configurations, I see that you are rightly translating the 192.168.203.0/24 network to 10.178.54.224/27 while going to the network 10.174.0.0/16 using the following commands:

ip nat pool SEATpool 10.178.54.224 10.178.54.254 netmask 255.255.255.224

ip nat inside source list SEATnat pool SEATpool overload

But I also see that you have configured a NAT exempt rule, which is not required as you want the local network to get translated. Hence I would like you to remove the NAT exempt statement as done below:

ip access-list extended defaultNAT
no deny   ip 192.168.203.0 0.0.0.255 10.174.0.0 0.0.255.255

Please let me know if this helped.

Regards,

Glenn