05-09-2013 11:38 PM - edited 02-21-2020 06:53 PM
Hello all,
I need to change my current VPN configuration from lan-to-lan to host-to-lan and I have a few questions. Maybe someone here can help me.
Current configuration:
SITE A:
- cisco 892
- subnet: 192.168.1.0/24
SITE B:
- cisco concentrator 3000
- subnet 192.168.2.0/24
I have access only on SITE A router.
In this moment all clients from site A can reach site B and vice versa.
Here is my acl from SITE A router:
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Now I need to change the VPN config to:
- IPsec VPN should be configured between 192.168.2.0/24 (SITE B) and 10.1.1.1/32 (IP used to NAT all clients from SITE A to SITE B)
The ACL on the SITE A router should become:
permit ip host 10.1.1.1 192.168.2.0 0.0.0.255
All clients from SITE A who want to reach SITE B are NAT-ed through 10.1.1.1. SITE B cannot reach the SITE A subnet, only 10.1.1.1.
Now the questions :
Should the IP address 10.1.1.1 be configured on a loopback interface?
How do I do the NAT configuration?
Thanks a lot.
05-10-2013 04:01 AM
Hello Richard,
10.1.1.1 will be configured on a loopback interface. Below is a basic config:
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
 ip nat outside
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 23.0.0.2 255.255.255.0
 ip nat outside
 crypto map CMAP
!
ip nat inside source list VPN_NAT_ACL interface Loopback0 overload
!
ip access-list extended VPN_NAT_ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended VPN_TRAFFIC_ENCRYPT
 permit ip host 10.1.1.1 192.168.2.0 0.0.0.255
Best Regards
Please rate all helpful posts and close solved questions
05-10-2013 05:19 AM
Thank you a lot.
I had made almost the same configuration before posting; I had not set ip nat outside on the WAN interface.
Setting nat outside on the WAN interface seems to do the job.
I have one little problem now: I cannot reach 10.1.1.1 from SITE B.
05-10-2013 05:56 AM
Well, you should reach it. Is routing on site B OK? Please check the ACL which identifies interesting traffic for IPsec; it should look like this:
ip access-list extended VPN_TRAFFIC_ENCRYPT
 permit ip 192.168.2.0 0.0.0.255 host 10.1.1.1
NOT like this:
ip access-list extended VPN_TRAFFIC_ENCRYPT
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Best Regards
Please rate all helpful posts and close solved questions
05-10-2013 08:18 AM
The tunnel was up before the NAT, and I was also able to ping 10.1.1.1 from SITE B.
After the NAT, the tunnel is still up; I can ping SITE B from SITE A, but SITE B cannot ping 10.1.1.1.
If I disable the NAT on the SITE A router, then the ping to 10.1.1.1 from SITE B works.
05-10-2013 10:58 AM
Can you provide configuration of site A, possibly site B if you have access?
Best Regards
Please rate all helpful posts and close solved questions
05-12-2013 11:08 PM
Sorry, my mistake. I had a wrong ACL set.
Ping works from SITE B to SITE A as well.
Thank you.
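As an added illustration (not code from the thread), a small Python model of the ACL matching this thread turns on: Cisco wildcard-mask semantics, the NAT overload to Loopback0 from the accepted answer, and the mirrored crypto ACL the follow-up reply asks for. The constant names, the function names and the sample hosts 192.168.1.20 and 192.168.2.5 are constructed for the example; the ordering it assumes (inside-source NAT is applied before the crypto map classifies a packet on the inside-to-outside path) is standard IOS behaviour.

```python
import ipaddress

def parse_ace(line: str) -> tuple:
    """Parse one 'permit ip <src> <dst>' entry in the syntax used on this page.
    Each side is 'host A', 'any', or 'NETWORK WILDCARD' (Cisco wildcard mask)."""
    tok = line.split()
    assert tok[:2] == ["permit", "ip"], line
    def side(i):
        if tok[i] == "host":
            return [tok[i + 1], "0.0.0.0"], i + 2
        if tok[i] == "any":
            return ["0.0.0.0", "255.255.255.255"], i + 1
        return [tok[i], tok[i + 1]], i + 2
    src, i = side(2)
    dst, _ = side(i)
    return tuple(src + dst)

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco ACL semantics: a 1 bit in the wildcard mask is a don't-care bit."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def acl_permits(acl: list, src: str, dst: str) -> bool:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for s_net, s_wc, d_net, d_wc in map(parse_ace, acl):
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return True
    return False

# ACLs from the thread (constructed constants; Loopback0 = 10.1.1.1 is the NAT overload address)
NAT_IP = "10.1.1.1"
NAT_ACL = ["permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"]
SITE_A_CRYPTO_OLD = ["permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"]  # old LAN-to-LAN ACL
SITE_A_CRYPTO_NEW = ["permit ip host 10.1.1.1 192.168.2.0 0.0.0.255"]
SITE_B_CRYPTO_OK = ["permit ip 192.168.2.0 0.0.0.255 host 10.1.1.1"]
SITE_B_CRYPTO_WRONG = ["permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"]

def site_a_outbound(src: str, dst: str, crypto_acl: list) -> tuple:
    """Site A inside->outside: inside-source NAT runs before the crypto map classifies
    the packet, so the crypto ACL must match the post-NAT source. Returns (src, encrypted)."""
    if acl_permits(NAT_ACL, src, dst):
        src = NAT_IP
    return src, acl_permits(crypto_acl, src, dst)

def site_b_outbound(src: str, dst: str, crypto_acl: list) -> bool:
    """Site B has no NAT: its crypto ACL must mirror Site A's (192.168.2.0/24 -> host 10.1.1.1),
    otherwise replies to 10.1.1.1 never match the tunnel and the ping fails."""
    return acl_permits(crypto_acl, src, dst)
```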