NAT interesting traffic with IPSEC Site-to-Site on routers

How do I NAT interesting traffic going through an L2L tunnel? The NATing happens on the same router that the L2L tunnel terminates on. Below is the config for the two routers. I have an ISP in between, but everything is routing and working correctly w/o the NAT. Once I enable the NAT, my tunnel breaks. All other traffic needs to PAT to an interface; I have a NAT exemption for the LAN of the L2L, and built a separate SNAT for the VPN L2L traffic.

ROUTER1 >>>>> ISP <<<<<< ROUTER2

PAT 10.200.0.0/16 OVERLOAD w/exception of 10.200.10.10 (that's the server that is considered interesting traffic to the tunnel)

SNAT 10.200.10.10 to 10.200.10.100

I removed all unnecessary configs such as routing and the server on the corp network, as the tunnel works w/o the NAT, but fails w/ the NAT.

**************************************************************************************************************

hostname VENDOR

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key cisco address 1.100.50.1
!
!
crypto ipsec transform-set VENDOR2 ah-md5-hmac esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map VENDOR 10 ipsec-isakmp
 description VENDOR2
 set peer 1.100.50.1
 set security-association dummy pps 20
 set transform-set VENDOR2
 set pfs group24
 match address 100
!
!
!
interface Ethernet2/1
 description VPN PEER
 ip address 192.168.118.2 255.255.255.252
 duplex full
!
interface Ethernet2/2
 description ISP
 ip address 1.100.118.1 255.255.255.252
 duplex full
 crypto map VENDOR
!
!
!
ip route 0.0.0.0 0.0.0.0 Ethernet2/2 1.100.118.2
!
access-list 100 permit ip host 50.50.50.50 host 10.200.10.10
access-list 100 permit ip host 50.50.50.50 host 10.200.10.100 log-input
access-list 103 permit ip any host 50.50.50.50 log-input

**********************************************************************************************************

!
object-group network Local-LAN
!
object-group network VPN-LAN
 description NAT'd
 host 10.200.10.100
 host 10.200.10.10
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key cisco address 1.100.118.1
!
!
crypto ipsec transform-set VENDOR2 ah-md5-hmac esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map VENDOR 10 ipsec-isakmp
 description VENDOR2
 set peer 1.100.118.1
 set security-association dummy pps 20
 set transform-set VENDOR2
 set pfs group24
 match address 100
!
!
interface Ethernet2/0
 description CORP
 ip address 10.200.50.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
 duplex full
!
interface Ethernet2/5
 description ISP
 ip address 1.100.50.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex full
 crypto map VENDOR
!

ip nat Stateful id 100
ip nat inside source list 10 interface Ethernet2/5 overload
ip nat inside source static network 10.200.10.10 10.200.10.100 /32 no-alias
ip route 10.200.10.100 255.255.255.255 Null0
!
access-list 1 permit 10.200.10.10
access-list 10 deny   10.200.10.10
access-list 10 permit 10.200.0.0 0.0.255.255 log
access-list 100 remark IPSEC
access-list 100 permit ip object-group VPN-LAN host 50.50.50.50 log-input

************************************************************************************************************
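As an added illustration (not from the post or from Cisco), the Python below models the IOS inside-to-outside order of operations, in which inside-source NAT runs before the crypto map is consulted, so a crypto ACL has to match the translated source address. It transcribes ROUTER2's static NAT, PAT ACL 10 and crypto ACL 100 (the object-group expanded by hand) plus ROUTER1's ACL 100, and reports for a given flow whether the post-NAT packet is selected locally and mirrored by the peer; the addresses are the post's, the helper names are assumptions of mine.

```python
import ipaddress
IPv4, Net = ipaddress.IPv4Address, ipaddress.IPv4Network

def wildcard_net(addr, wild):
    """Convert an IOS 'address wildcard' pair into an IPv4Network."""
    mask = str(IPv4(~int(IPv4(wild)) & 0xFFFFFFFF))
    return Net((addr, mask), strict=False)

def parse_ace(line):
    """'permit ip host A host B' / 'permit ip A WILD host B' -> (src_net, dst_net)."""
    tok = line.replace("log-input", "").split()
    nets, i = [], 2                      # skip 'permit ip'
    while len(nets) < 2:
        if tok[i] == "host":
            nets.append(Net(tok[i + 1] + "/32")); i += 2
        elif tok[i] == "any":
            nets.append(Net("0.0.0.0/0")); i += 1
        else:
            nets.append(wildcard_net(tok[i], tok[i + 1])); i += 2
    return nets[0], nets[1]

def translate_source(src, static_nat, pat_acl, pat_ip):
    """Inside-to-outside NAT: static entry wins, else first PAT-ACL match (deny = untranslated)."""
    if src in static_nat:
        return static_nat[src]
    for action, net in pat_acl:
        if IPv4(src) in net:
            return pat_ip if action == "permit" else src
    return src

def crypto_matches(acl, src, dst):
    return any(IPv4(src) in s and IPv4(dst) in d for s, d in acl)

def check_flow(src, dst, static_nat, pat_acl, pat_ip, local_acl, peer_acl):
    """NAT first (as IOS does); return (post-NAT src, matched locally, mirrored by peer)."""
    nat_src = translate_source(src, static_nat, pat_acl, pat_ip)
    return (nat_src, crypto_matches(local_acl, nat_src, dst),
            crypto_matches(peer_acl, dst, nat_src))

# Constructed from the post's ROUTER2 / ROUTER1 configs (object-group expanded by hand)
STATIC_NAT = {"10.200.10.10": "10.200.10.100"}
PAT_ACL = [("deny", Net("10.200.10.10/32")), ("permit", wildcard_net("10.200.0.0", "0.0.255.255"))]
PAT_IP = "1.100.50.1"                    # Ethernet2/5, the 'overload' interface
ROUTER2_CRYPTO = [parse_ace(l) for l in ("permit ip host 10.200.10.100 host 50.50.50.50",
                                          "permit ip host 10.200.10.10 host 50.50.50.50")]
ROUTER1_CRYPTO = [parse_ace(l) for l in ("permit ip host 50.50.50.50 host 10.200.10.10",
                                          "permit ip host 50.50.50.50 host 10.200.10.100 log-input")]

if __name__ == "__main__":
    for src in ("10.200.10.10", "10.200.10.20"):
        print(src, "->", check_flow(src, "50.50.50.50", STATIC_NAT, PAT_ACL, PAT_IP,
                                    ROUTER2_CRYPTO, ROUTER1_CRYPTO))
```

Running it shows the server leaving as 10.200.10.100 and matching both crypto ACLs, while an ordinary PAT'd host leaves as 1.100.50.1 and is correctly not selected for the tunnel; a crypto ACL listing only the pre-NAT 10.200.10.10 would never match.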