NAT internal ip to public in a vpn tunnel

markleibbrandt
Level 1

Hi,

I have been asked to create a VPN with an external customer. They want me to NAT our internal addresses to a public address; why would they want us to do this? We need to allow several network subnets across the tunnel; is it possible to use PAT for this config? We use a Cisco 2821 for our VPN endpoint. Any help would be much appreciated.

3 Replies

rizwanr74
Level 7

Hi there,

Please follow the example shown below.

http://www.booches.nl/2009/01/policy-nat-on-cisco-router/

This will help you.

Thanks

rizwanr74
Level 7

This all boils down to a few policy-NAT statements for VPN-bound traffic.

This example might help you.

- - - - - - - - - - - - - - - - - - - - - - - - - -  - - - - 

! Single public address used to PAT the inside hosts
ip nat pool mypublic-ip 1.1.1.1 1.1.1.1 netmask 255.255.255.255

! Inside traffic bound for the remote LAN: selects what gets translated
ip access-list extended MY-Internal-LAN-access-remote-lan
 permit ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255

! Crypto ACL: matches the translated (post-NAT) source address
ip access-list extended VPN-R2
 permit ip host 1.1.1.1 172.16.2.0 0.0.0.255

ip nat inside source list MY-Internal-LAN-access-remote-lan pool mypublic-ip overload

crypto map CM-VPN-R2 10 ipsec-isakmp
 set peer 212.123.212.10
 set transform-set VPN-TS
 match address VPN-R2

- - - - - - - - - - - - - - - - - - - - - - - - - -  - - - - 

Imagine the number of VPN peers a big enterprise has. Most of them would use the most common private subnets like 10.1.1.0 or 192.168.1.0. It is quite sensible that the network admin prefers to avoid any potential overlapping by requiring PAT to a public address.
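
An added example, not part of the thread: on IOS, inside-to-outside NAT is applied before the crypto map lookup, which is why the posted crypto ACL `VPN-R2` matches `host 1.1.1.1` rather than `10.1.1.0`. This Python check flags a NAT rule whose translated source no crypto ACL entry covers; the function names and both sample configurations are constructed for illustration, and only contiguous wildcard masks are handled.

```python
import ipaddress

# Constructed sample modelled on the thread's configuration.
GOOD = """\
ip nat pool mypublic-ip 1.1.1.1 1.1.1.1 netmask 255.255.255.255
ip access-list extended MY-Internal-LAN-access-remote-lan
 permit ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255
ip access-list extended VPN-R2
 permit ip host 1.1.1.1 172.16.2.0 0.0.0.255
ip nat inside source list MY-Internal-LAN-access-remote-lan pool mypublic-ip overload
crypto map CM-VPN-R2 10 ipsec-isakmp
 match address VPN-R2
"""
# Constructed misconfiguration: the crypto ACL still names the pre-NAT subnet.
BAD = GOOD.replace("permit ip host 1.1.1.1", "permit ip 10.1.1.0 0.0.0.255")

def _net(t):
    """Read one ACL address spec ('host A' or 'A WILDCARD'); return (network, remaining tokens)."""
    if t[0] == "host":
        return ipaddress.ip_network(t[1]), t[2:]
    # ipaddress treats a mask that starts with 0 as a wildcard (host) mask.
    return ipaddress.ip_network(f"{t[0]}/{t[1]}"), t[2:]

def parse(cfg):
    acls, pools, nat, crypto, cur = {}, {}, [], [], None
    for line in filter(str.strip, cfg.splitlines()):
        t = line.split()
        cur = cur if line.startswith(" ") else None   # a top-level command ends an ACL block
        if t[:3] == ["ip", "access-list", "extended"]:
            cur = acls.setdefault(t[3], [])
        elif t[:2] == ["permit", "ip"] and cur is not None:
            src, rest = _net(t[2:])
            cur.append((src, _net(rest)[0]))
        elif t[:3] == ["ip", "nat", "pool"]:
            pools[t[3]] = (ipaddress.ip_address(t[4]), ipaddress.ip_address(t[5]))
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat.append((t[5], t[7]))                  # (ACL name, pool name)
        elif t[:2] == ["match", "address"]:
            crypto.append(t[2])
    return acls, pools, nat, crypto

def unmatched_nat_rules(cfg):
    """Return (NAT ACL, pool) pairs whose translated traffic no crypto ACL entry matches."""
    acls, pools, nat, crypto = parse(cfg)
    entries = [e for name in crypto for e in acls.get(name, [])]
    # The crypto ACL has to match the post-NAT source, i.e. the pool addresses.
    return [(a, p) for a, p in nat for _, dst in acls[a]
            if not any(pools[p][0] in s and pools[p][1] in s and d.overlaps(dst)
                       for s, d in entries)]
```

With the `BAD` variant, the translated packets leave with source 1.1.1.1, fall outside the crypto ACL, and are never encrypted, so the check reports the NAT rule.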