02-20-2015 01:12 AM
Hi,
I have been asked to create a VPN with an external customer. They want me to NAT our internal addresses to a public address; why would they want us to do this? We need to allow several network subnets across the tunnel, so is it possible to use PAT for this config? We use a Cisco 2821 for our VPN endpoint. Any help would be much appreciated.
02-20-2015 09:32 AM
Hi there,
Please follow the example shown below.
http://www.booches.nl/2009/01/policy-nat-on-cisco-router/
This will help you.
thanks
02-22-2015 10:57 AM
This all boils down to a few policy-NAT statements for VPN-bound traffic.
This example might help you.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
! Pool holding the single public address (start and end address are both required)
ip nat pool mypublic-ip 1.1.1.1 1.1.1.1 netmask 255.255.255.255
! Internal LAN traffic bound for the remote LAN that should be translated
ip access-list extended MY-Internal-LAN-access-remote-lan
 permit ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255
! Crypto ACL matches the translated (public) source address
ip access-list extended VPN-R2
 permit ip host 1.1.1.1 172.16.2.0 0.0.0.255
ip nat inside source list MY-Internal-LAN-access-remote-lan pool mypublic-ip overload
crypto map CM-VPN-R2 10 ipsec-isakmp
 set peer 212.123.212.10
 set transform-set VPN-TS
 match address VPN-R2
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
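A fuller version of the policy-NAT approach in the reply above, written as an added example for this thread rather than taken from any of the replies: it PATs several internal subnets (constructed addresses) to one public address for customer-bound traffic only, keeps ordinary Internet PAT on the WAN interface, and matches the crypto ACL on the post-NAT address, since on IOS inside-to-outside NAT happens before encryption. The public address 203.0.113.10, the peer 198.51.100.1, the interface names and the transform set VPN-TS are assumptions; the ISAKMP policy and pre-shared key are assumed to be configured separately.

```cisco
! Single public address the customer will see (constructed placeholder)
ip nat pool VPN-PAT-POOL 203.0.113.10 203.0.113.10 netmask 255.255.255.255

! Internal subnets (constructed) allowed across the tunnel to the customer LAN
ip access-list extended NAT-TO-CUSTOMER
 permit ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255
 permit ip 10.1.2.0 0.0.0.255 172.16.2.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 172.16.2.0 0.0.0.255

! Ordinary Internet PAT: deny customer-bound traffic first so it can never be
! translated to the WAN interface address by this rule
ip access-list extended NAT-TO-INTERNET
 deny   ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255
 deny   ip 10.1.2.0 0.0.0.255 172.16.2.0 0.0.0.255
 deny   ip 192.168.10.0 0.0.0.255 172.16.2.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 10.1.2.0 0.0.0.255 any
 permit ip 192.168.10.0 0.0.0.255 any

! Policy NAT: only traffic matching NAT-TO-CUSTOMER is PATed to the pool
route-map POLICY-NAT-CUSTOMER permit 10
 match ip address NAT-TO-CUSTOMER

ip nat inside source route-map POLICY-NAT-CUSTOMER pool VPN-PAT-POOL overload
ip nat inside source list NAT-TO-INTERNET interface GigabitEthernet0/0 overload

! Crypto ACL must match the post-NAT source: NAT runs before encryption for
! inside-to-outside traffic, so the tunnel only ever carries 203.0.113.10
ip access-list extended VPN-CUSTOMER
 permit ip host 203.0.113.10 172.16.2.0 0.0.0.255

crypto map CM-CUSTOMER 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set VPN-TS
 match address VPN-CUSTOMER

interface GigabitEthernet0/0
 ip nat outside
 crypto map CM-CUSTOMER
interface GigabitEthernet0/1
 ip nat inside
```

With overload, only sessions initiated from your side are translated and carried over the tunnel; if the customer must initiate connections to particular internal hosts, those hosts need static one-to-one NAT entries and matching crypto ACL lines instead.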
02-22-2015 10:57 AM
Imagine how many VPN peers a big enterprise has. Most of them would use the most common private subnets like 10.1.1.0 or 192.168.1.0. It is quite sensible that the network admin prefers to avoid any potential overlap by requiring PAT to a public address.