04-02-2008 12:29 AM - edited 02-21-2020 03:38 PM
A router is making an IPsec connection to two different routers over the internet.
Only a single IP, let's say 172.20.18.25, is allowed over the VPN.
Is it possible to NAT the IP to two different IPs, one for each VPN?
04-02-2008 03:35 AM
Yes it is, although you don't say which device. Assuming a PIX/ASA, you can use policy NAT.
VPN1 remote subnet = 172.16.5.0/24
VPN2 remote subnet = 192.168.5.0/24
access-list vpn1 permit ip host 172.20.18.25 172.16.5.0 255.255.255.0
access-list vpn2 permit ip host 172.20.18.25 192.168.5.0 255.255.255.0
nat (inside) 2 access-list vpn1
nat (inside) 3 access-list vpn2
global (outside) 2 10.5.1.10
global (outside) 3 10.6.1.10
So when going to VPN1, the host 172.20.18.25 would get translated to 10.5.1.0, and if going to VPN2 the host gets translated to 10.6.1.10.
Last thing to note: in your crypto access-list that defines which traffic to encrypt, you need to refer to the NATted address and not the original one, i.e.
access-list vpnt1 permit ip host 10.5.1.10 172.16.5.0 255.255.255.0
access-list vpnt2 permit ip host 10.6.1.10 192.168.5.0 255.255.255.0
Jon
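An added example, not part of the thread: a small Python check that parses the PIX/ASA lines from the answer above and confirms that each policy NAT flow matches a crypto access-list on its translated source address. The function names and the offline-check approach are assumptions of this example, and it handles only the three line forms shown in the answer.

```python
import ipaddress

# The PIX/ASA lines from the answer above, used as sample input.
CONFIG = """\
access-list vpn1 permit ip host 172.20.18.25 172.16.5.0 255.255.255.0
access-list vpn2 permit ip host 172.20.18.25 192.168.5.0 255.255.255.0
nat (inside) 2 access-list vpn1
nat (inside) 3 access-list vpn2
global (outside) 2 10.5.1.10
global (outside) 3 10.6.1.10
access-list vpnt1 permit ip host 10.5.1.10 172.16.5.0 255.255.255.0
access-list vpnt2 permit ip host 10.6.1.10 192.168.5.0 255.255.255.0
"""

def parse(config):
    """Return (acls, nat, globals) from the three line forms used above."""
    acls, nat, glob = {}, {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["permit", "ip", "host"]:
            # ACL name -> (source host, destination network)
            acls[t[1]] = (ipaddress.ip_address(t[5]),
                          ipaddress.ip_network(f"{t[6]}/{t[7]}"))
        elif t[:1] == ["nat"] and t[3:4] == ["access-list"]:
            nat[t[2]] = t[4]                         # NAT id -> policy ACL name
        elif t[:1] == ["global"]:
            glob[t[2]] = ipaddress.ip_address(t[3])  # NAT id -> translated IP
    return acls, nat, glob

def check(config, crypto_acls):
    """Map each policy NAT ACL to the crypto ACL that matches the packet as it
    looks after translation. None means no crypto ACL matches that flow."""
    acls, nat, glob = parse(config)
    result = {}
    for nat_id, acl_name in nat.items():
        _, dest_net = acls[acl_name]
        translated = glob[nat_id]
        result[acl_name] = next(
            (name for name in crypto_acls
             if acls[name][0] == translated
             and dest_net.subnet_of(acls[name][1])), None)
    return result

if __name__ == "__main__":
    print(check(CONFIG, ["vpnt1", "vpnt2"]))
```

A `None` in the result flags a crypto access-list that still refers to the original address instead of the translated one.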
04-02-2008 04:14 AM
Thanks for your reply.
I'm using a 3825 ISR, so it's an IOS device.
Can you help me out with the configs on the router?