
NAT with VPN

ithelpdesk
Level 1

Okay, I hope I can sound straightforward with this question. I have a site-to-site VPN set up with a client. This is my IPsec gateway, 199.178.216.5 (outside interface). I gave them an encryption domain of 199.178.216.5. Here is what my NAT command statements look like:

nat-control

global (outside) 1 199.178.216.100

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

My question is: does the VPN tunnel NAT to 199.178.216.100? Can I make global (outside) 1 199.178.216.5 for just this tunnel?

Accepted Solution

Jennifer Halim
Cisco Employee

Yes, you can.

You can configure policy NAT.

For example, your local subnet is 10.10.10.0/24, and remote subnet is 192.168.10.0/24, and you would like to NAT your local subnet of 10.10.10.0/24 to 199.178.216.5.

access-list nat-to-clientvpn permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (inside) 2 access-list nat-to-clientvpn

global (outside) 2 199.178.216.5

Then "clear xlate" after the above changes.

Assuming that the traffic is always initiated from your end to access the remote end. The remote end can't initiate a connection towards your end.


5 Replies

Thanks to everyone that helped!!!

abcdrohan
Level 1

This is what you will need:

Assuming your local subnet is 192.168.10.0/24 and the remote subnet is 192.168.20.0/24.

Create the policy NAT ACL and bind it to its own NAT ID:

access-list policy_nat_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

nat (inside) 2 access-list policy_nat_acl

global (outside) 2 199.178.216.100

The crypto ACL in the crypto map will be:

access-list crypto_acl extended permit ip host 199.178.216.100 192.168.20.0 255.255.255.0

Make sure that traffic from 192.168.10.0/24 to 192.168.20.0/24 is NOT part of the NAT exemption ACL.

Only your side will be able to initiate the tunnel.

ithelpdesk
Level 1

One more question: can I have another VPN tunnel NAT to the same address 199.178.216.5? When I try to add the following statement, nat (inside) 2 access-list nat-to-newvpntunnel, I get this message: "Only one access-list can be associated with each Nat ID".

You can just use the existing access-list and add another ACL line.

If your existing NAT ACL is called "nat-to-clientvpn", just add another line with the same name for the other VPN tunnel.
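Putting the accepted answer, abcdrohan's note about the crypto ACL and the exemption list, and the shared-ACL follow-up together, here is a complete ASA 8.2-style configuration. It is an added example, not configuration from the thread or from Cisco. It keeps the local LAN 10.10.10.0/24 and first remote network 192.168.10.0/24 from the accepted answer and the outside address 199.178.216.5 from the question; the second tunnel to 192.168.20.0/24, the peer addresses 203.0.113.10 and 203.0.113.20, the interface names, the ACL and crypto map names, and the 172.16.0.0/24 network reached without NAT are all assumptions chosen for illustration. The global for NAT ID 2 names the outside address with the `interface` keyword, the same form the question already uses for NAT ID 1.

```cisco
! Added example (not from the original thread). ASA 8.2 NAT syntax.
! Local LAN 10.10.10.0/24 sits behind "inside"; "outside" is 199.178.216.5.
! Tunnel A remote: 192.168.10.0/24 (from the accepted answer).
! Tunnel B remote: 192.168.20.0/24 (assumed). Peer addresses are assumed.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 199.178.216.5 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
nat-control
!
! Regular dynamic NAT for all other Internet-bound traffic (NAT ID 1).
global (outside) 1 199.178.216.100
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Policy NAT for the tunnels: one ACL, one NAT ID, one line per tunnel.
! Both tunnels hide 10.10.10.0/24 behind the outside address 199.178.216.5.
access-list nat-to-clientvpn extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nat-to-clientvpn extended permit ip 10.10.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 2 access-list nat-to-clientvpn
global (outside) 2 interface
!
! NAT exemption is matched before policy NAT, so the two tunnel networks
! above must NOT appear here. 172.16.0.0/24 is an assumed third site that
! is reached with real addresses and therefore belongs in the exemption list.
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Crypto ACLs describe the traffic as the remote peer sees it: the translated
! host 199.178.216.5, not the real 10.10.10.0/24.
access-list crypto-tunnel-a extended permit ip host 199.178.216.5 192.168.10.0 255.255.255.0
access-list crypto-tunnel-b extended permit ip host 199.178.216.5 192.168.20.0 255.255.255.0
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address crypto-tunnel-a
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 20 match address crypto-tunnel-b
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 20 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <key-for-tunnel-a>
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key <key-for-tunnel-b>
!
! After changing any nat/global line, drop existing translations so the
! new rules take effect for current flows (exec mode):
!   clear xlate
```

Because NAT ID 2 translates the whole LAN to a single address with PAT, the remote peers only ever see 199.178.216.5 with changing source ports, which is why both answers state that only your side can initiate the connection. To check that a flow is being translated by the policy rule and not by the exemption list, bring up traffic to 192.168.10.0/24 and confirm with `show xlate` that an entry maps a 10.10.10.x host to 199.178.216.5, and with `show crypto ipsec sa` that the encapsulated packet count for crypto-tunnel-a is increasing.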