NATing Traffic from S2S VPN with one interface

steffenfenger (Level 1)

Hello Everyone,

I have some trouble getting NAT working on my Cisco C921-4P running 15.8(3)M2.

Here is my network overview:

ASA Firepower 1120 (172.16.1.254/24) <-> [VPN to C921] <-> 3rd party router <-> C921 (192.168.10.33/24). The IPsec VPN is working fine. I have access to the router behind the ASA.

My problem is reaching the hosts in 192.168.10.0/24 without adding routes on the hosts or the 3rd party router. So I would like to NAT a specific source IP from the 172.16.1.0/24 network to the router IP to reach any host in 192.168.10.0/24.

For example:

S: 172.16.1.56 D: 192.168.10.0/24 -> NAT -> S: 192.168.10.33 D: 192.168.10.0/24.

I have found only examples with inside and outside interfaces, but in my case the router runs with one interface.

Here is the router config:

crypto ikev2 proposal ulo_default_proposal
encryption aes-gcm-256
prf sha256
group 19 20 21
!
crypto ikev2 policy ulo_default_policy
match address local 192.168.10.33
proposal ulo_default_proposal
!
!
crypto ikev2 profile ulo_vpn_profile
match address local 192.168.10.33
match identity remote address 1.1.1.1 255.255.255.255
authentication remote pre-share key 12345
authentication local pre-share key 12345
lifetime 28800
!
!
!
!
!
crypto ipsec security-association lifetime kilobytes disable
!
crypto ipsec transform-set ulo_default_transform-set esp-gcm 256
mode tunnel
!
!
!
crypto map ulo_vpn 200 ipsec-isakmp
set peer 1.1.1.1
set transform-set ulo_default_transform-set
set pfs group21
set ikev2-profile ulo_vpn_profile
match address 122
!
!
!
!
!
interface GigabitEthernet0
switchport access vlan 70
switchport mode access
no ip address
no mop enabled
!
interface GigabitEthernet1
switchport access vlan 1000
switchport mode access
no ip address
!
interface GigabitEthernet2
no ip address
shutdown
!
interface GigabitEthernet3
no ip address
shutdown
!
interface GigabitEthernet4
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet5
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan70
no ip address
!
interface Vlan1000
ip address 192.168.10.33 255.255.255.0
crypto map ulo_vpn
!
!
ip forward-protocol nd
no ip http server
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.10.254
ip route 172.16.1.0 255.255.255.0 192.168.10.254 permanent
ip route 192.168.140.0 255.255.255.0 192.168.138.254
ip ssh version 2
ip scp server enable
!
ip sla 100
icmp-echo 172.16.1.90 source-interface Vlan1000
ip sla schedule 100 life forever start-time now
ipv6 ioam timestamp
!
!
access-list 122 permit ip 192.168.10.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 122 permit ip 172.16.1.0 0.0.0.255 192.168.10.0 0.0.0.255

Thanks for the help.


3 Replies

Change the VPN you use from an S2S policy-based VPN to a VTI route-based VPN.
This will give you an additional IP header which is known by the 3rd party router.
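
As an added worked example (an editor's addition, not part of the original thread or the poster's config): the IOS configuration for the route-based VTI suggested in the reply above, combined with "NAT on a stick" so that traffic arriving over the VPN leaves Vlan1000 with source 192.168.10.33. It reuses the poster's names (ulo_vpn_profile, ulo_default_transform-set, Vlan1000, peer 1.1.1.1, host 172.16.1.56); the IPsec profile name ulo_vti_profile, the tunnel subnet 10.255.255.0/30, the standard ACL number 10 and the <strong-psk> placeholder are assumptions. The trick is the NAT direction: the tunnel is the NAT inside interface and the single LAN-facing SVI is the NAT outside interface, so the "one interface" problem from the original post goes away because the VTI gives NAT a second interface to work with.

```cisco
! Added example, not the poster's running config. Names reused from the post;
! ulo_vti_profile, 10.255.255.0/30, ACL 10 and <strong-psk> are assumptions.
!
! 1. Remove the policy-based pieces. The crypto map must come off the SVI
!    before it can be deleted, and the old static route via the 3rd party
!    router must go so 172.16.1.0/24 is reached through the tunnel instead.
interface Vlan1000
 no crypto map ulo_vpn
!
no crypto map ulo_vpn 200
no access-list 122
no ip route 172.16.1.0 255.255.255.0 192.168.10.254
!
! 2. IKEv2 profile as in the post, but with a real pre-shared key
!    (12345 is only a placeholder-grade secret).
crypto ikev2 profile ulo_vpn_profile
 match address local 192.168.10.33
 match identity remote address 1.1.1.1 255.255.255.255
 authentication remote pre-share key <strong-psk>
 authentication local pre-share key <strong-psk>
 lifetime 28800
!
! 3. IPsec profile: same transform set, PFS group and IKEv2 profile that the
!    crypto map used, now bound to the tunnel interface instead.
crypto ipsec profile ulo_vti_profile
 set transform-set ulo_default_transform-set
 set pfs group21
 set ikev2-profile ulo_vpn_profile
!
! 4. The VTI. It is the NAT *inside* interface: packets from the ASA side are
!    "inside -> outside" from NAT's point of view, so their source address is
!    translated after routing and replies are un-translated before routing.
interface Tunnel0
 ip address 10.255.255.2 255.255.255.252
 ip nat inside
 tunnel source Vlan1000
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile ulo_vti_profile
!
! 5. The LAN-facing SVI is the NAT *outside* interface. Replies from the
!    192.168.10.x hosts go to 192.168.10.33, which this router owns, so neither
!    the hosts nor the 3rd party router need a route to 172.16.1.0/24.
interface Vlan1000
 ip nat outside
!
! 6. Only the remote source(s) that should be translated. The first line limits
!    it to the host from the post; the commented line would cover the subnet.
access-list 10 permit host 172.16.1.56
! access-list 10 permit 172.16.1.0 0.0.0.255
ip nat inside source list 10 interface Vlan1000 overload
!
! 7. Remote subnet now lives behind the tunnel, not behind 192.168.10.254.
ip route 172.16.1.0 255.255.255.0 Tunnel0
```

Once applied, show crypto ikev2 sa and show crypto ipsec sa should show the SA on Tunnel0 with 0.0.0.0/0 <-> 0.0.0.0/0 selectors, and show ip nat translations should list 172.16.1.56 mapped to 192.168.10.33 as soon as traffic flows. Three caveats: an IOS SVTI negotiates any/any selectors, so the peer must terminate the tunnel as a VTI as well (a policy-based crypto map with ACL 122 on the ASA side will no longer match; check that the Firepower's software release supports VTI before touching the working tunnel); with PAT (the overload keyword) only the ASA side can initiate connections, because the 192.168.10.x hosts have no address through which to reach 172.16.1.56; and the router-sourced IP SLA probe to 172.16.1.90 will now also ride the tunnel sourced from 192.168.10.33, which the far side must permit.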

Hi,

Thanks for the reply. Is VTI the only way I can solve my problem?

I have not implemented a VTI with Cisco yet.

Kind regards

(Accepted Solution) No, there is another solution, but it needs a LO, and the FPR (as far as I know until now) does not support a LO.