Problem with NAT session between remote users and site behind an IPsec tunnel.

Hi all,

I would like to know what is necessary in my Cisco IOS Easy VPN configuration in order to allow remote users access to more than one server on site B. I set up the Easy VPN configuration with the DVTI, but I have the issue that remote users can initiate just one IP session with hosts of site B (just one NAT translation is available).

Traffic from site A to site B has to be NATted to an IP address in order to be allowed by the site B router. I set up the router in site A as described below:

ip nat pool REMOTO_SERVI 172.18.235.33 172.18.235.33 netmask 255.255.255.0

ip nat inside source route-map REMOTO_SERVI pool REMOTO_SERVI overload

access-list 105 permit ip 192.168.98.0 0.0.0.255 172.18.240.0 0.0.15.255

access-list 105 permit ip host 172.18.235.33 172.18.240.0 0.0.15.255

route-map REMOTO_SERVI permit 10

match ip address 105

Is this possible?

This is the topology scheme:

EASY_VPN.jpg

Can anyone help me?

Thanks in advance,

2 Replies

mopaul
Cisco Employee

I see an issue with the statement below:

access-list 105 permit ip host 172.18.235.33 172.18.240.0 0.0.15.255

I understand that you want all your user traffic from site A 192.168.98.0/24 to be PATted (NAT overload) to 172.18.235.33 over the IPsec tunnel to access servers on site B (172.18.240.0 0.0.15.255). If this is correct, then do the following config.

config t

no access-list 105 permit ip host 172.18.235.33 172.18.240.0 0.0.15.255

Create a new access rule, let's say 106 (assuming there is no access rule 106 already; if there is, you can use any other ACL number in the rule below):

access-list 106 permit ip host 172.18.235.33 172.18.240.0 0.0.15.255

Now, call access-list 106 under the crypto configuration to match the VPN traffic. The router on site B should have a mirror of ACL 106 for the VPN.

HTH

Please do rate all helpful posts

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries
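As an added illustration of the ordering Mohit describes (this is example configuration written for this thread, not configuration posted by either participant): on Cisco IOS, inside-to-outside NAT is applied before the crypto map is checked, so the NAT ACL must list the private sources (192.168.98.0/24 and the site A LAN) while the crypto ACL towards site B must match the translated address 172.18.235.33. The pool, ACL numbers and subnets are taken from the thread; the interface names, the crypto map name CM_SITEB, the peer address 203.0.113.1, the transform set name TS and the IPsec profile name EZVPN_PROF are assumptions.

```cisco
! Added example for this thread. Assumed names: GigabitEthernet0/0 (outside),
! GigabitEthernet0/1 (site A LAN), Virtual-Template1 (Easy VPN DVTI),
! crypto map CM_SITEB, peer 203.0.113.1, transform set TS, profile EZVPN_PROF.
!
! --- NAT: every inside source going to site B is translated to 172.18.235.33 ---
ip nat pool REMOTO_SERVI 172.18.235.33 172.18.235.33 netmask 255.255.255.0
ip nat inside source route-map REMOTO_SERVI pool REMOTO_SERVI overload
!
! ACL 105 is evaluated BEFORE translation, so it lists private sources only.
! A "host 172.18.235.33" entry can never match here, because no inside host
! sends packets from that address; it belongs in the crypto ACL instead.
access-list 105 permit ip 192.168.3.0 0.0.0.255 172.18.240.0 0.0.15.255
access-list 105 permit ip 192.168.98.0 0.0.0.255 172.18.240.0 0.0.15.255
route-map REMOTO_SERVI permit 10
 match ip address 105
!
! --- Crypto ACL: evaluated AFTER translation, so it matches the NATted address ---
access-list 106 permit ip host 172.18.235.33 172.18.240.0 0.0.15.255
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map CM_SITEB 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 106
!
! --- Interfaces: decrypted Easy VPN client traffic arrives on the virtual-access
! interface cloned from this template, so that interface is "ip nat inside";
! the site-to-site tunnel to site B leaves through the physical outside interface.
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 ip nat inside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN_PROF
!
interface GigabitEthernet0/1
 description site A LAN
 ip nat inside
!
interface GigabitEthernet0/0
 description outside
 ip nat outside
 crypto map CM_SITEB
```

To check the result after a remote client opens sessions to two different site B hosts, `show ip nat translations` on the site A router should list the client's 192.168.98.x address translated to 172.18.235.33 with a distinct source port per session, and `show crypto ipsec sa` should show the encaps counter for the 172.18.235.33 -> 172.18.240.0/20 SA increasing. If the translations appear but the SA counters do not move, the crypto ACL (or its mirror on the site B router) is the place to look; if the translations themselves are missing, ACL 105 or the `ip nat inside` placement on the virtual-access interface is.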

Hi Mopaul,

Thanks for your quick reply.

The problem that I am facing is located in the translation from the remote users of site A to site B.

I already established an IPsec tunnel between site A and site B and it is working fine (LAN of site A: 192.168.3.0/24; LAN of site B: 172.18.240.0/20). Traffic from site A to site B is NATted (overload) to IP address 172.18.235.33 in order to be accepted by site B.

The site A router is also an Easy VPN server for remote users. These remote users (192.168.98.0/24) have to go through the same process as the site A LAN users in order to connect to site B servers (remote users have to be NATted overload to IP address 172.18.235.33 to access site B); here is where I have the problem. Sometimes I can establish two different sessions from remote users to two servers of site B, but the majority of the time (99% of the time) I can only establish one session; the other one throws an error.

If I look at the sh ip nat statistics:

pool REMOTO: netmask 255.255.255.0

        start 172.18.235.33 end 172.18.235.33

        type generic, total addresses 1, allocated 1 (100%), misses 132

I don't really know what is going on with the configuration.

Is it more clear now?

Thanks