489 Views · 0 Helpful · 8 Replies

Site-to-site tunnel VPN traffic with policy NAT

teymur azimov
Level 1

Hi dears. I want to configure a site-to-site VPN. The remote site requires that our local subnet's traffic arrive as 10.193.115.0/24.

My local subnet is 10.103.70.0/24. This subnet must also have access to the internet.

Local subnet 10.103.70.0/24 must be NATed to the 10.193.115.0/24 subnet for VPN traffic.

This is my configuration. Is this config correct? I am confused that my local subnet is NATed twice, dynamic and PAT. How does this work?

access-list 100 deny ip 10.103.70.0 0.0.0.255 10.193.128.0 0.0.1.255
access-list 100 permit ip 10.103.70.0 0.0.0.255 any
! Access to internet (PAT)
ip nat inside source list 100 interface GigabitEthernet0/0 overload

For VPN traffic:

ip nat pool mswpool 10.193.115.1 10.193.115.14 netmask 255.255.255.240
ip nat inside source list nat-ipsec pool mswpool
ip access-list extended vpn-traffic
 permit ip 10.193.115.0 0.0.0.255 10.193.128.0 0.0.1.255
ip access-list extended nat-ipsec
 permit ip 10.103.70.0 0.0.0.255 10.193.128.0 0.0.1.255

8 Replies

jawad-mukhtar
Level 4

For VPN

ip nat pool mswpool 10.193.115.1 10.193.115.254 prefix-length 24 type match-host
ip access-list extended NAT-ACL
 permit ip 10.103.70.0 0.0.0.255 10.193.115.0 0.0.0.255
ip nat inside source list NAT-ACL pool mswpool overload
ip access-list extended vpn-acl
 permit ip 10.193.115.0 0.0.0.255 10.193.128.0 0.0.1.255

*** Do Rate Helpful Posts ***

Jawad

Thanks for replying. Please consider that my local users must access the internet at the same time, and I do not need to make any change to the PAT NAT configuration. Am I right?

So my final config is like this:

access-list 100 deny ip 10.103.70.0 0.0.0.255 10.193.128.0 0.0.1.255
access-list 100 permit ip 10.103.70.0 0.0.0.255 any
! Access to internet (PAT)
ip nat inside source list 100 interface GigabitEthernet0/0 overload

For VPN

ip nat pool mswpool 10.193.115.1 10.193.115.254 prefix-length 24 type match-host
ip access-list extended NAT-ACL
 permit ip 10.103.70.0 0.0.0.255 10.193.115.0 0.0.0.255
ip nat inside source list NAT-ACL pool mswpool overload
ip access-list extended vpn-acl
 permit ip 10.193.115.0 0.0.0.255 10.193.128.0 0.0.1.255


access-list 100 deny ip 10.103.70.0 0.0.0.255 10.193.128.0 0.0.1.255
access-list 100 permit ip 10.103.70.0 0.0.0.255 any

It will be the same.


Jawad

For VPN

ip nat pool mswpool 10.193.115.1 10.193.115.254 prefix-length 24 type match-host
ip access-list extended NAT-ACL
 permit ip 10.103.70.0 0.0.0.255 10.193.128.0 0.0.1.255
ip nat inside source list NAT-ACL pool mswpool overload
ip access-list extended vpn-acl
 permit ip 10.193.115.0 0.0.0.255 10.193.128.0 0.0.1.255

For Internet

access-list 100 deny ip 10.103.70.0 0.0.0.255 10.193.128.0 0.0.1.255
access-list 100 permit ip 10.103.70.0 0.0.0.255 any

Jawad

I checked the access list as you changed it, but I think that is not correct, because

ip access-list extended NAT-ACL
 permit ip 10.103.70.0 0.0.0.255 10.193.115.0 0.0.0.255

must be like this:

ip access-list extended nat-ipsec
 permit ip 10.103.70.0 0.0.0.255 10.193.128.0 0.0.1.255

local users: 10.103.70.0/24

remote users: 10.193.128.0/23

and the remote side needs our local traffic to be 10.193.115.0/24.

Am I right?

Yes, you are right; I have corrected it above.

Jawad

I have one more question.

access-list 100 deny ip 10.103.70.0 0.0.0.255 10.193.128.0 0.0.1.255
access-list 100 permit ip 10.103.70.0 0.0.0.255 any

This access list is for internet access, but I wrote

access-list 100 deny ip 10.103.70.0 0.0.0.255 10.193.128.0 0.0.1.255

10.103.70.0 is translated to 10.193.115.0 when it goes to 10.193.128.0, OK? So why do I need the

access-list 100 deny ip 10.103.70.0 0.0.0.255 10.193.128.0 0.0.1.255

line?

Because all of your traffic will be diverted toward the Internet; the deny will exclude the VPN traffic.

In simple words, it will be NATed with your public IP, so you are excluding 10.193.128.0 from being NATed with the public IP.

Jawad
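The whole exchange turns on one ordering fact: for inside-to-outside packets the router applies its `ip nat inside source` statements first and only then evaluates the crypto ACL, so the crypto ACL has to match the translated source (10.193.115.0/24), and access-list 100 must refuse to PAT the VPN-bound flows. The Python model below is an added illustration, not code or configuration from the thread. It encodes the final ACLs from the posts, takes the first NAT statement whose ACL permits the flow (with the PAT statement configured first, as in the posts), preserves the host octet for the `match-host` pool, and then runs the crypto ACL over the translated packet. The outside address 203.0.113.1 for GigabitEthernet0/0 and the sample hosts are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Added model of IOS NAT + crypto-map ordering for inside-to-outside packets.
# It illustrates the thread's final configuration and is not code from the
# posts. Assumptions: the first "ip nat inside source" statement whose ACL
# permits the flow is used, the PAT statement is configured first, and
# GigabitEthernet0/0 carries the documentation-range address 203.0.113.1.

OUTSIDE_IP = "203.0.113.1"  # assumed Gi0/0 address used by "interface ... overload"


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # IOS "network wildcard" notation, or "any"
    dst: str


def _wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard match: bits set in the wildcard mask are don't-care bits."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (n & ~w)


def acl_permits(acl, src, dst):
    """First matching entry decides; no match at all is the implicit deny."""
    for e in acl:
        if _wildcard_match(src, e.src) and _wildcard_match(dst, e.dst):
            return e.action == "permit"
    return False


def translate(rules, src, dst):
    """Apply the first NAT statement whose ACL permits src->dst.

    rules: list of (acl, kind, arg); kind is "interface_overload" (arg = the
    interface IP) or "pool_match_host" (arg = the pool prefix).
    Returns (translated_src, how).
    """
    for acl, kind, arg in rules:
        if not acl_permits(acl, src, dst):
            continue
        if kind == "interface_overload":
            return arg, "pat-to-interface"
        if kind == "pool_match_host":
            # "type match-host" keeps the host part and swaps in the pool's network part
            pool = ipaddress.ip_network(arg)
            host = int(ipaddress.IPv4Address(src)) & int(pool.hostmask)
            new = ipaddress.IPv4Address(int(pool.network_address) | host)
            return str(new), "pool-match-host"
    return src, "no-nat"


def forward(rules, crypto_acl, src, dst):
    """NAT runs first; the crypto ACL then sees the translated source."""
    new_src, how = translate(rules, src, dst)
    return new_src, how, acl_permits(crypto_acl, new_src, dst)


# ACLs as in the thread's final configuration
ACL_100 = [
    AclEntry("deny", "10.103.70.0 0.0.0.255", "10.193.128.0 0.0.1.255"),
    AclEntry("permit", "10.103.70.0 0.0.0.255", "any"),
]
NAT_ACL = [AclEntry("permit", "10.103.70.0 0.0.0.255", "10.193.128.0 0.0.1.255")]
VPN_ACL = [AclEntry("permit", "10.193.115.0 0.0.0.255", "10.193.128.0 0.0.1.255")]

RULES = [
    (ACL_100, "interface_overload", OUTSIDE_IP),      # ip nat inside source list 100 interface Gi0/0 overload
    (NAT_ACL, "pool_match_host", "10.193.115.0/24"),  # ip nat inside source list NAT-ACL pool mswpool overload
]

# The same thing with the deny line dropped from access-list 100 (the OP's last question)
ACL_100_NO_DENY = [AclEntry("permit", "10.103.70.0 0.0.0.255", "any")]
RULES_NO_DENY = [(ACL_100_NO_DENY, "interface_overload", OUTSIDE_IP), RULES[1]]


if __name__ == "__main__":
    # Constructed sample flows: a VPN-bound packet and an internet-bound one
    print(forward(RULES, VPN_ACL, "10.103.70.25", "10.193.129.10"))
    print(forward(RULES, VPN_ACL, "10.103.70.25", "198.51.100.7"))
    print(forward(RULES_NO_DENY, VPN_ACL, "10.103.70.25", "10.193.129.10"))
```

With the deny line present, a packet from 10.103.70.25 to 10.193.129.10 skips the PAT statement, is translated to 10.193.115.25 by the match-host pool and matches `vpn-acl`, so it is encrypted; the same host going to an internet address is PATed to the outside interface and never touches the crypto ACL. With the deny line removed, the VPN-bound packet is PATed to the public address, no longer matches `vpn-acl`, and leaves the router unencrypted toward the default route, which is exactly the exclusion Jawad's last reply describes. Because the deny makes the two NAT ACLs disjoint, the outcome is the same whichever statement the platform evaluates first; that is the practical reason to keep the exclusion rather than rely on statement order.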