05-13-2008 02:33 AM - edited 02-21-2020 03:43 PM
Hello,
I have established a site-to-site connection, but my client has informed me that our internal IP address is conflicting with their network's internal IP address. So now they want me to create a NAT policy so I can send IP address 192.168.18.2 onto the VPN and they can access my server. My server IP address is 192.168.16.2. (The 192.168.16.2 IP address is conflicting with their internal LAN IP.)
I am not sure how to write a NAT policy.
Please find the following configuration:
crypto isakmp policy 2
encr aes 256
hash md5
authentication pre-share
group 2
crypto isakmp key abc address 203.x.x.248
crypto ipsec transform-set compname esp-aes 256 esp-md5-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 203.33.102.248
set peer 203.33.102.248
set security-association lifetime seconds 86400
set transform-set compname
set pfs group2
match address 100
access-list 100 permit ip host 192.168.16.2 host 172.16.241.31
Please let me know how I would write a NAT policy so that I can send host IP 192.168.18.2 and they can access my server data, which is on IP 192.168.16.2.
Reminding you again that my client has got another range on their network, which is 192.168.16.x/24.
Your quick help will be much appreciated.
Thanks,
05-13-2008 02:48 AM
static (inside,outside) 192.168.18.2 192.168.16.2 netmask 255.255.255.255
(assuming 192.168.16.2 is reachable via the inside interface).
access-list 100 permit ip host 192.168.18.2 host 172.16.241.31
Jon
05-13-2008 03:56 AM
Sorry, I forgot to mention that I'm using a Cisco 871.
The static command does not seem to be working on the Cisco 871 router...
If you have any other idea, then please let me know.
Thanks.
05-13-2008 03:58 AM
ip nat inside source static 192.168.16.2 192.168.18.2
Then you need "ip nat inside" under the interface connecting to your 192.168.16.x network and "ip nat outside" on the outside interface.
Jon
05-13-2008 04:08 AM
Hi Jon,
I'm afraid, because one of my colleagues has configured a couple of PAT rules on this Cisco 871 router... please check the following PAT rules:
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.16.2 21 58.x.x.x 21 extendable
ip nat inside source static tcp 192.168.16.2 22 58.x.x.x 22 extendable
I wonder whether it will cause any problem if I write your given NAT rule, which is:
ip nat inside source static 192.168.16.2 192.168.18.2
and I am also confirming with you that I will write your given access list too, which is:
access-list 100 permit ip host 192.168.18.2 host 172.16.241.31
05-13-2008 04:38 AM
Yes, this will create a problem. You will need to use a route-map to only NAT 192.168.16.2 to 192.16.18.2 when the source IP address is 172.16.241.31.
Yes, you need to use the NATted IP address in your crypto access-list.
Jon
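One way to write the route-map-based static NAT described in this reply, as an added example that is not from any participant in the thread. The route-map name VPN_NAT and ACL number 150 are hypothetical, 192.168.18.2 is the translated address requested in the question, and the syntax assumes an IOS release that accepts a route-map on a static NAT entry.

```cisco
! Added example, not from the thread. VPN_NAT and ACL 150 are hypothetical names.
! Assumes the IOS image accepts "route-map" on a static NAT entry, and that
! "ip nat inside" / "ip nat outside" are already set on the LAN and WAN interfaces.
!
! 1. Select only the traffic that must be translated for the tunnel:
!    the server 192.168.16.2 talking to the client's host 172.16.241.31.
access-list 150 permit ip host 192.168.16.2 host 172.16.241.31
!
route-map VPN_NAT permit 10
 match ip address 150
!
! 2. Conditional one-to-one NAT: 192.168.16.2 appears as 192.168.18.2 only for
!    flows matched by VPN_NAT. The existing "static tcp ... extendable" port
!    entries and the overload rule are left unchanged.
ip nat inside source static 192.168.16.2 192.168.18.2 route-map VPN_NAT
!
! 3. On the way out, NAT runs before the crypto map is evaluated, so the
!    crypto ACL has to match the translated address, not 192.168.16.2.
!    Remove the old "host 192.168.16.2" entry from access-list 100 first.
access-list 100 permit ip host 192.168.18.2 host 172.16.241.31
!
! 4. The peer's crypto ACL must be the mirror image:
!    172.16.241.31 -> 192.168.18.2. If the two ACLs do not mirror each
!    other, phase 2 will not come up.
!
! Checks after the client sends traffic to 192.168.18.2:
!   show ip nat translations   (expect 192.168.18.2 <-> 192.168.16.2 entries)
!   show crypto ipsec sa       (expect idents for 192.168.18.2 and 172.16.241.31,
!                               with encaps/decaps counters increasing)
```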
05-13-2008 04:56 AM
I'm not sure what you mean and how I would do it.
Your help will be much appreciated...
Thanks.
Here is my external interface config:
interface FastEthernet4
ip address 58.x.x.x 255.255.255.252
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
==============================
Here is my internal interface config.
interface Vlan1
ip address 192.168.16.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
================================
here is my NAT rules:
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.16.2 21 58.x.x.x 21 extendable
ip nat inside source static tcp 192.168.16.2 22 58.x.x.x 22 extendable
ip nat inside source static tcp 192.168.16.2 25 58.x.x.x 25 extendable
ip nat inside source static tcp 192.168.16.2 80 58.x.x.x 80 extendable
ip nat inside source static tcp 192.168.16.2 110 58.x.x.x 110 extendable
ip nat inside source static tcp 192.168.16.2 143 58.x.x.x 143 extendable
ip nat inside source static tcp 192.168.16.2 443 58.x.x.x 443 extendable
ip nat inside source static tcp 192.168.16.2 1723 58.x.x.x 1723 extendable
ip nat inside source static tcp 192.168.16.2 3389 58.x.x.x 3389 extendable
ip nat inside source static tcp 192.168.16.35 10000 58.x.x.x 10000 extendable
Now, if you could tell me what you would like me to configure... please...
Thanks
05-13-2008 02:17 PM
Hi,
Is there someone who can help me out with a NAT policy to establish a site-to-site VPN connection?
Thanks,
05-13-2008 05:00 PM
Hi,
If anyone knows how to fix this issue, please let me know so I can resolve my issue...
It's quite urgent to resolve this issue.
Thanks,