
site-to-site VPN connection

pannu3679
Level 1

Hello,

I have established a site-to-site connection, but my client has informed me that our internal IP address is conflicting with their network's internal IP address. So now they want me to create a NAT policy so I can send IP address 192.168.18.2 onto the VPN and they can access my server. My server IP address is 192.168.16.2. (The 192.168.16.2 IP address is conflicting with their internal LAN IP.)

I am not sure how to write the NAT policy.

Please find the following configuration:

crypto isakmp policy 2

encr aes 256

hash md5

authentication pre-share

group 2

crypto isakmp key abc address 203.x.x.248

crypto ipsec transform-set compname esp-aes 256 esp-md5-hmac

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to 203.33.102.248

set peer 203.33.102.248

set security-association lifetime seconds 86400

set transform-set compname

set pfs group2

match address 100

access-list 100 permit ip host 192.168.16.2 host 172.16.241.31

Please let me know how I would write the NAT policy so that I can send host IP 192.168.18.2 and they can access my server data, which is on IP 192.168.16.2.

Reminding you again that my client has got another range on their network, which is 192.168.16.x/24.

Your quick help will be much appreciated.

Thanks,

8 Replies

Jon Marshall
Hall of Fame

static (inside,outside) 192.168.18.2 192.168.16.2 netmask 255.255.255.255

(assuming 192.168.16.2 is reachable via the inside interface).

access-list 100 permit ip host 192.168.18.2 host 172.16.241.31

Jon

Sorry, I forgot to mention that I'm using a Cisco 871.

The static command does not seem to be working on the Cisco 871 router...

If you have any other idea then please let me know.

Thanks.

ip nat inside source static 192.168.16.2 192.168.18.2

Then you need "ip nat inside" under the interface connecting to your 192.168.16.x network and "ip nat outside" on the outside interface.

Jon

Hi Jon,

I'm afraid because one of my colleagues has configured a couple of PAT rules on this Cisco 871 router... please check the following PAT rules:

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload

ip nat inside source static tcp 192.168.16.2 21 58.x.x.x 21 extendable

ip nat inside source static tcp 192.168.16.2 22 58.x.x.x 22 extendable

I wonder whether it will cause any problem if I write your given NAT rule, which is:

ip nat inside source static 192.168.16.2 192.168.18.2

I am also confirming with you that I will write down your given access list too, which is:

access-list 100 permit ip host 192.168.18.2 host 172.16.241.31

Yes this will create a problem. You will need to use a route-map to only NAT 192.168.16.2 to 192.16.18.2 when the source ip address is 172.16.241.31.

Yes you need to use the Natted IP address in your crypto access-list.

Jon
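
Added example (not part of Jon's reply or of the original thread): one way the route-map approach described above is commonly written on IOS, limiting the translation of 192.168.16.2 to 192.168.18.2 to traffic toward 172.16.241.31. ACL number 150 and the route-map name VPN_NAT are hypothetical; the ACL behind the existing SDM_RMAP_1 is not shown in the thread, so it is left untouched here.

```cisco
! Added example; ACL 150 and route-map VPN_NAT are hypothetical names.
! Traffic that should be translated: server -> remote VPN host only.
access-list 150 permit ip host 192.168.16.2 host 172.16.241.31
!
route-map VPN_NAT permit 10
 match ip address 150
!
! Conditional static NAT: 192.168.16.2 is presented as 192.168.18.2 only
! for flows matched by VPN_NAT. The existing PAT rule and the
! port-forwarding statics to 58.x.x.x stay as they are.
ip nat inside source static 192.168.16.2 192.168.18.2 route-map VPN_NAT
!
! On the inside-to-outside path IOS translates before it checks the
! crypto map, so the crypto ACL has to match the translated source.
! ACL 100 holds a single entry in the posted configuration, so it is
! replaced as a whole.
no access-list 100
access-list 100 permit ip host 192.168.18.2 host 172.16.241.31
!
! Checks after applying (exec mode):
!   show ip nat translations
!   show crypto ipsec sa
```

The remote peer's crypto ACL has to mirror the new entry (172.16.241.31 to 192.168.18.2). Confirm with the two show commands on the installed IOS release that sessions opened from 172.16.241.31 toward 192.168.18.2 are translated and that the IPsec packet counters increase.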

I'm not sure what you mean or how I would do it.

Your help will be much appreciated...

Thanks.

Here is my external interface config:

interface FastEthernet4

ip address 58.x.x.x 255.255.255.252

ip verify unicast reverse-path

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map SDM_CMAP_1

==============================

Here is my internal interface config.

interface Vlan1

ip address 192.168.16.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

================================

Here are my NAT rules:

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload

ip nat inside source static tcp 192.168.16.2 21 58.x.x.x 21 extendable

ip nat inside source static tcp 192.168.16.2 22 58.x.x.x 22 extendable

ip nat inside source static tcp 192.168.16.2 25 58.x.x.x 25 extendable

ip nat inside source static tcp 192.168.16.2 80 58.x.x.x 80 extendable

ip nat inside source static tcp 192.168.16.2 110 58.x.x.x 110 extendable

ip nat inside source static tcp 192.168.16.2 143 58.x.x.x 143 extendable

ip nat inside source static tcp 192.168.16.2 443 58.x.x.x 443 extendable

ip nat inside source static tcp 192.168.16.2 1723 58.x.x.x 1723 extendable

ip nat inside source static tcp 192.168.16.2 3389 58.x.x.x 3389 extendable

ip nat inside source static tcp 192.168.16.35 10000 58.x.x.x 10000 extendable

Now, if you could tell me what you would like me to configure... please...

Thanks

Hi,

Is there someone who can help me out with the NAT policy to establish a site-to-site VPN connection?

Thanks,

Hi,

If anyone knows how to fix this issue, please let me know so I can resolve my issue...

It's quite urgent to resolve this issue.

Thanks,