chaserf9e
Beginner

VPN IPSec and NAT

So I need any ideas on the best way to achieve this; I can think of a few but don't know which will be best. Here goes:

I have a local network of 10.9.0.0/20 and need to create a bidirectional IPSec tunnel to a client site. They want me to present to them a 172.16.17.0/24 address over the IPSec. My thinking, for ease, is going to be to create the tunnel with the local and remote networks above, then create a dynamic NAT pool (many-to-many) that will translate any 10.9.0.0 address to a 172.16.17.0 address. Is there any better way to do this?

Thanks in advance

8 REPLIES
Eugene Khabarov
Rising star

If I understood your question correctly, then my solution will be to create an SVTI (IPSec virtual tunnel interface), configure it with "ip nat outside" and then translate 10.9.0.0/20 to the NAT pool 172.16.17.0/24. It seems an easy task.

So the issue is that I have to send the IP from site 1 to site 2 as 172.16.17.0/24 over the IPSec. I have no access to site 2 or any of its equipment (it is at a client). From what I know I could do it using SVTI, but wouldn't the other site (site 2) need a 172.16.17.0/25 address? The only thing they have set, or can set, is a remote network of 172.16.17.0/24.

Abaji Rawool
Participant

Here is an example which might help you, but you need to make sure you have the matching subnet (for bidirectional, one-to-one mapping).

Configure the NAT. Source address range of 10.9.0.0/24 and destination of the remote subnet (for example 10.10.0.0/24):


access-list 101 permit ip 10.9.0.0 0.0.0.255 10.10.0.0 0.0.0.255

Create a route-map called 'static-nat' and match traffic to ACL 101:

route-map static-nat permit 10
 match ip address 101

Create a NAT-POOL for the public IP address (or range) you want to NAT to. In this case, I'm NAT'ing to 172.16.17.0:


ip nat pool NAT-POOL 172.16.17.1 172.16.17.254 netmask 255.255.255.0

Create a NAT rule to use the route-map 'static-nat'. Upon a match to ACL 101, NAT that traffic to one of the NAT-POOL addresses:

ip nat inside source route-map static-nat pool NAT-POOL overload

Once you have configured the NAT you need to modify the interesting traffic. You need your 'interesting traffic'


access-list 121 permit ip 172.16.17.0 0.0.0.255 10.10.0.0 0.0.0.255


Define your VPN peer, apply phase II and the matching ACL for interesting traffic:

crypto map VPN 5 ipsec-isakmp
 set peer <peer ip>
 set transform-set <transform set>
 match address 121

Apply the crypto map to the public interface and NAT on the public side:

interface GigabitEthernet0/0
 ip nat outside
 crypto map VPN

Configure the inside interface NAT on the internal side:

interface GigabitEthernet0/1
 ! a usable host address, not the network address 10.9.0.0
 ip address 10.9.0.1 255.255.255.0
 ip nat inside

HTH

Thanks for your reply. When trying this on the ASA I get invalid input, as below:

ASA5510-02(config)# ip nat pool NAT-POOL 172.16.17.1 172.16.17.254 netmask /24
                        ^
ERROR: % Invalid input detected at '^' marker.

Can you please tell which ASA software version you are using, as NAT configuration has a different syntax on version 8.3 and below.

It is 9.1.5.

For doing one-to-one NAT, make sure your real subnet and NATted subnet masks are the same.

You need to configure a Manual NAT statement on your firewall. For example:

1. First create network objects, then refer to them in the NAT statement.

object network obj-10.9.0.0
 subnet 10.9.0.0 255.255.255.0
object network obj-172.16.17.0
 subnet 172.16.17.0 255.255.255.0
object network destination_network
 subnet x.x.x.x x.x.x.x

nat (inside,outside) source static obj-10.9.0.0 obj-172.16.17.0 destination static destination_network destination_network

2. Now define the interesting traffic using the NATted IP as the source.

access-list new extended permit ip 172.16.17.0 255.255.255.0 x.x.x.x x.x.x.x

3. Refer to this access-list in the crypto map configured for the peer.

HTH

Please do rate useful posts
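The two configuration answers above rest on the same two rules: a one-to-one (static) translation needs real and mapped subnets of the same size, and the crypto ACL ('interesting traffic') must be written against the translated source, because on the inside-to-outside path the translation is applied before the crypto map is consulted. The following Python model, added here and not part of this thread or of any Cisco product, checks both rules against the thread's addresses. The remote subnet 10.10.0.0/24 is a constructed stand-in for the x.x.x.x placeholders, and every function name is hypothetical.

```python
import ipaddress

# Constructed sample values for this thread's scenario. The remote
# subnet stands in for the "x.x.x.x" the ASA post leaves unspecified.
REAL_NET = ipaddress.ip_network("10.9.0.0/24")
MAPPED_NET = ipaddress.ip_network("172.16.17.0/24")
REMOTE_NET = ipaddress.ip_network("10.10.0.0/24")

# IOS-style crypto ACL entries: (src, src_wildcard, dst, dst_wildcard).
# ACL 121 from the thread, written against the *translated* source.
ACL_121 = [("172.16.17.0", "0.0.0.255", "10.10.0.0", "0.0.0.255")]
# A tempting but wrong variant written against the real (pre-NAT) source.
ACL_WRONG = [("10.9.0.0", "0.0.0.255", "10.10.0.0", "0.0.0.255")]


def one_to_one_possible(real, mapped):
    """A static one-to-one translation needs equal prefix lengths;
    otherwise the mapped range cannot hold every real host."""
    return (ipaddress.ip_network(real).prefixlen
            == ipaddress.ip_network(mapped).prefixlen)


def static_nat(src, real=REAL_NET, mapped=MAPPED_NET):
    """Model of 'nat source static obj-real obj-mapped' (ASA) or a
    static 1:1 mapping on IOS: swap the network bits, keep the host bits."""
    real = ipaddress.ip_network(real)
    mapped = ipaddress.ip_network(mapped)
    if not one_to_one_possible(real, mapped):
        raise ValueError(f"{real} and {mapped} differ in mask; "
                         "one-to-one NAT is impossible")
    src = ipaddress.ip_address(src)
    if src not in real:
        return src  # not subject to this rule, passes untranslated
    host_bits = int(src) - int(real.network_address)
    return ipaddress.ip_address(int(mapped.network_address) + host_bits)


def wildcard_match(addr, net, wildcard):
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return ((int(ipaddress.ip_address(addr)) & care)
            == (int(ipaddress.ip_address(net)) & care))


def acl_permits(acl, src, dst):
    """First-match evaluation of a permit-only ACL."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in acl)


def outbound_is_encrypted(real_src, dst, crypto_acl):
    """Inside-to-outside order of operations on the VPN gateway: NAT runs
    before the crypto map is checked, so the crypto ACL sees the
    translated source address, never the real one."""
    translated = static_nat(real_src)
    return acl_permits(crypto_acl, translated, dst)


if __name__ == "__main__":
    # The original poster's /20 cannot map one-to-one onto a /24, which is
    # why the thread moves to a dynamic pool or a matching /24.
    print(one_to_one_possible("10.9.0.0/20", "172.16.17.0/24"))        # False
    print(static_nat("10.9.0.37"))                                     # 172.16.17.37
    print(outbound_is_encrypted("10.9.0.37", "10.10.0.5", ACL_121))    # True
    print(outbound_is_encrypted("10.9.0.37", "10.10.0.5", ACL_WRONG))  # False
```

The last two calls show the failure mode the ASA poster's "invalid input" detour hides: with the crypto ACL written against 10.9.0.0/24, the translated packet never matches, the traffic leaves in clear text (or is dropped by the outside ACL) and the tunnel never comes up for that flow.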

Hi,

I provided the configuration assuming it is an IOS router. For ASA you need to have policy-based NAT.

You can refer to this thread for a similar example: https://supportforums.cisco.com/discussion/11128851/policy-based-nat-asa-841

 

Regards,

Abaji.
