
Setting up NAT

Status
Not open for further replies.

demoniac

Programmer
Jun 14, 2001
63
US
Hello. I just finished setting up a site-to-site VPN with another company. However, we're only allowing a single IP to pass through the tunnel, so I need to set up an overloaded NAT to be able to let all the computers necessary pass through.

My setup is a bit strange. We have a frame relay so my Serial 0/0 interface has an IP. Then my ethernet 0/0 has the actual IP of the router on the internet. Then I want to setup ethernet 0/1 to be the local interface.

So my config should look roughly like this (example IPs...), I thought, but I can't make it work:


interface FastEthernet0/0
ip address 208.56.147.1 255.255.255.0
ip nat outside
...

interface FastEthernet0/1
ip address 10.0.0.17 255.255.248.0
ip nat inside

ip nat pool vpnpool 208.56.147.190 208.56.147.190 prefix-length 24
ip nat inside source list 2 pool vpnpool overload

access-list 2 permit 10.0.0.0 0.0.0.100


And then the access-list for the actual VPN only permits 208.56.147.190 to pass through the VPN. I thought with the above config it would set up a pool, 'vpnpool', with only 208.56.147.190. Then the overload would allow multiple inside IPs to use the single outside IP. And with access-list 2 I should be allowing 10.0.0.0 through 10.0.0.100 to use that NAT, correct? But I've tried it from several 10.0.0.x IPs within that range and it just won't work.

What am I missing here? Any help would be greatly appreciated...

Thanks,
Richard
 
I don't think this applies to me since I'm doing the NAT before the end point of the IPSEC tunnel. So the packet going out is translated from an RFC 1918 address to a public address. The public address is the allowed address through the tunnel, which is still before the endpoint. The endpoint is actually the address on my serial port.

I can see the IPSEC and NAT mixture causing a problem if I had my endpoint on the inside and then had to NAT that address, but I'm doing it exactly opposite of that which shouldn't cause a problem.
 

Actually, the wildcard mask in ACL 2 is incorrect.

Is all of this, including the crypto maps, configured on this same router?

If so, then the traffic will only be NAT'd when it goes out int FastEth.

You should post the router config.



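To make the wildcard-mask point above concrete, here is an added example (not from the thread or from any Cisco tool): a small Python model of IOS wildcard matching that shows which addresses `10.0.0.0 0.0.0.100` really permits, and how the intended range 10.0.0.1 through 10.0.0.100 has to be split into aligned blocks to be expressed as a standard access list. Getting this list right matters because it is exactly the set of inside hosts that get translated to the tunnel address.

```python
import ipaddress

def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco ACL semantics: a 1 bit in the wildcard is 'don't care',
    a 0 bit must equal the corresponding bit of the base address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def addresses_permitted(entries, network="10.0.0.0/24"):
    """All addresses in `network` matched by any (base, wildcard) permit entry."""
    net = ipaddress.IPv4Network(network)
    return [str(a) for a in net
            if any(wildcard_matches(str(a), base, wc) for base, wc in entries)]

def wildcard_entries_for_range(first: str, last: str):
    """Split an inclusive address range into power-of-two aligned blocks;
    each block becomes one (base, wildcard) entry, because a single
    wildcard mask cannot express an arbitrary range like .1 to .100."""
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [(str(n.network_address), str(n.hostmask))
            for n in ipaddress.summarize_address_range(start, end)]

def acl_lines(number: int, entries):
    """Render (base, wildcard) entries as IOS standard access-list statements."""
    return [f"access-list {number} permit {base} {wc}" for base, wc in entries]

if __name__ == "__main__":
    # The entry from the thread: it is NOT the range 10.0.0.1-10.0.0.100,
    # only the eight addresses whose bits outside 4, 32 and 64 are zero.
    print("10.0.0.0 0.0.0.100 actually matches:",
          addresses_permitted([("10.0.0.0", "0.0.0.100")]))
    # Entries that cover exactly 10.0.0.1 through 10.0.0.100 (nine lines).
    for line in acl_lines(2, wildcard_entries_for_range("10.0.0.1", "10.0.0.100")):
        print(line)
```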
 
I thought with the wildcard mask set like that it would only allow 10.0.0.1 through 10.0.0.100 to be NAT'd? Here's the configuration as I have it:

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
!
logging buffered 4096 debugging
!
!
memory-size iomem 25
ip subnet-zero
ip name-server 63.140.240.35
ip name-server 63.140.240.36
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 2
encr 3des
authentication pre-share
!
crypto isakmp key <preshared key> address <peer address>
!
crypto ipsec transform-set 3DESSHA_set esp-3des esp-sha-hmac
!
crypto map BrokenVPN 2 ipsec-isakmp
description <VPNThatDoesn'tWork>
set peer <peer address>
set transform-set 3DESSHA_set
match address 102
!
interface FastEthernet0/0
ip address <router's internet IP> 255.255.255.0
no ip directed-broadcast
ip accounting output-packets
duplex auto
speed auto
!
interface Serial0/0
ip address <removed> 255.255.255.252
no ip directed-broadcast
ip accounting output-packets
ip nat outside
encapsulation frame-relay IETF
service-module t1 timeslots 1-24
frame-relay map ip <removed> 16 IETF
frame-relay lmi-type ansi
crypto map BrokenVPN
!
interface FastEthernet0/1
ip address 10.0.0.17 255.255.248.0
no ip directed-broadcast
ip nat inside
duplex auto
speed auto
!
ip nat pool BrokenPool 208.56.147.190 208.56.147.190 prefix-length 24
ip nat inside source list 2 pool BrokenPool overload
ip classless
ip route 0.0.0.0 0.0.0.0 <serial IP>
no ip http server
!
access-list 2 permit any
access-list 102 permit ip host 208.56.147.290 host <peer address>
access-list 102 permit ip host 208.56.147.290 host <another peer address>
!
line con 0
exec-timeout 0 0
password ws!health
login
transport input none
line aux 0
line vty 0 4
password ws!health
login
!
no scheduler allocate
end


I changed ACL 2 to just permit anything for now but I'm still having no luck with it...
 