Saturday, December 1, 2018

How do I SNAT interesting traffic for an L2L tunnel while PATing all other non-interesting traffic?

NAT interesting traffic with IPSEC L2L

How do I NAT interesting traffic going through an L2L tunnel? The NAT'ing happens on the same router that the L2L tunnel terminates on. Below is the config for the two routers. I have an ISP in between, but everything is routing and working correctly w/o the NAT. Once I enable the NAT, my tunnel breaks. All other traffic needs to PAT to an interface; I have a NAT exemption for the LAN of the L2L and built a separate SNAT for the VPN L2L traffic.

ROUTER1 >>>>> ISP <<<<<< ROUTER2

PAT 10.200.0.0/16 OVERLOAD, with the exception of 10.200.10.10 (that's the server that is considered interesting traffic to the tunnel)

SNAT 10.200.10.10 to 10.200.10.100

I removed all unnecessary configs, such as routing and the server on the corp network, as the tunnel works w/o the NAT but fails w/ the NAT.


hostname VENDOR

crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
crypto isakmp key cisco address 1.100.50.1

crypto ipsec transform-set VENDOR2 ah-md5-hmac esp-3des esp-md5-hmac
mode tunnel

crypto map VENDOR 10 ipsec-isakmp
description VENDOR2
set peer 1.100.50.1
set security-association dummy pps 20
set transform-set VENDOR2
set pfs group24
match address 100

interface Ethernet2/1
description VPN PEER
ip address 192.168.118.2 255.255.255.252
duplex full

interface Ethernet2/2
description ISP
ip address 1.100.118.1 255.255.255.252
duplex full
crypto map VENDOR

ip route 0.0.0.0 0.0.0.0 Ethernet2/2 1.100.118.2

access-list 100 permit ip host 50.50.50.50 host 10.200.10.10
access-list 100 permit ip host 50.50.50.50 host 10.200.10.100 log-input
access-list 103 permit ip any host 50.50.50.50 log-input


object-group network Local-LAN

object-group network VPN-LAN
description NAT'd
host 10.200.10.100
host 10.200.10.10

crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
crypto isakmp key cisco address 1.100.118.1

crypto ipsec transform-set VENDOR2 ah-md5-hmac esp-3des esp-md5-hmac
mode tunnel

crypto map VENDOR 10 ipsec-isakmp
description VENDOR2
set peer 1.100.118.1
set security-association dummy pps 20
set transform-set VENDOR2
set pfs group24
match address 100

interface Ethernet2/0
description CORP
ip address 10.200.50.2 255.255.255.252
ip nat inside
ip virtual-reassembly in
duplex full

interface Ethernet2/5
description ISP
ip address 1.100.50.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex full
crypto map VENDOR

ip nat Stateful id 100
ip nat inside source list 10 interface Ethernet2/5 overload
ip nat inside source static network 10.200.10.10 10.200.10.100 /32 no-alias
ip route 10.200.10.100 255.255.255.255 Null0

access-list 1 permit 10.200.10.10
access-list 10 deny 10.200.10.10
access-list 10 permit 10.200.0.0 0.0.255.255 log
access-list 100 remark IPSEC
access-list 100 permit ip object-group VPN-LAN host 50.50.50.50 log-input
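The reason NAT and a crypto map interact at all on IOS is the order of operations for inside-to-outside packets: routing first, then NAT inside-to-outside, and only then the crypto map's match ACL. The crypto ACL therefore sees the translated source address, and the peer's crypto ACL must be the mirror of what is sent after translation. The following Python model is an added example, not part of the original post or of either router's config; it copies the addresses from the ROUTER2 config above (static NAT, PAT list 10, access-list 100 on both sides), constructs a few sample packets, and reports which ones would be encrypted, whether the two crypto ACLs mirror each other, and which crypto ACL entries can never match post-NAT. The packet addresses 10.200.20.5 and 8.8.8.8 are constructed for illustration.

```python
"""
Model of the Cisco IOS inside->outside order of operations that decides whether
a flow is "interesting": routing, then NAT inside->outside, then the crypto
map's match ACL.  Because NAT runs before the crypto check, the crypto ACL is
evaluated against the TRANSLATED source address.
Rule values are copied from the ROUTER2 config on this page; sample packets
are constructed.
"""
from ipaddress import ip_address, ip_network

# ip nat inside source static network 10.200.10.10 10.200.10.100 /32
STATIC_NAT = {ip_address("10.200.10.10"): ip_address("10.200.10.100")}

# access-list 10 (the PAT list): deny the static-NAT host, permit the /16
PAT_ACL = [("deny", ip_network("10.200.10.10/32")),
           ("permit", ip_network("10.200.0.0/16"))]
PAT_IFACE_IP = ip_address("1.100.50.1")   # Ethernet2/5 ... overload

# access-list 100 on ROUTER2: object-group VPN-LAN -> host 50.50.50.50
CRYPTO_ACL_LOCAL = [(ip_network("10.200.10.100/32"), ip_network("50.50.50.50/32")),
                    (ip_network("10.200.10.10/32"),  ip_network("50.50.50.50/32"))]
# access-list 100 on ROUTER1 (VENDOR): host 50.50.50.50 -> each VPN-LAN host
CRYPTO_ACL_REMOTE = [(ip_network("50.50.50.50/32"), ip_network("10.200.10.10/32")),
                     (ip_network("50.50.50.50/32"), ip_network("10.200.10.100/32"))]


def acl_permits(acl, addr):
    """First-match standard ACL with the implicit deny IOS appends."""
    for action, net in acl:
        if addr in net:
            return action == "permit"
    return False


def nat_inside_to_outside(src):
    """Return (translated_src, kind); a static entry wins over the dynamic list."""
    if src in STATIC_NAT:
        return STATIC_NAT[src], "static"
    if acl_permits(PAT_ACL, src):
        return PAT_IFACE_IP, "pat"
    return src, "none"


def crypto_matches(acl, src, dst):
    """Extended ACL match on (source, destination) only; protocol is 'ip' everywhere here."""
    return any(src in s and dst in d for s, d in acl)


def outbound(src, dst):
    """Walk one inside->outside packet through NAT and then the crypto ACL."""
    src, dst = ip_address(src), ip_address(dst)
    new_src, kind = nat_inside_to_outside(src)
    return {"src_after_nat": str(new_src), "nat": kind,
            "encrypted": crypto_matches(CRYPTO_ACL_LOCAL, new_src, dst)}


def mirror_ok(local, remote):
    """Every (src, dst) entry on one side must appear as (dst, src) on the peer."""
    return (all((d, s) in remote for s, d in local)
            and all((d, s) in local for s, d in remote))


def unreachable_entries(acl):
    """Crypto ACL entries whose /32 source is an inside-local address that static
    NAT always rewrites: post-NAT traffic never carries that source, so they are dead."""
    return [(str(s), str(d)) for s, d in acl
            if s.prefixlen == 32 and s.network_address in STATIC_NAT]


if __name__ == "__main__":
    for pkt in [("10.200.10.10", "50.50.50.50"),   # the interesting server
                ("10.200.20.5", "8.8.8.8"),        # ordinary Internet traffic
                ("10.200.20.5", "50.50.50.50")]:   # another LAN host to the peer's host
        print(pkt, "->", outbound(*pkt))
    print("crypto ACLs mirror each other:", mirror_ok(CRYPTO_ACL_LOCAL, CRYPTO_ACL_REMOTE))
    print("entries that can never match post-NAT:", unreachable_entries(CRYPTO_ACL_LOCAL))
```

Running it shows the server's packets reaching the crypto ACL as 10.200.10.100 and being encrypted, the other LAN host being PATed to 1.100.50.1 and therefore not matching the tunnel ACL even when its destination is 50.50.50.50, and the pre-NAT 10.200.10.10 entry in access-list 100 being dead because the static translation always rewrites that source before the crypto check.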
