Hello,
Can you NAT a site-to-site VPN?
I have a Cisco 877 which I have been using for internet access. My internal network 10.10.10.0/24 is hidden behind the router's static external IP address using NAT.
Now I am trying to set up a VPN to another company. Their firewall is 199.99.99.99. Within their network I need to access computers in subnet 177.77.77.0/24.
I set up the VPN using Cisco Security Device Manager (SDM). This changed my NAT rule to use a route-map so that the NAT and VPN would not conflict. This means that my internal addresses are not hidden from the other end of the VPN; they see 10.10.10.x as the source address:
ip nat inside source list 1 interface Dialer0 overload

became

ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
route-map SDM_RMAP_1 permit 1
 match ip address 103
access-list 103 deny ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
However the other company cannot route my 10.10.10.x address within their internal networks because it conflicts with addresses they are using.
I tried deleting

access-list 103 deny ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255

in the hope that this would cause it to NAT my traffic inside the VPN, but it didn't seem to help.
Can I amend my configuration so that my internal addresses are translated to something they can use? Can I reinstate NAT for the VPN somehow so that the other end sees my traffic as having the IP address of the external interface of my router?
Partial config follows:
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key zzzzzzzzzzz address 199.99.99.99
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 199.99.99.99
 set transform-set ESP-3DES-SHA
 match address 102
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxx
 crypto map SDM_CMAP_1
!
ip local pool vpn-pool 10.10.10.60 10.10.10.69
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.6 7627 interface Dialer0 3317
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=17
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.29.35.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit udp host 199.99.99.99 any eq non500-isakmp
access-list 101 permit udp host 199.99.99.99 any eq isakmp
access-list 101 permit esp host 199.99.99.99 any
access-list 101 permit ahp host 199.99.99.99 any
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 deny ip 10.10.10.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.10.10.0 0.0.0.255 177.77.77.0 0.0.0.255
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
access-list 106 permit tcp any any eq 22
access-list 106 deny ip any any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
end
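The following is an added illustration, not part of the post above: a small Python model of how the route-map NAT (access-list 103) and the crypto map match (access-list 102) from the config interact on an inside-to-outside packet. It assumes the documented IOS order of operations (NAT inside-to-outside translation happens before the crypto map is evaluated) and uses a constructed placeholder for the negotiated Dialer0 address.

```python
from ipaddress import ip_address

# Constructed placeholder for the negotiated Dialer0 address (not from the post).
DIALER0_IP = "203.0.113.10"
ANY = ("0.0.0.0", "255.255.255.255")


def wc_match(addr, network, wildcard):
    """Cisco wildcard-mask match: a set bit in the wildcard means 'don't care'."""
    mask = 0xFFFFFFFF ^ int(ip_address(wildcard))
    return (int(ip_address(addr)) & mask) == (int(ip_address(network)) & mask)


def acl_permits(acl, src, dst):
    """First-match extended ACL; entries are (action, src, src_wc, dst, dst_wc); implicit deny."""
    for action, sn, sw, dn, dw in acl:
        if wc_match(src, sn, sw) and wc_match(dst, dn, dw):
            return action == "permit"
    return False


# access-list 102: what crypto map SDM_CMAP_1 sends through the tunnel.
ACL_102 = [("permit", "10.10.10.0", "0.0.0.255", "177.77.77.0", "0.0.0.255")]
# access-list 103 as SDM wrote it, and as it looks after the deny line is removed.
ACL_103_WITH_DENY = [("deny", "10.10.10.0", "0.0.0.255", "177.77.77.0", "0.0.0.255"),
                     ("permit", "10.10.10.0", "0.0.0.255", *ANY)]
ACL_103_NO_DENY = ACL_103_WITH_DENY[1:]


def outbound(src, dst, nat_acl):
    """Return (source address on the wire, whether the packet enters the IPsec tunnel).

    Models the inside-to-outside path: route-map SDM_RMAP_1 (matching nat_acl)
    decides overload NAT first, then the crypto map is checked on the post-NAT packet.
    """
    if acl_permits(nat_acl, src, dst):      # route-map matched -> translated to Dialer0
        src = DIALER0_IP
    encrypted = acl_permits(ACL_102, src, dst)
    return src, encrypted
```

With the deny line present, traffic to 177.77.77.0/24 is not translated and enters the tunnel with a 10.10.10.x source; with it removed, the packet is translated first and then no longer matches access-list 102, so it leaves Dialer0 in the clear instead of through the VPN.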