Double tunnel and NAT - your suggestions.

I have a 837 and on it I built 2 kinds of tunnels:

1) one to headquarters; 2) VPN clients to access a server behind eth0.

I would like VPN clients to have access to HQ resources.

I studied 2 solutions but each one has its pros and cons; one has to be more clearly developed:

1) I assigned to VPN clients a pool belonging to the LAN behind the router, I mean 192.168.150.232-239 of 192.168.150/24. It works fine both to machines behind eth0 and to headquarters, but it works only because the router has proxy ARP enabled on eth0.

2) I assigned a completely different pool (192.168.160.232-239), but now I don't know how to NAT them when packets must reach the headquarters. Keep in mind I cannot change IPsec settings on the device at the HQ, so for it I must "produce" packets coming from the LAN behind eth0. So how to do NAT coming from one interface (dialer in this case) and going out from the same? Do you think that using loopback interfaces and route-maps could help me? Perhaps more than one?

Thanks Alex.


For the 2nd case, for accessing the internal network (HQ in this case), why do you have to use NAT? In my opinion, exclude this pool 192.168.160.232-39 from the NAT rules, on both your router and the HQ router, and set up the ACL to allow this pool to access where it is supposed to.

DT


Thanks dt,

but I wouldn't do that because I've already set up the VPN between the spoke router and the HQ. The "problem" is the traffic allowed to be protected. As I have 40 tunnels like that, I'd prefer to solve the problem locally on the router without adding the range 192.168.16.232-239 to the tunnel. Moreover, the way you specified forces me to assign a different pool for each router and for each tunnel. Moreover, I must double the ACLs on the PIX to access HQ resources (even if I could use groups on it). Again, I would use a numbering that is easy to remember, and choosing a pool belonging to the LAN behind the router ought to help me in debugging access to HQ: the VPN client would remain the same, I'd only have to change the NAT statement and not run behind ACLs.

Alex


Hello...

The problem you're having is the "next step" in an architecture that I'm trying to configure, but you've already figured out how to make VPN client traffic turn around at the router and head off to HQ in your other tunnel. Would you mind posting your config?

It'd be a great help to many of us, I suspect, who are not IOS engineers but know just enough to be frustrated! :)

Thanks in advance.

--matt


Just use a pool, belonging to the LAN behind the router, for the VPN clients and you're done. Be sure to have the proxy ARP feature enabled on your router. Moreover, put static routes to tell the router that that pool is connected to the WAN interface.

Alex.
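Alex's recipe above, written out as a constructed IOS fragment added here for illustration (it is not his posted config). Interface names Ethernet0 and Dialer1, the pool name, the ACL numbers and the HQ subnet 10.10.0.0/16 are assumptions; the crypto map (static entry for the HQ tunnel plus a dynamic entry for the VPN clients) is assumed to already exist on Dialer1 and is not shown.

```cisco
! Constructed example, not the original poster's configuration.
! Pool carved out of the LAN behind eth0: 192.168.150.232-239 is exactly
! the /29 192.168.150.232 255.255.255.248, so one static route covers it.
ip local pool VPNCLIENTS 192.168.150.232 192.168.150.239
!
interface Ethernet0
 description LAN behind the router (192.168.150.0/24)
 ip address 192.168.150.1 255.255.255.0
 ! Proxy ARP: LAN hosts ARP for a client address in .232-.239; the router
 ! answers with its own MAC because it holds a route to that /29 via
 ! another interface (the static route below), so replies reach it.
 ip proxy-arp
 ip nat inside
!
! Existing site-to-site "interesting traffic" ACL covers the whole /24,
! so client packets (source .232-.239) already match the HQ tunnel and
! HQ sees them as coming from the LAN behind eth0. Nothing changes at HQ.
access-list 110 permit ip 192.168.150.0 0.0.0.255 10.10.0.0 0.0.255.255
!
! Keep LAN-to-HQ traffic out of the Internet overload NAT (DT's point);
! the pool is inside the /24, so the same deny line covers the clients.
access-list 120 deny   ip 192.168.150.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 120 permit ip 192.168.150.0 0.0.0.255 any
ip nat inside source list 120 interface Dialer1 overload
!
! "Static route to the WAN interface": return traffic for the pool must
! leave via the interface carrying the crypto map, not eth0, so it gets
! encrypted back to the client. Client-to-HQ packets arrive decrypted on
! Dialer1, match ACL 110 and are re-encrypted out of the same interface.
ip route 192.168.150.232 255.255.255.248 Dialer1
!
interface Dialer1
 description WAN; crypto map with HQ + VPN-client entries assumed here
 ip nat outside
```

A quick check after applying it: `show ip route 192.168.150.233` should point at Dialer1, and `show crypto ipsec sa` on the HQ peer should count client packets under the existing 192.168.150.0/24 proxy identity.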
