NAT Access Question

I am trying to set up a Hub->spoke VPN configuration, where all of my branch locations route all traffic through an IPSEC tunnel to a central router, which then routes to the internet (or other branches).

I have no issue getting the IPSEC tunnels set up. My issue is when one of my branch offices wants to access the internet, I can't figure out why NAT isn't working from the central router:

I'd post both configs here, but currently I've got them back to running normal with individual NAT at each router to the internet.

Normally this would be the ideal config, except we're wanting to monitor internet use from a central device, and to do that efficiently we'd like to push all branch office traffic to the central office, where it will push authorized internet traffic out.

Obligatory ASCII diagram

PC1(Branch office, 192.168.10.25)---Cisco1(192.168.10.1/24 and 12.178.243.A/29)---IPSEC TUNNEL---Cisco2(12.191.90.B/27 and 192.168.1.220/24)

Cisco2's default gateway is 12.191.90.X, where X is the router in that subnet. If I make it 192.168.1.14 (my LAN gateway), IPSEC breaks.

Any Help?

Reply to
jrmann1999

You may wish to investigate:

IPSec NAT Transparency

The IPSec NAT Transparency feature addresses many known incompatibilities between NAT and IPSec.

Sincerely,

Brad Reese


Reply to
www.BradReese.Com

tunnel over nat. My tunnels are established, both ends have full public IP addresses. I just need one endpoint to use another for its default gateway, and get NATted going to the internet.

Reply to
jrmann1999

I'm not quite clear on what you're trying to do if I'm honest, but if you change the default route on Cisco2 to go to a local LAN address, then presumably you have added a route for 12.178.243.A/29 to go via 12.191.90.X so the IPSec peer is reachable still?

Also, when you want the branch office to access the Internet from the CO, is the Internet gateway at the CO the router that terminates the IPSec tunnel between the two? If it is, I don't see a way of doing the NAT as it will go in & out from the same 'outside' interface.

Wouldn't it be neater to set up a Linux box running squid (or insert your favourite OS/proxy here) at the CO and force the branch to use that instead....?

Just my thoughts before I head off for some seasonal debauchery :o)

Reply to
Al

Forgot to say - you'd probably be looking at creating a GRE tunnel protected by the IPSec VPN to put a default route through from the branch to the CO if you're going down that path....

Reply to
Al

Cisco2 is the central router, right? Why are you changing its default route?

You need to change the default route on Cisco1 to point to the tunnel. To allow IPSEC to work, you then need a more specific route for Cisco2's public address that points to the WAN link.

Reply to
Barry Margolin
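
Putting Barry's routing advice and Al's GRE-over-IPsec suggestion together in Cisco IOS syntax, as an added example that is not any poster's configuration: the tunnel addressing 10.255.0.0/30, the profile name HUB-PROFILE, ACL 110 and the bracketed interface and next-hop placeholders are assumptions, A, B and X are the placeholders from the diagram, and the existing IKE/IPsec policy is assumed to be wrapped in a crypto ipsec profile in place of a crypto map.

```cisco
! ===== Cisco1 (branch spoke): added example, not the poster's config =====
! Profile name assumed; it reuses the transform set from the tunnel that already works
crypto ipsec profile HUB-PROFILE
 set transform-set <EXISTING-TRANSFORM-SET>
!
! GRE tunnel between the two public addresses from the diagram; 10.255.0.0/30 is assumed
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 12.178.243.A
 tunnel destination 12.191.90.B
 tunnel protection ipsec profile HUB-PROFILE
!
! Barry's point: the spoke's default route goes into the tunnel, and a more specific
! route for the hub's public address keeps the GRE/ESP outer packets on the WAN link
! (without it the tunnel would route into itself and IOS disables it as recursive)
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route 12.191.90.B 255.255.255.255 <CISCO1-ISP-NEXT-HOP>

! ===== Cisco2 (central hub) =====
crypto ipsec profile HUB-PROFILE
 set transform-set <EXISTING-TRANSFORM-SET>
!
! Al's hairpin concern: with the tunnel as an "inside" interface, branch traffic is
! translated on its way out of the WAN rather than in and out of the same outside interface
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nat inside
 tunnel source 12.191.90.B
 tunnel destination 12.178.243.A
 tunnel protection ipsec profile HUB-PROFILE
!
interface <WAN-INTERFACE>
 ip address 12.191.90.B 255.255.255.224
 ip nat outside
!
interface <LAN-INTERFACE>
 ip address 192.168.1.220 255.255.255.0
 ip nat inside
!
! Hub default stays on the ISP (not 192.168.1.14); return route to the branch LAN via the tunnel
ip route 0.0.0.0 0.0.0.0 12.191.90.X
ip route 192.168.10.0 255.255.255.0 Tunnel0
! ACL 110 (number assumed) lists both LANs that may be translated
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 110 interface <WAN-INTERFACE> overload
```

Once the spoke's default route points into the tunnel, remove Cisco1's own "ip nat inside source" statement, otherwise the branch keeps translating locally and the hub sees 12.178.243.A instead of 192.168.10.x.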

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.