[c-nsp] Cisco VPN w/ IPsec and NAT

Bryan bryan at tec-works.com
Fri Sep 17 00:55:54 EDT 2004


So I have the need (long story) to set up an IPsec VPN tunnel into
another network to which I have no visibility.  It will be using SHA and
pre-shared keys, pretty standard.  The problem is, I need the VPN to route
7 non-contiguous subnets to which the far-end router is connected AND need
to have the VPN tunnel appear to be coming from 1 IP address for all 7
networks, so NAT is needed.  Yes, we realise that this will be strictly a
1-way tunnel.

So... I guess my question is: can I use the Tunnel interface as NAT
outside and then add some policy or static routes to route the traffic to
it?


Visible NAT IP: 10.96.103.68

Far end Networks: 10.174.2.0
                  10.174.58.0
                  10.24.16.0
                  10.96.31.0
                  10.207.10.0
                  10.207.58.0
                  10.207.72.0


! Phase 1: SHA hash and pre-shared key, as stated above
crypto isakmp policy 1
 hash sha
 authentication pre-share
crypto isakmp key cisco123 address <far end pub ip>

! Phase 2 transform set
crypto ipsec transform-set myset esp-3des esp-sha-hmac

! Crypto map entry needs a sequence number and the ipsec-isakmp keyword
crypto map mymap 10 ipsec-isakmp
 set peer <far end pub ip>
 set transform-set myset
 match address 101


I'm at a loss for how to get the NAT going over the IPsec tunnel.


Thanks in advance,


Bryan
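A worked IOS configuration for the setup described in the post, added here as an editorial example; it is not Bryan's config or a reply from the list. It assumes /24 masks on the seven far-end networks, an inside LAN interface FastEthernet0/0 and an outside interface FastEthernet0/1 (both interface names are placeholders), and that the peer's public address is filled in where the post wrote <far end pub ip>. The point it shows is the order of operations: for inside-to-outside traffic IOS applies NAT before it evaluates the crypto map, so the crypto ACL must match the post-NAT source (the single host 10.96.103.68) while the NAT rule selects traffic by its destination in the far-end networks. Because the post's design is a crypto map rather than a GRE tunnel, no Tunnel interface is involved; the crypto map and NAT outside both sit on the physical outside interface.

```cisco
! Phase 1 / Phase 2 as in the post, with the crypto map given a sequence
! number and the ipsec-isakmp keyword. cisco123 is the post's placeholder
! key; use a long random pre-shared key in production.
crypto isakmp policy 1
 hash sha
 authentication pre-share
crypto isakmp key cisco123 address <far end pub ip>
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer <far end pub ip>
 set transform-set myset
 match address 101
!
! Crypto ACL 101: "interesting traffic" is matched AFTER translation, so the
! source is the single NAT address, never the inside LANs. /24 masks on the
! far-end networks are an assumption; the post gave no masks.
access-list 101 permit ip host 10.96.103.68 10.174.2.0 0.0.0.255
access-list 101 permit ip host 10.96.103.68 10.174.58.0 0.0.0.255
access-list 101 permit ip host 10.96.103.68 10.24.16.0 0.0.0.255
access-list 101 permit ip host 10.96.103.68 10.96.31.0 0.0.0.255
access-list 101 permit ip host 10.96.103.68 10.207.10.0 0.0.0.255
access-list 101 permit ip host 10.96.103.68 10.207.58.0 0.0.0.255
access-list 101 permit ip host 10.96.103.68 10.207.72.0 0.0.0.255
!
! ACL 120 selects what gets translated: anything from the inside headed to a
! far-end network. Other inside traffic is not touched by this NAT rule.
access-list 120 permit ip any 10.174.2.0 0.0.0.255
access-list 120 permit ip any 10.174.58.0 0.0.0.255
access-list 120 permit ip any 10.24.16.0 0.0.0.255
access-list 120 permit ip any 10.96.31.0 0.0.0.255
access-list 120 permit ip any 10.207.10.0 0.0.0.255
access-list 120 permit ip any 10.207.58.0 0.0.0.255
access-list 120 permit ip any 10.207.72.0 0.0.0.255
!
! One-address pool plus "overload" = PAT: every inside host appears inside
! the tunnel as 10.96.103.68. This is also what makes the tunnel one-way:
! the far end has no way to initiate to a host hidden behind the PAT address.
ip nat pool VPN-POOL 10.96.103.68 10.96.103.68 netmask 255.255.255.255
ip nat inside source list 120 pool VPN-POOL overload
!
! Interface roles (placeholder names). Routing toward the far-end networks
! just has to send the packets out this outside interface; the crypto map
! then picks them up after NAT.
interface FastEthernet0/0
 description inside LAN(s)
 ip nat inside
!
interface FastEthernet0/1
 description outside, toward <far end pub ip>
 ip nat outside
 crypto map mymap
```

Two checks worth doing once this is in: `show ip nat translations` should show inside hosts mapped to 10.96.103.68 only for flows bound to the seven networks, and `show crypto ipsec sa` should show SAs whose local identity is 10.96.103.68/32 against each far-end network. The remote side's crypto ACL has to mirror ACL 101 exactly (each far-end network to host 10.96.103.68, one entry per network); a mismatch there is the usual cause of phase 2 failing with a proxy identity error even though phase 1 comes up.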
