[c-nsp] Re: Cisco VPN w/ IPsec and NAT

Bryan bryan at tec-works.com
Fri Sep 17 01:04:08 EDT 2004


Sorry, it's late, forgot to mention that the private interface that needs
to be seen by the distant end is a single host IP given by the distant end,
so it isn't on my network at all.

FE0/0
ip address 1.1.1.1

FE0/1
ip address 192.168.101.0/24

Would a tunnel interface be in order?



>
> So I have the need (long story) to set up an IPsec VPN tunnel into
> another network to which I have no visibility.  It will be using SHA and
> pre-shared keys, pretty standard.  The problem is, I need the VPN to route
> 7 non-contiguous subnets to which the far end router is connected AND need
> to have the VPN tunnel appear to be coming from 1 IP address for all 7
> networks, so NAT is needed.  Yes, we realise that this will be strictly a
> 1-way tunnel.
>
> So... I guess my question is, can I use the Tunnel interface as a NAT
> outside and then add some policy or static routes to route the traffic to
> it?
>
>
> Visible NAT IP: 10.96.103.68
>
> Far end Networks: 10.174.2.0
>                   10.174.58.0
>                   10.24.16.0
>                   10.96.31.0
>                   10.207.10.0
>                   10.207.58.0
>                   10.207.72.0
>
>
> crypto isakmp policy 1
>  hash sha
>  authentication pre-share
> crypto isakmp key cisco123 address <far end pub ip>
>
> crypto ipsec transform-set myset esp-3des esp-sha-hmac
>
> ! IOS requires a sequence number and the ipsec-isakmp keyword here (10 is an assumed value)
> crypto map mymap 10 ipsec-isakmp
>  set peer <far end pub ip>
>  set transform-set myset
>  match address 101
>
>
> I'm at a loss for how to get the NAT going over the IPsec tunnel.
>
>
> Thanks in advance,
>
>
> Bryan
>
>
>
>

