[VPN] Cisco VPN before NAT Mar 13 2007 11:11AM
VPN user (list vpn shmoo centerpoint be)

I have the following problem, and can't seem to find a solution.

I have 2 Cisco routers, A and B, with a VPN connection. Both routers
have a serial interface pointing to the outside and an ethernet interface
(let's call them A and B) pointing to the inside.

Traffic between subnet A and B is NOT NATed and the VPN works fine.

Now, router B has a second ethernet interface (C), to subnet C.

I added this subnet to the IPsec ACLs on both routers as I want to
allow subnet A to access subnet C through the VPN.
The tunnel is up and running with no NAT being done.

However, on router B, access from subnet B to C is NATed:

interface B
 ip nat inside
interface C
 ip nat outside
ip nat inside source route-map NAT interface C overload
route-map NAT permit 10
 match ip address 123
access-list 123 permit ip SUBNET_B SUBNET_C

So far so good. Now the problem:
How can I NAT traffic from subnet A to subnet C?

I tried adding
access-list 123 permit ip SUBNET_A SUBNET_C
but this doesn't help as traffic coming out of the VPN seems not to be
affected by the NAT rule, probably because it is not considered coming
from an interface with "ip nat inside".

Is there a way of doing this without using tunnel interfaces?

Thanks in advance.

VPN mailing list
VPN (at) lists.shmoo (dot) com [email concealed]
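As an added example (not part of the post, and not Cisco code), here is a small Python model of the domain-NAT decision the poster is describing: IOS applies an inside-source translation only when a packet enters an "ip nat inside" interface, leaves an "ip nat outside" interface, and matches the route-map's ACL. Interface names, subnet addresses and the overload address are constructed placeholders for the post's A/B/C and SUBNET_A/B/C.

```python
import ipaddress

# Router B interfaces and their NAT roles, taken from the post's config.
NAT_ROLE = {
    "Serial0": None,         # VPN traffic is decrypted here; no NAT role
    "EthernetB": "inside",   # ip nat inside
    "EthernetC": "outside",  # ip nat outside
}

# Subnet addresses are constructed placeholders for SUBNET_A/B/C.
SUBNET_A = ipaddress.ip_network("10.0.0.0/24")   # reached through the VPN
SUBNET_B = ipaddress.ip_network("10.1.0.0/24")
SUBNET_C = ipaddress.ip_network("10.2.0.0/24")
ROUTES = {"Serial0": SUBNET_A, "EthernetB": SUBNET_B, "EthernetC": SUBNET_C}

# access-list 123 after the poster's attempted second entry.
ACL_123 = [(SUBNET_B, SUBNET_C), (SUBNET_A, SUBNET_C)]

OVERLOAD_ADDR = "10.2.0.1"  # interface C address used for overload (PAT)

def egress_interface(dst):
    """Pick the outgoing interface; the constructed subnets do not overlap."""
    dst = ipaddress.ip_address(dst)
    for ifname, net in ROUTES.items():
        if dst in net:
            return ifname
    raise ValueError(f"no route to {dst}")

def acl_permits(src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in ACL_123)

def translate(ingress, src, dst):
    """Return (source after NAT, reason). Inside-source NAT fires only when
    the packet enters an 'ip nat inside' interface, leaves an 'ip nat outside'
    interface, and matches the route-map's ACL."""
    egress = egress_interface(dst)
    if NAT_ROLE[ingress] != "inside":
        return src, f"ingress {ingress} has no 'ip nat inside'"
    if NAT_ROLE[egress] != "outside":
        return src, f"egress {egress} has no 'ip nat outside'"
    if not acl_permits(src, dst):
        return src, "no match in access-list 123"
    return OVERLOAD_ADDR, "translated (overload)"

if __name__ == "__main__":
    # B -> C is translated, as observed; A -> C arriving decrypted on
    # Serial0 is left alone even though the ACL now matches it.
    print(translate("EthernetB", "10.1.0.5", "10.2.0.9"))
    print(translate("Serial0", "10.0.0.5", "10.2.0.9"))
```

Running it shows why adding the SUBNET_A entry to ACL 123 is not enough on its own: the ACL matches, but the decrypted packet never crosses an inside-to-outside boundary.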

Copyright 2010, SecurityFocus