2 Replies Latest reply on Nov 7, 2013 8:33 AM by noor

    NAT config with VPN

    fnbisson New Member

      Hi,

       

      I know there are already some discussions on this topic, but I still have some trouble establishing my VPN connection. I have also already looked at the NAT pool in AOS.

       

      I need to establish a VPN connection from my office to a customer's office. He gave me the subnets I need to use on my side and on his side. The subnet he gave me is not the same as my local subnet, so I need to use NAT. Here is my network setup.

       

      My office

      LAN 192.168.100.0 /24 ---> should be 10.154.135.0 /24 connecting to 10.120.134.0 /24

       

      Here is my config.

       

      ip crypto

      !

      crypto ike policy 100

        initiate main

        respond anymode

        local-id address 10.154.135.25

        peer X.X.X.X

        attribute 1

          encryption aes-256-cbc

          authentication pre-share

          group 2

          lifetime 86400

      !

      crypto ike remote-id address 10.120.134.1 preshared-key blablabla ike-policy 100 crypto map VPN 10 no-mode-config no-xauth

      !

      crypto ipsec transform-set esp-aes-256-cbc-esp-sha-hmac esp-aes-256-cbc esp-sha-hmac

        mode tunnel

      !

      crypto map VPN 10 ipsec-ike

        description Tunnel

        match address VPN-10-vpn-selectors

        set peer X.X.X.X

        set transform-set esp-aes-256-cbc-esp-sha-hmac

        set security-association lifetime seconds 86400

        set pfs group2

        ike-policy 100

      !

      no ethernet cfm

      !

      interface loop 1

        ip address  10.154.135.25  255.255.255.0

        ip address range  10.154.135.1  10.154.135.24  255.255.255.0  secondary

        ip address range  10.154.135.26  10.154.135.254  255.255.255.0  secondary

        no shutdown

      !

      interface eth 0/1

        ip address dhcp

        ip access-policy Public

        crypto map VPN

        no shutdown

      !

      interface eth 0/2

        encapsulation 802.1q

        no shutdown

      !

      interface eth 0/2.20

        vlan-id 20 native

        ip address  192.168.100.25  255.255.255.0

        ip access-policy Private

        no shutdown

      !

      ip access-list standard wizard-ics

        remark Internet Connection Sharing

        permit any

      !

      ip access-list extended inside

        permit ip 192.168.100.0 0.0.0.255  10.120.134.0 0.0.0.255  

      !     

      ip access-list extended outside

        permit ip 10.120.134.0 0.0.0.255  10.154.135.0 0.0.0.255  

      !

      ip access-list extended self

        remark Traffic to NetVanta

        permit ip any  any     log

      !

      ip access-list extended VPN-10-vpn-selectors

        permit ip 10.154.135.0 0.0.0.255  10.120.134.0 0.0.0.255  

      !

      ip nat pool pool1 static

        local 192.168.100.1 192.168.100.254 global 10.154.135.1 10.154.135.254

      !

      ip policy-class Private

        allow list self self

        nat source list wizard-ics interface eth 0/1 overload

        nat source list inside pool pool1 policy Public

      !

      ip policy-class Public

        nat destination list outside pool pool1
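
An added example (not part of the original post and not ADTRAN code) that traces a LAN packet through the two `nat source` entries of the posted Private policy-class and checks whether the post-NAT source still matches `VPN-10-vpn-selectors`. It assumes policy-class entries are evaluated top-down with the first match winning, and that a static pool translates 1:1 by offset; `wan_ip` is a constructed placeholder for the DHCP address on eth 0/1.

```python
import ipaddress

def ip(a):
    return int(ipaddress.IPv4Address(a))

def wild_match(addr, base, wildcard):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

# ACLs and pool copied from the posted config: (src, src wildcard, dst, dst wildcard)
ANY = ("0.0.0.0", "255.255.255.255")
ACLS = {
    "wizard-ics": ANY + ANY,  # standard list "permit any"
    "inside": ("192.168.100.0", "0.0.0.255", "10.120.134.0", "0.0.0.255"),
    "VPN-10-vpn-selectors": ("10.154.135.0", "0.0.0.255", "10.120.134.0", "0.0.0.255"),
}
POOL1 = (("192.168.100.1", "192.168.100.254"), ("10.154.135.1", "10.154.135.254"))

def permits(acl, src, dst):
    s, sw, d, dw = ACLS[acl]
    return wild_match(src, s, sw) and wild_match(dst, d, dw)

def pool_translate(addr, pool=POOL1):
    """Assumed static-pool behaviour: 1:1, offset-preserving; None if out of range."""
    (lo, hi), (glo, _) = pool
    if not ip(lo) <= ip(addr) <= ip(hi):
        return None
    return str(ipaddress.IPv4Address(ip(glo) + ip(addr) - ip(lo)))

# Private policy-class NAT entries in the posted order, and with the pool entry first.
POSTED = [("wizard-ics", "overload"), ("inside", "pool1")]
REORDERED = [("inside", "pool1"), ("wizard-ics", "overload")]

def trace(entries, src, dst, wan_ip="198.51.100.7"):  # wan_ip: constructed placeholder
    """Return (matched list, post-NAT source, matches VPN selectors?)."""
    for acl, action in entries:  # assumption: first matching entry wins
        if permits(acl, src, dst):
            new_src = wan_ip if action == "overload" else pool_translate(src)
            if new_src is None:
                return (acl, src, False)
            return (acl, new_src, permits("VPN-10-vpn-selectors", new_src, dst))
    return (None, src, False)
```

Under those assumptions, `trace(POSTED, "192.168.100.50", "10.120.134.10")` matches `wizard-ics` first and leaves with the WAN address, which the selectors do not cover, while `REORDERED` yields 10.154.135.50 and matches them.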

        • Re: NAT config with VPN
          levi Employee

          fnbisson:

           

          It appears you opened a ticket with ADTRAN Technical Support for assistance with this topic.  When you get a chance, will you please reply with the outcome?  Also, example two on page 8 of the Configuring NAT Pools in AOS explains the NAT over VPN application and provides an example configuration.

           

          Levi

            • Re: NAT config with VPN
              Employee

              fnbisson -

              I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.


              Thanks,

              Noor