After VPN NAT

Hello

I have the following problem and can't seem to find a solution.

I have 2 Cisco routers, A and B, with a VPN connection. Both routers have a serial interface pointing outside and an ethernet interface (call them A and B) pointing to the inside.

Traffic between subnet A and subnet B is NOT NATted and the VPN works great.

Now router B has a second ethernet interface (C), subnet C.

I added this subnet to the IPsec ACLs on both routers as I want to allow subnet A to access subnet C via the VPN.

The tunnel is up and no NAT is done over it.

However, on router B, access between subnet B and subnet C uses NAT:

interface B
 ip nat inside
!
interface C
 ip nat outside
!
ip nat inside source route-map NAT interface C overload
!
route-map NAT permit 10
 match ip address 123
!
access-list 123 permit ip SUBNET_B SUBNET_C

So far so good. Now the problem:

How can I NAT traffic from subnet A to subnet C?

I tried to add

access-list 123 permit ip SUBNET_A SUBNET_C

but it does not help: traffic coming out of the VPN seems not to be affected by the NAT rule, probably because it is not considered as coming from an interface with "ip nat inside".

Is there a way to do this without using tunnel interfaces?

Thanks in advance,

If I understand you correctly, you want traffic from subnet A to reach router B, be decrypted, NATted on interface B and then routed to interface C.

Please correct me if I'm wrong.

You can use PBR (policy-based routing) for this.

Create an ACL to identify the traffic:

access-list 101 permit ip SUBNET_A SUBNET_C

Create a loopback:

interface Loopback1
 ip address 1.1.1.1 255.255.255.252
 ip nat inside
exit

Create a route map to route the traffic after it is decrypted:

route-map pol_nat permit 10
 match ip address 101
 set ip next-hop 1.1.1.2
exit

Apply the route map to your WAN interface:

interface Serial0
 ip policy route-map pol_nat
exit

In this way, traffic is first decrypted and then routed to the loopback, which has 'ip nat inside' applied; from there it is routed to subnet C after being NATted by your NAT rule.

* Please rate if this helps.

-Kanishka
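To make the mechanism in this reply concrete, here is a small simulation of router B's NAT decision, added as an example that is not part of the thread or of any Cisco code. It models the IOS rule that inside-source NAT only fires for a packet that entered through an 'ip nat inside' interface and leaves through an 'ip nat outside' interface, and shows why the decrypted VPN packet (which enters on the serial interface) is never translated by ACL 123 alone, while the PBR-to-loopback path makes it eligible. Interface names, the 203.0.113.0/30 WAN link, the 192.168.x.0/24 subnets and the interface addresses are assumptions made up for the example; the thread only names them A, B and C.

```python
import ipaddress

# Constructed model of router B. Interface names, subnets and addresses are
# placeholders chosen for the example; the thread only names them A, B and C.
INTERFACES = {
    "Serial0":   {"subnet": "203.0.113.0/30", "ip": "203.0.113.1", "nat": None},
    "EthernetB": {"subnet": "192.168.2.0/24", "ip": "192.168.2.1", "nat": "inside"},
    "EthernetC": {"subnet": "192.168.3.0/24", "ip": "192.168.3.1", "nat": "outside"},
    "Loopback1": {"subnet": "1.1.1.0/30",     "ip": "1.1.1.1",     "nat": "inside"},
}
SUBNET_A, SUBNET_B, SUBNET_C = "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"
NAT_ACL_123 = [(SUBNET_B, SUBNET_C), (SUBNET_A, SUBNET_C)]  # including the entry the OP added
PBR_ACL_101 = [(SUBNET_A, SUBNET_C)]
PBR_NEXT_HOP = "1.1.1.2"                                      # 'set ip next-hop' in pol_nat


def acl_match(acl, src, dst):
    """True when some (source, destination) pair in the ACL covers the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b) for a, b in acl)


def egress_for(addr):
    """Longest-prefix match over connected subnets (the only routes in this model)."""
    ip = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(c["subnet"]).prefixlen, name)
            for name, c in INTERFACES.items() if ip in ipaddress.ip_network(c["subnet"])]
    return max(hits)[1] if hits else None


def forward(src, dst, ingress, pbr_on_serial=False):
    """Forward one already-decrypted packet through router B.

    Returns (interfaces traversed, source address on the wire, translated?).
    Inside-source NAT applies only when the packet entered through an
    'ip nat inside' interface, leaves through an 'ip nat outside' interface
    and matches the route-map ACL. The decrypted VPN packet enters on Serial0,
    which has no NAT role, so ACL 123 alone never fires for it.
    """
    path = [ingress]
    if pbr_on_serial and ingress == "Serial0" and acl_match(PBR_ACL_101, src, dst):
        # 'ip policy route-map pol_nat' on Serial0: the next hop lives on Loopback1,
        # so the packet is sent out the loopback and comes back in on it,
        # now counting as a packet from an 'ip nat inside' interface.
        loop = egress_for(PBR_NEXT_HOP)
        path.append(loop)
        ingress = loop
    egress = egress_for(dst)
    path.append(egress)
    translated = (INTERFACES[ingress]["nat"] == "inside"
                  and INTERFACES[egress]["nat"] == "outside"
                  and acl_match(NAT_ACL_123, src, dst))
    # 'interface C overload': the source is hidden behind interface C's own address
    wire_src = INTERFACES[egress]["ip"] if translated else src
    return path, wire_src, translated


if __name__ == "__main__":
    for args in [("192.168.2.10", "192.168.3.20", "EthernetB"),
                 ("192.168.1.10", "192.168.3.20", "Serial0"),
                 ("192.168.1.10", "192.168.3.20", "Serial0", True)]:
        print(args, "->", forward(*args))
```

The second case reproduces the original poster's observation (the ACL entry matches, yet nothing is translated because the ingress interface is not 'ip nat inside'); the third shows the same packet after the loopback detour, now leaving interface C with C's address as source.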

Tags: Cisco Security

Similar Questions

  • Site to Site VPN on IOS - impossible to route after VPN + NAT

    Hello

    I have problems with a VPN on 2 Cisco 8xx access routers: I am trying to set up a quick and dirty site-to-site VPN with source NAT at the VPN tunnel endpoint. This configuration is only intended to run for one day in the interim. I managed to get the VPN working and I traced the NAT translations at the VPN tunnel endpoint, but I couldn't get these translated packets to leave the access router, because the network that is the intended destination of the VPN traffic is not directly connected to the router. However, I can ping hosts directly connected to the access router through the VPN.

    Something causes routing not to work; I don't think it is the NATing, because I tried removing the NAT and I still couldn't trace any of the outgoing packets that should have been sent, so I suspect this feature is not included in the IOS of the Cisco 8xx router range.

    Am I stretching the VPN + NAT + routing features too far, or is there a configuration error in my setup?

    This is the configuration on the Cisco 8xx router (I provided only this VPN endpoint, as the other VPN endpoint works).

    VPN endpoints: 10.20.1.2 and 10.10.1.2

    Routing to 192.168.2.0 is needed via 192.168.1.2 to 192.168.1.254

    From 172.31.0.x to 192.168.1.x

    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname INSIDEVPN
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 xxxxxxxxxxxxxxx
    !
    no aaa new-model
    !
    !
    dot11 syslog
    no ip cef
    !
    !
    !
    !
    ip domain name xxxx.xxxx
    !
    multilink bundle-name authenticated
    !
    !
    username root password 7 xxxxxxxxxxxxxx
    !
    !
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
    crypto isakmp key xxxxxxxxxxxxx address 10.20.1.2
    !
    !
    crypto ipsec transform-set VPN-TRANSFORMATIONS esp-3des esp-sha-hmac
    !
    crypto map CRYPTOMAP 10 ipsec-isakmp
     set peer 10.20.1.2
     set transform-set VPN-TRANSFORMATIONS
     match address 100
    !
    archive
     log config
      hidekeys
    !
    !
    controller DSL 0
     line-term cpe
    !
    !
    !
    !
    interface BRI0
     no ip address
     encapsulation hdlc
     shutdown
    !
    interface FastEthernet0
     switchport access vlan 12
     no cdp enable
     crypto map CRYPTOMAP
    !
    interface FastEthernet1
     switchport access vlan 2
     no cdp enable
    !
    interface FastEthernet2
     switchport access vlan 2
     no cdp enable
    !
    interface FastEthernet3
     switchport access vlan 2
     no cdp enable
    !
    interface Vlan1
     no ip address
    !
    interface Vlan2
     ip address 192.168.1.1 255.255.255.248
     ip nat outside
     ip virtual-reassembly
    !
    interface Vlan12
     ip address 10.10.1.2 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     crypto map CRYPTOMAP
    !
    ip forward-protocol nd
    ip route 192.168.2.0 255.255.255.0 192.168.1.254
    ip route 10.20.0.0 255.255.0.0 10.10.1.254
    ip route 172.31.0.0 255.255.0.0 Vlan12
    !
    !
    no ip http server
    no ip http secure-server
    ip nat inside source static 172.31.0.2 192.168.1.11
    ip nat inside source static 172.31.0.3 192.168.1.12
    !
    access-list 100 permit ip 192.168.1.0 0.0.0.255 172.31.0.0 0.0.255.255
    access-list 100 permit ip 192.168.2.0 0.0.0.255 172.31.0.0 0.0.255.255
    !
    !
    control-plane
    !
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     password 7 xxxxxxxxx
     login
    !
    scheduler max-task-time 5000
    end

    Hi Jürgen,

    First of all, when I went through your config, I saw these lines:

    !
    interface Vlan2
     ip address 192.168.1.1 255.255.255.248
    !
    !
    ip route 192.168.2.0 255.255.255.0 192.168.1.254
    !

    With a 255.255.255.248 mask, 192.168.1.1 and 192.168.1.254 fall into different subnets. So I don't think you can reach the 192.168.2.0/24 subnet from the local router at this point. I think you should fix that first.

    Maybe have 192.168.1.2 255.255.255.248 on the connected router (instead of 192.168.1.254).

    Once this has been done, we will have to look at routing.

    You are NATting 172.31.0.2 -> 192.168.1.11.

    Now, in order for that to work, make sure that the NATted source addresses (192.168.1.11) are outside the router-to-router connected subnet (if you go with a 192.168.1.0/29 router-to-router subnet, with 192.168.1.1/29 on the local router and 192.168.1.2/29 on the connected router as suggested, it will be fine). So in this case your NATted source addresses fall into the 192.168.1.8/29 subnet.

    Have a static route on the connected router (192.168.1.2) for the network 192.168.1.8/29 pointing to 192.168.1.1:

    !
    ip route 192.168.1.8 255.255.255.248 192.168.1.1
    !

    Then the return packets will be correctly routed toward your local router.

    If you have an interface on the connected router which includes the NATted source address range, let's say 192.168.1.254/24, then even if your packets somehow reach 192.168.2.0/24, the return packets never go to the local router (192.168.1.1) because the connected router sees it as a connected subnet, so they will just time out.

    I hope I understood your scenario. Please make the changes and let me know how you went with it.

    Also, please don't forget to rate this post if useful.

    Shamal
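Both points in Shamal's reply (a static route whose next hop is on no connected subnet, and NAT mapped addresses that must lie outside the router-to-router link) are easy to check mechanically before pasting a config. The script below is an added example, not part of the thread and not a Cisco tool: it parses a constructed excerpt that mirrors Jürgen's Vlan2/Vlan12 addressing and static routes, flags routes with an unreachable next hop, and lists static-NAT mapped addresses that fall inside a given link subnet. The excerpt and the 192.168.1.0/29 link subnet passed to the second check are assumptions taken from the discussion above.

```python
import ipaddress
import re

# Constructed excerpt mirroring the addressing in Jürgen's config above.
CONFIG = """\
interface Vlan2
 ip address 192.168.1.1 255.255.255.248
 ip nat outside
!
interface Vlan12
 ip address 10.10.1.2 255.255.255.0
 ip nat inside
!
ip route 192.168.2.0 255.255.255.0 192.168.1.254
ip route 10.20.0.0 255.255.0.0 10.10.1.254
ip route 172.31.0.0 255.255.0.0 Vlan12
ip nat inside source static 172.31.0.2 192.168.1.11
ip nat inside source static 172.31.0.3 192.168.1.12
"""

IP_ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)$", re.M)
IP_ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)$", re.M)
NAT_STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)$", re.M)


def connected_networks(config):
    """Subnets the router is directly attached to, taken from 'ip address' lines."""
    return [ipaddress.ip_interface(f"{ip}/{mask}").network
            for ip, mask in IP_ADDR_RE.findall(config)]


def unreachable_next_hops(config):
    """Static routes whose next-hop IP is on no connected subnet.

    Returns [(prefix, next_hop)]. Routes that point at an interface name
    (e.g. 'ip route ... Vlan12') are left alone.
    """
    nets = connected_networks(config)
    bad = []
    for prefix, mask, nh in IP_ROUTE_RE.findall(config):
        try:
            hop = ipaddress.ip_address(nh)
        except ValueError:
            continue  # next hop given as an interface, not an address
        if not any(hop in n for n in nets):
            plen = ipaddress.ip_network(f"{prefix}/{mask}").prefixlen
            bad.append((f"{prefix}/{plen}", nh))
    return bad


def mapped_on_link_subnet(config, link_net):
    """Static-NAT mapped addresses that sit inside the router-to-router link
    subnet; Shamal's advice is that they should lie outside it so the peer
    needs (and honours) a route back for them."""
    link = ipaddress.ip_network(link_net)
    return [mapped for _real, mapped in NAT_STATIC_RE.findall(config)
            if ipaddress.ip_address(mapped) in link]


if __name__ == "__main__":
    print("unreachable next hops:", unreachable_next_hops(CONFIG))
    print("mapped inside /29 link:", mapped_on_link_subnet(CONFIG, "192.168.1.0/29"))
    print("mapped inside /24 link:", mapped_on_link_subnet(CONFIG, "192.168.1.0/24"))
```

Run against the excerpt it flags the 192.168.2.0/24 route via 192.168.1.254, which is exactly the line Shamal spotted; substituting 192.168.1.2 as next hop clears it. The second check shows why a /24 on the peer's link interface would swallow the 192.168.1.11/.12 mapped addresses, while a /29 link leaves them outside it.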

  • Need help to configure VPN NAT traffic to an external pool ip address on ASA

    Hello

    I need to configure NAT of VPN traffic to an external pool ip address on the ASA.

    For example:

    The outside ip address is 1.1.1.10

    VPN traffic must be NATted to 1.1.1.11

    If I try to configure policy NAT or static NAT, the ASA gives me the error "global address overlaps with mask".

    Please help me to solve this problem.

    Thank you & best regards,

    Ramanantsoa

    Thank you, and since you have just 1 IP (1.1.1.11) in the pool, the traffic can only be initiated from your site to the remote end.

    Here is the NAT configuration:

    access-list nat-vpn permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
    nat (inside) 5 access-list nat-vpn
    global (outside) 5 1.1.1.11

    In addition, the crypto ACL for the site-to-site tunnel should be as follows:

    access-list permit ip host 1.1.1.11 10.0.0.0 255.255.0.0

    Hope that helps.

  • no nat over vpn after vpn

    I have a site-to-site vpn from (my ASA) to a site (provider) with NAT on the outside interface of the device, and it works well. Behind (my ASA) I have another site-to-site vpn from a site (branch A) to (my ASA), and it works as well.

    My problem is that the traffic from my branch A to the provider clearly has no nat.

    My ASA

    object-group network attached
     network-object 192.168.1.0 255.255.255.0
    object-group network provider
     network-object 172.22.0.0 255.255.0.0
    object-group network allmyBranch
     network-object 192.168.0.0 255.255.0.0

    access-list inside extended permit ip object-group reteInside object-group attached
    access-list inside extended permit ip object-group allmyBranch object-group provider
    access-list nat0_acl extended permit ip object-group reteInside object-group attached
    access-list VPN-Hots extended permit ip object-group reteInside object-group attached
    access-list VPN-provider extended permit ip interface outside object-group provider
    access-list VPN-provider extended permit ip object-group allmyBranch object-group provider
    access-list ToSupplier extended permit ip object-group allmyBranch object-group provider

    global (outside) 1 interface
    nat (inside) 0 access-list nat0_acl
    nat (inside) 1 access-list ToSupplier

    Do you have any idea how to solve it? Is this possible?

    Thank you

    I'm glad to hear that.

    If the problem is resolved and you find it useful, please rate the thread and mark it as answered :-)

    Thank you.

    Federico.

  • ASA 8.3 - SSL VPN - NAT problem

    Need help to find out how to configure AnyConnect VPN with the VPN client using NAT to the internal network.

    There are many articles on the opposite topic - how to disable NAT for the vpn pool.

    I need to create the VPN gateway for a complex international network; the vpnpool is out of the range of the regular subnets of that network, so there would be routing questions without NAT.

    So I need connected vpn clients to be PATed to . The problem is that there is also a dynamic PAT rule for ordinary Internet access, which results in the 'asymmetric NAT rules...' error.

    Creating two different NAT rules and moving them up/down makes no difference. There are also some hidden rules of the vpn setup :-( that cannot be seen.

    v8.3 seems to be destroying trust in Cisco firewalls...

    Thank you.

    Stan,

    Something like this works for me.

    192.168.0.0/24---router--172.16.0.0/24 ASA-= cloud = host (the tunnel gets its IP address from the 'ON' pool, which is also connected to the inside)

    BSNs-ASA5520-10(config)# clear xlate
    INFO: 762 xlates deleted
    BSNs-ASA5520-10(config)# sh run nat
    nat (inside,outside) source static any any destination static SHARED SHARED
    !
    nat (inside,outside) after-auto source dynamic any interface
    BSNs-ASA5520-10(config)# sh run object network
    object network LOCAL_NETWORK
     subnet 192.168.0.0 255.255.255.0
    object network SHARED
     subnet 172.16.0.0 255.255.255.0
    BSNs-ASA5520-10(config)# sh run ip local pool
    ip local pool ALL 10.0.0.100-10.0.0.200
    ip local pool ON 172.16.0.100-172.16.0.155
    BSNs-ASA5520-10(config)# sh run tunne
    BSNs-ASA5520-10(config)# sh run tunnel-group
    tunnel-group DefaultWEBVPNGroup general-attributes
     address-pool ON

    If I get your drift... bypassing inside and outside is not really necessary on Cisco equipment as it should work straight out of the box via proxy arp, but I'm not a fan of such solutions for remote access.

    Marcin

  • System time malfunctioning after VPN - Windows XP Pro 2002 Service Pack 2

    According to group policy, my system time is synchronized to my company's time server.
    I can't change the time server. Not really sure where to look; it does not appear under the time properties, in any case.

    When I'm at work on our local network, my time is set correctly. I can reboot, and everything is good.

    When I'm at home or on the road and I VPN into work, my time is correct until I restart.
    After I reboot following a VPN session, my time is apparently on GMT +0 (+4 hours from where it should be).

    My time zone control shows that it is still set correctly (GMT -5 w/DST +1).
    If I run "net time" in both cases, I get the name of our time server.

    Any help would be appreciated.

    Hi Nailhead33,

    Thanks for visiting the Microsoft Windows XP community site. The question you have posted is related to domains and virtual private networks, and would be better suited to the TechNet community. Please visit the link below to find a community that will provide the support you want.

    http://TechNet.Microsoft.com/en-us/default.aspx Shawn - Support Engineer - MCP, MCDST
    Microsoft Answers Support Engineer
    Visit our Microsoft Answers Feedback Forum and let us know what you think

  • VPN - NAT Exemption?

    Hi all

    Just a mental block, I feel, at the moment.

    ASA 5585 running 9.0.x code - there is no NAT configuration at all on the box. This ASA firewall will terminate a site-to-site VPN.

    My question is - is a "NAT exemption" rule required... similar to the crypto ACL for the traffic in the tunnel... or is NAT exemption required only when NAT is configured?

    My apologies if this is a silly question

    Thank you

    James

    When there is no NAT config, the ASA will pass all traffic untranslated, which includes the tunnel traffic. So you're right, you don't need any NAT exemption.

    However, you can configure it. For example, if you plan to add NAT at a later stage, then it might be easier to implement NAT if your NAT exemption is already in place.

  • Configuration VPN - NAT-T support

    Hello

    A business partner (BP) has the following requirements. I don't know which config statements I need to use to ensure this connection is successful.

    The business partner (BP) needs to terminate the VPN tunnel on a firewall that is behind another firewall running NAT.

    (BP) will create UDP 500 and UDP 4500 endpoints on the NAT firewall which are forwarded to the VPN termination firewall.

    Because of this, the (BP) needs my side to support encapsulation of ESP over UDP (NAT-T).

    My ASA5500 series running code (825) has the statements:

    crypto isakmp nat-traversal 21
    crypto isakmp ipsec-over-tcp port 10000

    crypto map VPN # match address BP_VPN
    crypto map VPN # set peer (peer_ip)
    crypto map VPN # set transform-set AES_256_SHA

    tunnel-group (peer_ip) type ipsec-l2l
    tunnel-group (peer_ip) ipsec-attributes
     pre-shared-key (TBD)

    access-list BP_VPN extended permit tcp host 10.x.x.x host 172.16.x.x eq (specified port)
    access-list BP_VPN extended permit tcp host 10.x.x.y host 172.16.x.x eq (specified port)

    access-list NatExempt_VPN extended permit tcp host 10.x.x.x host 172.16.x.x eq (specified port)
    access-list NatExempt_VPN extended permit tcp host 10.x.x.y host 172.16.x.x eq (specified port)

    Please indicate whether these statements are sufficient and if not what else would be needed.

    You don't need the command

    crypto isakmp ipsec-over-tcp port 10000

    It is for the proprietary implementation that was used before NAT-T was available. You only need nat-traversal active. For your ACLs, using ports in there makes everything complicated. You should see if you can just use 'ip' here. If there are already VPNs configured on your ASA, then the config is probably ok. If this isn't the case, you must also configure ISAKMP and activate the crypto map on the interface.

  • ASA L2L VPN NAT

    We have a partner that we set up an L2L VPN with. Their internal host IP overlaps with our internal IP range. Unfortunately, they do not offer NAT on their side. Is it possible on the ASA to configure NAT so that my internal hosts will see, say, 1.1.1.1 and the ASA changes the overlapping internal address of the remote end?

    If this is the scenario

    192.168.5.0 <---> ASA1 <-- internet --> ASA2 <-->

    ASA1 (NAT will be applied)

    ASA2 (no NAT will be applied)

    You want to do something like this on ASA1:

    Change your source host or network to be 192.168.7.0 when communicating with the remote network. Change the remote network to appear as 192.168.8.0 when coming to your network on the ASA.

    !-- match ACL
    access-list acl_match_VPN permit ip 192.168.7.0 255.255.255.0 192.168.5.0 255.255.255.0

    !-- NAT ACL
    access-list vpn_nat permit ip 192.168.5.0 255.255.255.0 192.168.8.0 255.255.255.0

    !-- Translations
    static (outside,inside) 192.168.7.0 192.168.5.0 netmask 255.255.255.0 0 0
    static (inside,outside) 192.168.8.0 access-list vpn_nat

    Complete the VPN configuration using acl_match_VPN as the match ACL. Your inside hosts will have to use the 192.168.7.0 network when talking to the remote end.

    I hope this helps.
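The prose of this reply (our 192.168.5.0/24 appears to the partner as 192.168.7.0/24, the partner's overlapping 192.168.5.0/24 appears to us as 192.168.8.0/24) is easier to reason about when the two static network translations are written out. The following is an added example, not part of the thread and not ASA code: a model of bidirectional static network NAT that keeps the host bits and swaps only the network part, applied in both directions, with the crypto-ACL check done on post-NAT addresses as the ASA does. The four prefixes come from the reply; the host addresses used in the calls are made up for the example.

```python
import ipaddress

# Constructed model of the overlapping-subnet fix described in the reply above.
LOCAL_REAL = ipaddress.ip_network("192.168.5.0/24")     # our inside hosts
LOCAL_MAPPED = ipaddress.ip_network("192.168.7.0/24")   # what the partner sees us as
REMOTE_REAL = ipaddress.ip_network("192.168.5.0/24")    # partner's real range (overlaps ours)
REMOTE_MAPPED = ipaddress.ip_network("192.168.8.0/24")  # what our hosts use to reach the partner


def _shift(addr, from_net, to_net):
    """Static network NAT: keep the host bits, replace the network part.

    Raises ValueError when the address is not in the expected range, which is
    what happens if a host tries to reach the partner by their real (overlapping)
    addresses instead of the mapped 192.168.8.0/24.
    """
    a = ipaddress.ip_address(addr)
    if a not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    return str(to_net[int(a) - int(from_net.network_address)])


def outbound(src, dst):
    """Inside -> outside on ASA1: our real source becomes the mapped one and the
    mapped partner destination becomes their real address, before encryption."""
    return _shift(src, LOCAL_REAL, LOCAL_MAPPED), _shift(dst, REMOTE_MAPPED, REMOTE_REAL)


def inbound(src, dst):
    """Outside -> inside after decryption: both translations are reversed."""
    return _shift(src, REMOTE_REAL, REMOTE_MAPPED), _shift(dst, LOCAL_MAPPED, LOCAL_REAL)


def crypto_acl_matches(src, dst):
    """acl_match_VPN in the reply is written on post-NAT addresses:
    mapped local source, real remote destination."""
    return (ipaddress.ip_address(src) in LOCAL_MAPPED
            and ipaddress.ip_address(dst) in REMOTE_REAL)


if __name__ == "__main__":
    on_wire = outbound("192.168.5.10", "192.168.8.20")
    print("outbound on the wire:", on_wire, "crypto ACL:", crypto_acl_matches(*on_wire))
    print("reply as seen inside:", inbound("192.168.5.20", "192.168.7.10"))
```

The round trip shows why both halves are needed: without the (outside,inside) static the partner's real 192.168.5.20 would be indistinguishable from a local host, and without the (inside,outside) one the partner would receive packets from its own address range.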

  • VPN NAT help

    I need to configure NAT on a VPN tunnel to accomplish the following. I already have the tunnel up and running, I just need to confirm my NAT config.

    ASA running version 8.2(5)

    I only need to set up site A.

    The internal subnet at site A is 172.30.6.0/24 and I need to NAT this subnet to 172.31.183.0/24 when the destination subnet is 172.31.255.128/25.

    So here's what I thought.

    Policy NAT 172.30.6.0/24 to 172.31.183.0/24, the translation applying when the destination is 172.31.255.128/25.

    static (inside,outside) 172.31.183.0 access-list CBC-NAT-TRANSLATION

    access-list CBC-NAT-TRANSLATION extended permit ip 172.30.6.0 255.255.255.0 172.31.255.128 255.255.255.128

    Then I would need this:

    static (outside,inside) 172.31.255.128 172.30.6.0 netmask 255.255.255.0

    Does that sound about right?

    Thank you

    Mike

    Mike

    As I said, I have not used static policy NAT with a network, so I don't know if the host part of the IP address matches the host part in the NAT range, if you see what I mean.

    It might, but it may not be a concern for you anyway. You would need to watch the xlate table once you make the connection to know for sure.

    In addition, it means all devices in this subnet may send packets to each device in the remote subnet, but once again that may not be a cause for concern.

    But apart from that, yes, your config seems fine to me.

    I'd try with the first range and establish a connection, and then, if it works, check the xlate table to see exactly which IP it chose.

    Jon

  • Can access virtual servers, but not the host server after vpn

    When on the network, I can access the host server and all other virtual servers (virtualized with VirtualBox). But when I connect with VPN I have no access to the main server, although I have access to all of the hosted servers - and I can get access to the main server from one of the hosted servers.

    Where do I start looking?

    Using a 5505 with asa version 8.4(2).

    The nat setup is like this:

    3 (inside) to (outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
        translate_hits = 0, untranslate_hits = 0
    4 (inside) to (outside) source static any any destination static NETWORK_OBJ_192.168.1.128_27 NETWORK_OBJ_192.168.1.128_27 no-proxy-arp route-lookup
        translate_hits = 0, untranslate_hits = 0
    5 (inside) to (outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.254.0_28 NETWORK_OBJ_192.168.254.0_28 no-proxy-arp route-lookup
        translate_hits = 37, untranslate_hits = 63771
    6 (outside) to (outside) source dynamic NET-VPNPOOL interface
        translate_hits = 0, untranslate_hits = 0

    On the host, I see that you have 2 default gateways configured. It can have only 1 default gateway, and for the other interface you must configure static routes for specific access.

    The interface that needs to connect to the Internet should have the default gateway configured. The traffic that passes through the ASA interface should also go in and out through the same set of interfaces, i.e. if the host server connects via the dmz interface out to the outside interface, the return traffic must also go through this path, from the outside interface and back to the dmz interface.

  • vpn NATting traffic

    I have my vpn set up exactly as I need. Users can connect to the vpn and get an IP from 172.16.17.0/24. These users can then access machines hidden behind the asa on the private interface 172.16.16.1/24. Users on the 172.16.16.1 interface can also access any machine not on the private interface through the router using NAT. What I can not figure out is how to also allow vpn users to access any machine not on the private interface via NAT on the router interface. Help would be appreciated.

    ciscoasa# show route
    Gateway of last resort is a.b.c.1 to network 0.0.0.0

    C    172.16.16.0 255.255.254.0 is directly connected, igbprivate
    S    172.16.17.20 255.255.255.255 [1/0] via a.b.c.189, igbpublic
    C    a.b.c.0 255.255.252.0 is directly connected, igbpublic
    C    192.168.1.0 255.255.255.0 is directly connected, management
    S*   0.0.0.0 0.0.0.0 [1/0] via a.b.c.1, igbpublic

    access-list

    access-list 101 line 1 extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0

    nat statements in the running-config

    global (igbpublic) 1 interface
    nat (igbprivate) 0 access-list 101
    nat (igbprivate) 1 0.0.0.0 0.0.0.0

    If your VPN users connect on the public side of the ASA then I still think hairpinning is what you should look into. It is very similar to my problem in which I want VPN users to access the internet through the VPN. Packets from the VPN users must enter the public interface and go back out the same way. I hope I understand this.

  • Site to Site VPN NAT conflicts

    I have a site-to-site vpn between my main office and a branch office. Traffic flows correctly between them with the exception of some protocols. My main router has static NAT configured for port 25 and a few others. For each of these protocols that have a static nat, I can't send the traffic from my branch office to the IP in the static nat.

    i.e. I can't access port 25 on 172.16.1.1 from my branch office at 172.17.1.1, but I do have remote desktop access.

    It's like my NAT list is excluding the static entries that follow. I have posted the configs below. Any help would be appreciated.

    Main office: 2811

    Branch: 1841

    Both routers connected to the internet. Site-to-site VPN between them with the following config:

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key * address *.***.**.116
    !
    !
    crypto ipsec transform-set VPN-TS esp-3des esp-md5-hmac
    !
    crypto map VPN-map 10 ipsec-isakmp
     set peer *.***.**.116
     set transform-set VPN-TS
     match address VPN-TRAFFIC

    I have two IP addresses on the main router, .122 and .123.

    There is a deny list set up on both routers - this is the main office one:

    ip nat inside source list 100 interface FastEthernet0/0 overload

    access-list 100 remark =[Service NAT]=-
    access-list 100 deny ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
    access-list 100 permit ip 172.16.0.0 0.0.255.255 any
    access-list 100 permit ip 172.24.0.0 0.0.255.255 any

    To serve non-vpn clients on the internet, the following nat is configured to send e-mail to Exchange:

    ip nat inside source static tcp 172.16.1.1 25 *.***.**.122 25 extendable

    Try using policy NAT to exclude traffic from your servers from being NATted when going to the branch office network.

    Something like this:

    ip access-list extended STATIC_NAT
     deny ip host 172.16.1.1 172.17.1.0 0.0.0.255
     permit ip host 172.16.1.1 any

    (the deny entry acts as nat0 for traffic from the server to the branch)

    route-map policy-NAT permit 10
     match ip address STATIC_NAT

    ip nat inside source static tcp 172.16.1.1 25 *.***.**.122 25 route-map policy-NAT extendable

  • VPN / NATting issue - connectivity to 3rd Party Partner Site

    Hello

    I received a request to provide a connectivity solution between our private server 10.102.x.y and a 3rd party partner server 10.247.x.y via a site-to-site VPN. I want to hide our real IP of 10.102.x.y and replace it with 10.160.x.y (using NATting).

    The configuration is the following:

    3rd party partner server (10.247.x.y) -> 3rd party ASA FW -> IPsec VPN tunnel over the Internet -> Our ASA FW -> Our private server

    Private IP 10.102.x.y

    NAT'd IP 10.160.x.y

    My config entered so far (still awaiting the 3rd party to set up their ASA):

    name 10.160.x.y OurNat'dServer

    crypto isakmp policy 6
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 28800

    crypto ipsec transform-set 3rdParty esp-aes-256 esp-sha-hmac

    access-list 3rdParty extended permit ip host 10.160.x.y host 10.247.x.y

    tunnel-group 80.x.x.x type ipsec-l2l
    tunnel-group 80.x.x.x ipsec-attributes
     pre-shared-key xxxxxxxxx

    crypto map vpnmap 117 match address 3rdParty

    crypto map vpnmap 117 set peer 80.x.x.x

    crypto map vpnmap 117 set transform-set 3rdParty

    static (inside,outside) 10.160.x.y 10.102.x.y netmask 255.255.255.255

    Does the config meet my requirements and the envisaged solution, or is my understanding inaccurate?

    Any help on this would be appreciated.

    Thanks in advance,

    Hello

    That will actually break internet traffic for this server, because the external address that is sent over the internet will be 10.160.x.y. In the past, I did something like this:

    static (inside,outside) 10.160.x.y access-list policy-dest-3rdParty

    access-list policy-dest-3rdParty extended permit ip host 10.102.x.y host 10.247.x.y

    That will ONLY perform NAT on traffic from this server if the traffic is coming from the 10.247.x.y.

  • VPN NAT L2L networks problem - duplicate networks - HELP!

    I use an IOS router as an L2L VPN device to connect my site to several different customer locations, some of which use the same internal IP addresses. These VPNs have been working well.

    I recently added another client to this system and I am now having a problem with the new configuration. With this configuration, I have to NAT my internal addresses. NAT works, but it NATs to the wrong common NAT addresses and therefore does not bring up the tunnel.

    My internal IP 10.10.x.x

    incorrect NAT pool 10.129.x.x

    correct NAT pool 10.99.x.x

    Help... :))

    Thank you

    The problem is simple. You have an almost identical ACL for two customers. As the first NAT rule was added earlier, it comes into play. To resolve this issue, you must set an explicit host/subnet destination match instead of the 'any' keyword.

    For example like this:

    ip access-list extended ME-CRYPTO-ACL
     permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63

    ip access-list extended ME-NAT-ACL
     permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63

    ip access-list extended SA-CRYPTO-ACL
     permit ip 10.96.21.0 0.0.0.255 host 10.99.2.95

    ip access-list extended SA-NAT-ACL
     permit ip 10.10.10.0 0.0.0.255 host 10.99.2.95

    Another solution is more complex and harder to understand (and explain): you can use Virtual-Templates with tunnel protection for each customer, VRFs, and NAT for common services.

    ___

    HTH. Please rate this post if it has been helpful. If it solves your problem, please mark this message as "correct answer".
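The reply above boils down to an ordering problem: IOS evaluates route-map NAT entries in sequence and the first matching ACL wins, so two entries that both match "10.10.10.0/24 to any" send every customer's traffic into the first pool. The script below is an added example, not part of the thread and not IOS code. It models that first-match evaluation for a "broken" rule set with 'any' destinations and for the "fixed" one with explicit host destinations taken from the reply's ACLs, and includes a small shadowing check that reports entries which can never match. The pool prefixes 10.129.40.0/24 and 10.96.21.0/24 are the crypto-ACL sources from the reply; assigning them as NAT pools, and the source host used in the calls, are assumptions for the example.

```python
import ipaddress

# Constructed rule sets. Each entry is (route-map entry name, ACL, NAT pool);
# the prefixes reuse the addresses from the reply above, the pool assignment is assumed.
BROKEN = [
    ("ME-NAT-ACL", [("10.10.10.0/24", "any")], "10.129.40.0/24"),
    ("SA-NAT-ACL", [("10.10.10.0/24", "any")], "10.96.21.0/24"),
]
FIXED = [
    ("ME-NAT-ACL", [("10.10.10.0/24", "10.10.131.63/32")], "10.129.40.0/24"),
    ("SA-NAT-ACL", [("10.10.10.0/24", "10.99.2.95/32")], "10.96.21.0/24"),
]


def _entry_matches(entry, src, dst):
    """One ACL line: source prefix plus either 'any' or a destination prefix."""
    a, b = entry
    return (ipaddress.ip_address(src) in ipaddress.ip_network(a)
            and (b == "any" or ipaddress.ip_address(dst) in ipaddress.ip_network(b)))


def nat_pool_for(rules, src, dst):
    """First match wins, as IOS walks route-map NAT entries in order."""
    for name, acl, pool in rules:
        if any(_entry_matches(e, src, dst) for e in acl):
            return name, pool
    return None, None


def _covers(outer, inner):
    """True when ACL line 'outer' matches every packet that 'inner' matches."""
    (osrc, odst), (isrc, idst) = outer, inner
    src_ok = ipaddress.ip_network(isrc).subnet_of(ipaddress.ip_network(osrc))
    if odst == "any":
        dst_ok = True
    elif idst == "any":
        dst_ok = False
    else:
        dst_ok = ipaddress.ip_network(idst).subnet_of(ipaddress.ip_network(odst))
    return src_ok and dst_ok


def find_shadowed(rules):
    """Names of entries that can never match because an earlier entry covers them."""
    shadowed = []
    for i, (name, acl, _pool) in enumerate(rules):
        for _name, earlier_acl, _pool2 in rules[:i]:
            if all(any(_covers(e, x) for e in earlier_acl) for x in acl):
                shadowed.append(name)
                break
    return shadowed


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "->", nat_pool_for(rules, "10.10.10.5", "10.99.2.95"),
              "shadowed:", find_shadowed(rules))
```

With the broken set, a packet for the second customer's host 10.99.2.95 is translated into the first customer's pool, which is the symptom in the question (wrong NAT pool, so the second crypto ACL never sees matching traffic); with explicit destinations each customer hits its own entry and nothing is shadowed.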
