Velocity Reviews - Computer Hardware Reviews
Double tunnel and NAT - your suggestions.

AM
10-07-2005
I have an 837 and on it I built 2 kinds of tunnels:
1) one to headquarters;
2) VPN clients to access a server behind eth0.

I would like VPN clients to have access to HQ resources.

I studied 2 solutions but each one has its pros and cons; one has to be more clearly developed:

1) I assigned to the VPN clients a pool belonging to the LAN behind the router. I mean 192.168.150.232-239 of 192.168.150/24. It works fine both to machines behind eth0 and to headquarters, but it works only because the router has proxy ARP enabled on eth0;
2) I assigned a completely different pool (192.168.160.232-239) but now I don't know how to NAT them when packets must reach the headquarters. Keep in mind I can not change IPsec settings on the device at the HQ, so for it I must "produce" packets coming from the LAN behind eth0. So how do I do NAT coming from one interface (dialer in this case) and going out from the same? Do you think that using loopback interfaces and route-maps could help me? Perhaps more than one?


Thanks Alex.
dt1649651@yahoo.com
10-07-2005
For the 2nd case, for accessing the internal network (HQ in this case), why do you have to use NAT? In my opinion, exclude this pool 192.168.160.232-39 from the NAT rules, on both your router and the HQ router, and set up the ACL to allow this pool to access where it is supposed to.

DT

AM
10-10-2005
dt1649651@yahoo.com wrote:
> For the 2nd case, for accessing the internal network (HQ in this
> case), why do you have to use NAT? In my opinion, exclude this pool
> 192.168.160.232-39 from the NAT rules, on both your router and the HQ
> router, and set up the ACL to allow this pool to access where it is
> supposed to.


Thanks dt,

but I wouldn't do that because I've already set up the VPN between the spoke router and the HQ. The "problem" is the traffic allowed to be protected. As I have 40 tunnels like that, I'd prefer to solve the problem locally on the router without adding the range 192.168.16.232-239 to the tunnel. Moreover, the way you specified forces me to assign a different pool for each router and for each tunnel. Moreover, I must double the ACLs on the PIX to access HQ resources (even if I could use groups on it). Again, I would like to use numbering that is easy to remember, and choosing a pool belonging to the LAN behind the router ought to help me debug access to HQ: the VPN client would remain the same, I'd only have to change the NAT statement and not chase ACLs.

Alex
matt
10-18-2005
Hello...

The problem you're having is the "next step" in an architecture that I'm trying to configure, but you've already figured out how to make VPN client traffic turn around at the router and head off to HQ in your other tunnel. Would you mind posting your config?

It'd be a great help to many of us, I suspect, who are not IOS engineers, but know just enough to be frustrated!

Thanks in advance.
--matt

AM
10-25-2005
matt wrote:
> Hello...
>
> The problem you're having is the "next step" in an architecture that I'm
> trying to configure, but you've already figured out how to make VPN
> client traffic turn around at the router and head off to HQ in your
> other tunnel. Would you mind posting your config?


Just use a pool belonging to the LAN behind the router for the VPN clients and you're done. Be sure to have the proxy ARP feature enabled on your router. Moreover, add static routes to tell the router that that pool is connected to the WAN interface.


Alex.
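A minimal IOS configuration sketch of the approach Alex describes (client pool carved out of the LAN subnet, proxy ARP on the LAN interface, a static route sending the pool toward the dialer, and a crypto ACL to HQ that covers the whole LAN so re-routed client packets are tunnelled with a LAN source address). This is an added example, not Alex's posted config or any vendor sample; the HQ network 10.10.0.0/24, HQ peer 203.0.113.1, interface names, ACL numbers and the key placeholders are assumptions, and Xauth user authentication is left out.

```cisco
! Assumed: LAN behind Ethernet0 is 192.168.150.0/24, HQ LAN 10.10.0.0/24,
! HQ peer 203.0.113.1; VPN clients get .232-.239 of the local LAN.
ip local pool VPNCLIENTS 192.168.150.232 192.168.150.239
!
interface Ethernet0
 ip address 192.168.150.1 255.255.255.0
 ip proxy-arp
 ip nat inside
!
interface Dialer1
 ip address negotiated
 ip nat outside
 crypto map CMAP
!
! Pool "lives" on the WAN side: replies to clients must re-enter the
! dynamic tunnel instead of being ARPed for on Ethernet0
ip route 192.168.150.232 255.255.255.248 Dialer1
!
! Crypto ACL to HQ covers the whole LAN, so a decrypted client packet
! routed back out Dialer1 re-matches it and HQ sees a LAN address
access-list 110 permit ip 192.168.150.0 0.0.0.255 10.10.0.0 0.0.0.255
! Split-tunnel ACL pushed to clients: local LAN plus HQ LAN
access-list 120 permit ip 192.168.150.0 0.0.0.255 any
access-list 120 permit ip 10.10.0.0 0.0.0.255 any
! Keep LAN->HQ traffic out of PAT; everything else to the Internet is PATed
access-list 130 deny   ip 192.168.150.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 130 permit ip 192.168.150.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address 130
ip nat inside source route-map NONAT interface Dialer1 overload
!
aaa new-model
aaa authorization network VPNGROUPS local
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key HQ-KEY-PLACEHOLDER address 203.0.113.1
crypto isakmp client configuration group VPNGROUP
 key GROUP-KEY-PLACEHOLDER
 pool VPNCLIENTS
 acl 120
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto dynamic-map DYN 10
 set transform-set TS
crypto map CMAP isakmp authorization list VPNGROUPS
crypto map CMAP client configuration address respond
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 110
crypto map CMAP 20 ipsec-isakmp dynamic DYN
```

Because the client pool sits inside 192.168.150.0/24, the HQ side's existing crypto ACL and PIX rules for that LAN already cover client traffic, which is why no NAT statement is needed on the spoke for the client-to-HQ direction.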