Double tunnel and NAT - your suggestions.

Discussion in 'Cisco' started by AM, Oct 7, 2005.

  1. AM

    AM Guest

    I have a 837 and on it I built 2 kinds of tunnels:
    1) one to headquarter;
    2) VPNclients to access a server behind eth0.

    I would like VPN clients to have access to HQ resources.

    I studied 2 solutions but each one has its pros and cons; one has to be more clearly developed:

    1) I assigned to VPN clients a pool belonging to the LAN behind the router. I mean 192.168.150.232-239 of
    192.168.150/24.
    It works fine both to machines behind the eth0 and to headquarters, but it works only because the router has proxy ARP
    enabled on eth0;
    2) I assigned a completely different pool (192.168.160.232-239) but now I don't know how to NAT them when packets must
    reach the headquarters. Keep in mind I can not change IPsec settings on the device at the HQ, so for it I must "produce"
    packets coming from the LAN behind the eth0. So how to do NAT coming from one interface (dialer in this case) and going
    out from the same? Do you think that using loopback interfaces and route-maps could help me? Perhaps more than one?


    Thanks, Alex.
     
    AM, Oct 7, 2005
    #1

  2. AM

    Guest

    For the 2nd case, for accessing the internal network (HQ in this
    case) why do you have to use NAT? In my opinion, exclude this pool
    192.168.160.232-39 from those NAT rules, on both your router and the HQ
    router, and set up the ACL to allow this pool to access where it is
    supposed to.

    DT
     
    , Oct 8, 2005
    #2

  3. AM

    AM Guest

    wrote:
    > For the 2nd case, for accessing to the internal network ( HQ in this
    > case ) why do you have to use NAT ? In my opinion, exclude this pool
    > 192.168.160.232-39 from that NAT rules, on both your router and the HQ
    > router, and set up the ACL to allow this pool to access to where it is
    > supposed to.


    Thanks DT,

    but I wouldn't do that because I've already set up the VPN between the spoke router and the HQ. The "problem" is the traffic
    allowed to be protected. As I have 40 tunnels like that, I'd prefer to solve the problem locally on the router without
    adding the range 192.168.16.232-239 to the tunnel. Moreover, the way you specified forces me to assign a different pool for
    each router and for each tunnel. Moreover, I must double the ACLs on the PIX to access HQ resources (even if I could use
    groups on it). Again, I would use numbering that is easy to remember, and choosing a pool belonging to the LAN behind the router
    ought to help me debug access to HQ: the VPN client would remain the same, I'd only have to change the NAT statement
    and not have to run behind ACLs.

    Alex
     
    AM, Oct 10, 2005
    #3
  4. AM

    matt Guest

    Hello...

    The problem you're having is the "next step" in an architecture that I'm
    trying to configure, but you've already figured out how to make VPN
    client traffic turn around at the router and head off to HQ in your
    other tunnel. Would you mind posting your config?

    It'd be a great help to many of us, I suspect, who are not IOS
    engineers, but know just enough to be frustrated! :)

    Thanks in advance.
    --matt
     
    matt, Oct 18, 2005
    #4
  5. AM

    AM Guest

    matt wrote:
    > Hello...
    >
    > The problem you're having is the "next step" in a architecture that i'm
    > trying to configure, but you've already figured out how to make VPN
    > client traffic turn around at the router and head off to HQ in your
    > other tunnel. would you mind posting your config?


    Just use a pool, belonging to the LAN behind the router, for VPN clients and you're done. Be sure to have the proxy ARP
    feature enabled on your router. Moreover, put static routes to tell the router that that pool is connected to the WAN interface.


    Alex.
     
    AM, Oct 25, 2005
    #5
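The approach Alex describes (LAN-range pool, proxy ARP, static routes towards the WAN side), written out as an IOS configuration fragment. This is an added example, not Alex's actual 837 config: the interface names (Ethernet0 facing the LAN, Dialer0 on the WAN side), the router's LAN address and the pool name are assumptions; the addresses are the ones from the thread.

```cisco
! Added example, not the poster's configuration. Interface names, the
! router's LAN address (.1) and the pool name are assumptions.
!
! LAN behind the router: 192.168.150.0/24 on Ethernet0
interface Ethernet0
 ip address 192.168.150.1 255.255.255.0
 ! Proxy ARP (on by default in IOS, shown explicitly): the router answers
 ! ARP requests from LAN hosts for the client addresses .232-.239, which
 ! are not physically on this segment but reachable via another interface.
 ip proxy-arp
!
! VPN client pool carved out of the LAN range: 192.168.150.232-239 is a /29
ip local pool VPNCLIENTS 192.168.150.232 192.168.150.239
!
! More-specific route for the pool pointing at the WAN interface. Without it
! the router would treat the pool as part of the connected /24 and ARP for
! the clients on Ethernet0; with it, replies from LAN hosts go back into the
! client tunnels, and proxy ARP has a route to answer on behalf of.
ip route 192.168.150.232 255.255.255.248 Dialer0
!
! Because the pool sits inside 192.168.150.0/24, the crypto ACL already
! protecting LAN-to-HQ traffic also matches client traffic, so the HQ end
! needs no change (the constraint stated in the first post).
```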
