Document ID: 44402
Updated: Feb 02, 2006
Introduction
This document demonstrates how to configure the Network Address Translation (NAT) over LAN-to-LAN feature as introduced in Cisco VPN 3000 Concentrator 3.6. This feature allows you to configure the IPsec LAN-to-LAN tunnel with overlapping private networks on each side of the VPN tunnel.
With the NAT over LAN-to-LAN feature enabled, packets that come into the private interface of the VPN Concentrator are translated according to the defined NAT rule before they are encrypted. On the other side, the VPN packets that reach the public interface of the VPN Concentrator are translated according to the defined NAT rules after they are decrypted.
Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:
- You have performed the initial configuration steps for the VPN Concentrators in order to get Internet connectivity.
- Familiarity with standard LAN-to-LAN IPsec tunnel configurations that use VPN Concentrators. Refer to Configuring a Central Cisco VPN 3000 Concentrator to Allow Communication Between Spokes for further reference.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco VPN 3005 Concentrator version 3.6
Note: This document was recently reviewed with 4.x code on October 4, 2004.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Network Diagram
This document uses this network setup:
This network diagram shows that private LAN 1 and private LAN 2 have overlapping networks of 10.1.1.0/24. The configuration examples in this document demonstrate how to configure the NAT over LAN-to-LAN feature so that the hosts on the two private LANs can communicate easily through the IPsec tunnel between the Cisco VPN 3005-1 and Cisco VPN 3005-2 Concentrators.
This table highlights the translation scheme used in this example to map the overlapping networks on each side to different subnets and corresponding interesting traffic for the IPsec LAN-to-LAN tunnel:
NAT Table: 3005-1

| Source Network | Translated Network | Remote Network |
|---|---|---|
| 10.1.1.0/24 | 30.1.1.0/24 | 20.1.1.0/24 |

Note: In the IPsec LAN-to-LAN tunnel configuration on 3005-1, the Local Network is 30.1.1.0/24 and the Remote Network is 20.1.1.0/24.

NAT Table: 3005-2

| Source Network | Translated Network | Remote Network |
|---|---|---|
| 10.1.1.0/24 | 20.1.1.0/24 | 30.1.1.0/24 |

Note: In the IPsec LAN-to-LAN tunnel configuration on 3005-2, the Local Network is 20.1.1.0/24 and the Remote Network is 30.1.1.0/24.
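As an added illustration (not from the Cisco document), this Python simulation applies the two static rules from the NAT tables above to one packet in each direction: translation before encryption on the sending concentrator, and after decryption on the receiving one. The rule names, helper functions and sample host addresses (10.1.1.5 and 10.1.1.7) are constructed for the example; it also includes a check for the configuration pitfall the document stresses, that the tunnel's Local and Remote Networks must be the translated subnets.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class L2LNatRule:
    """One static LAN-to-LAN NAT rule, using the document's three column names."""
    source: ipaddress.IPv4Network      # real private LAN behind this concentrator
    translated: ipaddress.IPv4Network  # subnet the remote side sees instead
    remote: ipaddress.IPv4Network      # remote LAN as seen through the tunnel

def _map_host(addr, from_net, to_net):
    """Static 1:1 NAT: keep the host bits, swap the network bits."""
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.IPv4Address(int(to_net.network_address) + host_bits)

def outbound(rule, src, dst):
    """Private -> public interface: translate BEFORE encryption, matching traffic only."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if src in rule.source and dst in rule.remote:
        return str(_map_host(src, rule.source, rule.translated)), str(dst)
    return str(src), str(dst)  # not interesting traffic: left untouched

def inbound(rule, src, dst):
    """Public -> private interface: undo the translation AFTER decryption."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if src in rule.remote and dst in rule.translated:
        return str(src), str(_map_host(dst, rule.translated, rule.source))
    return str(src), str(dst)

def tunnel_networks_ok(rule, local_net, remote_net):
    """Check the pitfall the document warns about: the tunnel's Local/Remote
    Network must be the translated subnets, not the real 10.1.1.0/24."""
    return (ipaddress.IPv4Network(local_net) == rule.translated
            and ipaddress.IPv4Network(remote_net) == rule.remote)

# NAT plan from the document's tables (constructed here for the simulation).
RULE_3005_1 = L2LNatRule(ipaddress.IPv4Network("10.1.1.0/24"),
                         ipaddress.IPv4Network("30.1.1.0/24"),
                         ipaddress.IPv4Network("20.1.1.0/24"))
RULE_3005_2 = L2LNatRule(ipaddress.IPv4Network("10.1.1.0/24"),
                         ipaddress.IPv4Network("20.1.1.0/24"),
                         ipaddress.IPv4Network("30.1.1.0/24"))

def trace_lan1_to_lan2(src, dst):
    """Follow one packet from a LAN 1 host to a LAN 2 host through both boxes."""
    on_the_wire = outbound(RULE_3005_1, src, dst)   # what the ESP payload carries
    delivered = inbound(RULE_3005_2, *on_the_wire)  # what the LAN 2 host receives
    return on_the_wire, delivered
```

`trace_lan1_to_lan2("10.1.1.5", "20.1.1.7")` returns `(("30.1.1.5", "20.1.1.7"), ("30.1.1.5", "10.1.1.7"))`: the LAN 1 host appears as 30.1.1.5 on the far side, and the address it reached as 20.1.1.7 is delivered to the real host 10.1.1.7. A packet between two LAN 1 hosts is not interesting traffic and passes through `outbound` unchanged.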
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Configure the Cisco VPN 3005-1 Concentrator
Complete these steps to configure the Cisco VPN 3005-1 Concentrator with an IP address of 172.16.172.36.
- Select Configuration > System > Tunneling Protocols > IPSec > LAN-to-LAN > Modify to define a LAN-to-LAN tunnel on the Cisco VPN 3005-1 Concentrator (172.16.172.36). One important thing to notice is that the IP addresses in Local Network and Remote Network need to be the translated IP subnets as planned in the translation table.
- Complete these steps from the Modify window:
  - Enter the name for your LAN-to-LAN connection in the Name field.
  - Select the interface for your LAN-to-LAN connection from the Interface drop-down list.
  - Enter the IP address of the remote peer for your LAN-to-LAN connection in the Peer field.
  - Select the digital certificate to use from the Digital Certificate drop-down list.
  - Choose how to send the digital certificate to the IKE peer from Certificate Transmission. Select either Entire Certificate chain or Identity Certificate only.
  - Enter the preshared key for your LAN-to-LAN connection in the Preshared Key field.
  - Specify the packet authentication mechanism to use from the Authentication drop-down list.
  - Select the encryption mechanism to use from the Encryption drop-down list.
  - Select the IKE proposal to use for this LAN-to-LAN connection from the IKE Proposal drop-down list.
  - Select the filter to apply to the traffic that is tunneled through the LAN-to-LAN connection from the Filter drop-down list.
  - Select the NAT-T check box to allow NAT-T compatible IPsec peers to establish your LAN-to-LAN connection through a NAT device. You must also enable IPsec over NAT-T under NAT Transparency.
  - Choose the bandwidth policy to apply to your LAN-to-LAN connection from the Bandwidth Policy drop-down list.
  - Select the routing mechanism to use from the Routing drop-down list.
    Note: You do not need to specify the next set of parameters if you choose Network Autodiscovery.
    a. Select the local network address list or the IP address and wildcard mask for this LAN-to-LAN connection from the Network List drop-down field.
    b. Enter the IP address in the IP Address field.
    c. Enter the wildcard mask (reverse of a subnet mask) in the Wildcard Mask field.
  - Repeat steps a through c for the Remote Network section and click Apply to apply the LAN-to-LAN tunnel configuration.
- After you apply the LAN-to-LAN tunnel configuration, click LAN-to-LAN NAT Rules to define the NAT for the LAN-to-LAN tunnel.
- Click Add to add a LAN-to-LAN connection, or select a connection and click either Modify or Delete from the LAN-to-LAN Connection field.
- Select Configuration > Policy Management > Traffic Management > NAT > LAN-to-LAN Rules > Modify to add a LAN-to-LAN NAT rule based on the NAT plan defined earlier in this document, then complete these steps.
  Note: In this case, the 10.1.1.0/24 network behind the VPN 3005-1 Concentrator is translated to 30.1.1.0/24 when it communicates with the private LAN behind the VPN 3005-2 Concentrator through the IPsec LAN-to-LAN tunnel.
  - Select either Static, Dynamic, or PAT to modify a LAN-to-LAN NAT rule.
  - Enter the IP Address and Wildcard Mask in the Source Network, Translated Network, and Remote Network column fields.
  - Click Apply.
- Select Configuration > Policy Management > Traffic Management > NAT > Enable to enable the LAN-to-LAN NAT rule.
- Select Check to enable NAT rules on LAN-to-LAN tunnels from the Enable window and click Apply.
- Select Configuration > System > IP Routing > Static Routes to verify the routing configuration. In this case, a simple default route is used.
Verify the Configuration
This section provides information you can use to confirm your configuration works properly.
After you complete this configuration, test the IPsec tunnel by sending traffic between the two private LANs. Note that the hosts on private LAN 1 see the private LAN 2 as 20.1.1.0/24 and the hosts on private LAN 2 see private LAN 1 as 30.1.1.0/24.
This process demonstrates how to verify and monitor the IPsec sessions from the Cisco VPN 3005-1 Concentrator.
- Select Administration > Administer Sessions on the Cisco VPN 3005-1 Concentrator.
- Select Administration > Administer Sessions > Detail to view detailed information on the IPsec SAs.
Troubleshoot the Configuration
Refer to Troubleshooting Connection Problems on the Cisco VPN 3000 Concentrator for additional information on troubleshooting Cisco VPN 3000 Concentrator connection issues.
Configure the Cisco VPN 3005-2 Concentrator
Complete these steps to configure the Cisco VPN 3005-2 Concentrator with an IP address of 172.16.172.55.
- Select Configuration > System > Tunneling Protocols > IPSec > LAN-to-LAN > Modify to define a LAN-to-LAN tunnel on the Cisco VPN 3005-2 Concentrator (172.16.172.55). One important thing to notice is that the IP addresses in Local Network and Remote Network should be the translated IP subnets as planned in the NAT tables.
- Complete these steps from the Modify window:
  - Enter the name for your LAN-to-LAN connection in the Name field.
  - Select the interface for your LAN-to-LAN connection from the Interface drop-down list.
  - Enter the IP address of the remote peer for your LAN-to-LAN connection in the Peer field.
  - Select the digital certificate to use from the Digital Certificate drop-down list.
  - Choose how to send the digital certificate to the IKE peer by selecting either Entire Certificate chain or Identity Certificate only from Certificate Transmission.
  - Enter the preshared key for your LAN-to-LAN connection in the Preshared Key field.
  - Specify the packet authentication mechanism to use from the Authentication drop-down list.
  - Select the encryption mechanism to use from the Encryption drop-down list.
  - Select the IKE proposal to use for this LAN-to-LAN connection from the IKE Proposal drop-down list.
  - Select the filter to apply to the traffic that is tunneled through the LAN-to-LAN connection from the Filter drop-down list.
  - Select the NAT-T check box to allow NAT-T compatible IPsec peers to establish your LAN-to-LAN connection through a NAT device. You must also enable IPsec over NAT-T under NAT Transparency.
  - Choose the bandwidth policy to apply to your LAN-to-LAN connection from the Bandwidth Policy drop-down list.
  - Select the routing mechanism to use from the Routing drop-down list.
    Note: You do not need to specify the next set of parameters if you choose Network Autodiscovery.
    a. Select the local network address list or the IP address and wildcard mask for this LAN-to-LAN connection from the Network List drop-down field.
    b. Enter the IP address in the IP Address field.
    c. Enter the wildcard mask (reverse of a subnet mask) in the Wildcard Mask field.
  - Repeat steps a through c for the Remote Network section and click Apply to apply the LAN-to-LAN tunnel configuration.
- Select Configuration > Policy Management > Traffic Management > NAT > LAN-to-LAN Rules > Modify to add a LAN-to-LAN NAT rule based on the NAT plan you defined earlier in this document, then complete these steps.
  Note: In this case, the 10.1.1.0/24 network behind the Cisco VPN 3005-2 Concentrator is translated to 20.1.1.0/24 when it communicates with the private LAN behind the Cisco VPN 3005-1 Concentrator through the IPsec LAN-to-LAN tunnel.
  - Select either Static, Dynamic, or PAT to modify a LAN-to-LAN NAT rule.
  - Enter the IP Address and Wildcard Mask in the Source Network, Translated Network, and Remote Network column fields.
  - Click Apply.
- Select Configuration > Policy Management > Traffic Management > NAT > Enable to enable the LAN-to-LAN NAT rule.
- Select Check to enable NAT rules on LAN-to-LAN tunnels from the Enable window and click Apply.
Verify the Configuration
This section provides information you can use to confirm your configuration works properly.
After you complete this configuration, test the IPsec tunnel by sending traffic between the two private LANs. Note that the hosts on private LAN 1 see the private LAN 2 as 20.1.1.0/24 and the hosts on private LAN 2 see private LAN 1 as 30.1.1.0/24.
This process demonstrates how to verify and monitor the IPsec sessions from the Cisco VPN 3005-2 Concentrator.
- Select Administration > Administer Sessions on the Cisco VPN 3005-2 Concentrator.
- Select Administration > Administer Sessions > Detail to view detailed information on the IPsec SAs.
- Select Monitoring > Statistics > NAT to verify that the NAT rule is working. You can view the NAT translations and packet details (source IP, destination IP, and so forth). This lets you see the translated entries for the interesting and non-interesting traffic (depending on the network lists) of the VPN Concentrator, so that you can trace the outgoing translated packets.
Troubleshoot the Configuration
Refer to Troubleshooting Connection Problems on the Cisco VPN 3000 Concentrator for additional information on troubleshooting Cisco VPN 3000 Concentrator connection issues.
