Site-to-Site VPN with NAT (Cisco IOS)
In a Site-to-Site VPN with NAT (Network Address Translation), two sites are joined over the Internet by an encrypted IPsec tunnel while the same router also translates its LAN addresses (PAT to the public interface address) for Internet-bound traffic. The two features interact: traffic destined for the remote site must be excluded from NAT, otherwise it is translated before it reaches the tunnel and never matches the VPN traffic selector.
Moving from an older Cisco router to one running Cisco IOS version 15.9(3)M10 introduces some changes to configuration syntax and capabilities, but the basic structure remains consistent.
Below, I’ll outline a basic Site-to-Site VPN setup with NAT. I’ll include the essential steps and configurations for both an older IOS version and newer 15.9(3)M10.
Basic Overview of Site-to-Site VPN with NAT
- IPsec VPN: Used to encrypt the connection between the two sites.
- NAT: Used to translate private LAN addresses to the public address for Internet-bound traffic, or to work around overlapping subnets between the two sites. Traffic for the remote site must be exempted from it.
- Endpoints: Each router acts as the VPN endpoint.
Key Components
- VPN Configuration – Encryption, hashing, and negotiation settings.
- NAT Configuration – Address translation rules.
1. Configuring Site-to-Site VPN on an Older IOS Version
Older Cisco IOS commonly uses IKEv1 (ISAKMP) with a crypto map bound to the WAN interface; the crypto ACL on the map decides which traffic is encrypted.
Step 1: Define ISAKMP (IKE) Policy
Use Diffie-Hellman group 14 (2048-bit MODP) or stronger; groups 1, 2 and 5 are deprecated and should not be used even on older routers.
crypto isakmp policy 10
encryption aes 256
hash sha256
authentication pre-share
group 14
lifetime 86400
Step 2: Set Pre-Shared Key
Define the key and the remote peer's public IP. The same key must be configured on the peer for this router's address, and it should be long and random; it is a shared secret, not a password a person types.
crypto isakmp key YOUR_PRESHARED_KEY address 203.0.113.2
Step 3: Define IPsec Transform Set
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
Step 4: Create Crypto Map
crypto map MYMAP 10 ipsec-isakmp
set peer 203.0.113.2
set transform-set TS
match address 101
Step 5: Configure Access List
This crypto ACL selects the traffic to encrypt (local LAN to remote LAN). The remote router needs the mirror image, with source and destination swapped.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Step 6: Apply Crypto Map
interface GigabitEthernet0/0
crypto map MYMAP
Step 7: Configure NAT
Mark the LAN interface with ip nat inside and GigabitEthernet0/0 with ip nat outside. With a crypto map, inside-to-outside NAT runs before encryption, so the NAT ACL must deny the site-to-site traffic first and only then permit Internet-bound traffic. A permit-only entry for 192.168.1.0/24 to 192.168.2.0/24 would do the opposite: it would translate the VPN traffic, which would then never match access-list 101.
ip access-list extended NAT_ACL
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload
Example CLI Verification
Router# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
203.0.113.2 198.51.100.1 QM_IDLE 1001 ACTIVE
QM_IDLE with status ACTIVE means phase 1 is established. Then run show crypto ipsec sa and check that both #pkts encaps and #pkts decaps increase while traffic flows; encaps rising with decaps stuck at zero usually means the return path or the peer's NAT exemption is wrong.
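The order-of-operations problem behind the NAT step, as an added example (editor's code, not Cisco's and not part of the original post): a small Python model that evaluates IOS-style extended ACLs with first-match semantics and an implicit deny, then applies the crypto-map rule that inside-to-outside NAT happens before the crypto ACL check. The ACL texts and the WAN address 198.51.100.1 are constructed from the addresses used on this page; the permit-only NAT ACL is the common mistake, the deny-then-permit ACL is the exemption.

```python
"""Model the crypto-map order of operations: NAT before encryption.

Added example for this post; it is not Cisco code. Extended ACLs are
evaluated first-match with an implicit deny. A packet arriving on an
'ip nat inside' interface is translated before it is compared with the
crypto map ACL on the 'ip nat outside' interface. All ACL texts and
addresses below are constructed from the post's own configuration.
"""
import ipaddress
from typing import List, Tuple

IPv4Network = ipaddress.IPv4Network
Ace = Tuple[str, IPv4Network, IPv4Network]  # (action, source, destination)


def _parse_target(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    # ipaddress accepts a hostmask (an IOS wildcard) after the slash, which
    # covers the contiguous wildcards used in NAT and crypto ACLs.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse a numbered ('access-list 101 permit ip ...') or named ACL body."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue
        tokens = line.split()
        if tokens[0] == "access-list":  # drop 'access-list <number>'
            tokens = tokens[2:]
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, i = _parse_target(tokens, 2)
        dst, _ = _parse_target(tokens, i)
        aces.append((action, src, dst))
    return aces


def acl_permits(aces: List[Ace], src: str, dst: str) -> bool:
    """First matching entry wins; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in aces:
        if s in snet and d in dnet:
            return action == "permit"
    return False


def forward_path(nat_acl: str, crypto_acl: str, src: str, dst: str,
                 wan_ip: str) -> Tuple[str, str]:
    """Return (outcome, source address on the wire) for a LAN packet.

    If the NAT ACL permits the flow, the source becomes the WAN address and
    the packet no longer matches the crypto ACL, so it leaves unencrypted.
    """
    translated = acl_permits(parse_acl(nat_acl), src, dst)
    wire_src = wan_ip if translated else src
    if acl_permits(parse_acl(crypto_acl), wire_src, dst):
        return "encrypted", wire_src
    return "clear", wire_src


# Constructed inputs, taken from the addresses used in the post.
WAN_IP = "198.51.100.1"
CRYPTO_ACL = "access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"
NAT_ACL_PERMIT_ONLY = """
ip access-list extended NAT_EXEMPT
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
NAT_ACL_WITH_DENY = """
ip access-list extended NAT_ACL
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
"""

if __name__ == "__main__":
    for label, acl in (("permit-only", NAT_ACL_PERMIT_ONLY), ("deny-first", NAT_ACL_WITH_DENY)):
        for dst in ("192.168.2.20", "8.8.8.8"):
            print(label, "192.168.1.10 ->", dst, forward_path(acl, CRYPTO_ACL, "192.168.1.10", dst, WAN_IP))
```

Running it shows the permit-only ACL sending the LAN-to-LAN packet out in the clear with the WAN source address, while the deny-first ACL leaves the site-to-site flow untranslated (so it is encrypted) and still translates the Internet-bound flow.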
2. Configuring Site-to-Site VPN with Cisco IOS 15.9(3)M10
Cisco IOS 15.x supports IKEv2 and routed virtual tunnel interfaces (VTI). With a VTI the traffic selection is done by routing rather than by a crypto ACL, and the IPsec profile replaces the crypto map.
Step 1: Define IKEv2 Proposal and Policy
A user-defined proposal is only used when an IKEv2 policy references it; without the policy the router falls back to the default policy and default proposal.
crypto ikev2 proposal MY_PROPOSAL
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy MY_POLICY
proposal MY_PROPOSAL
Step 2: Define IKEv2 Keyring and Profile
The profile references a keyring, so the keyring holding the pre-shared key for the peer must exist.
crypto ikev2 keyring MY_KEYRING
peer SITE_B
address 203.0.113.2
pre-shared-key YOUR_PRESHARED_KEY
!
crypto ikev2 profile MY_PROFILE
match identity remote address 203.0.113.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local MY_KEYRING
Step 3: Define IPsec Transform Set
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
Step 4: Define IPsec Profile
crypto ipsec profile MY_IPSEC_PROFILE
set transform-set TS
set ikev2-profile MY_PROFILE
Step 5: Configure Tunnel Interface
With a VTI there is no crypto ACL: the IPsec proxy identities are any/any and the routing table decides what enters the tunnel, so an access list like the one used with the crypto map is not needed. Set the tunnel mode explicitly; otherwise the interface defaults to GRE and traffic is GRE-encapsulated before it is encrypted.
interface Tunnel0
ip address 192.168.10.1 255.255.255.252
tunnel source GigabitEthernet0/0
tunnel destination 203.0.113.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile MY_IPSEC_PROFILE
Step 6: Route the Remote LAN into the Tunnel
Without this route nothing is sent through the tunnel.
ip route 192.168.2.0 255.255.255.0 Tunnel0
Step 7: Configure NAT Exemption
Mark the LAN interface with ip nat inside and GigabitEthernet0/0 with ip nat outside. Because Tunnel0 is not an ip nat outside interface, packets routed into it are not translated; the deny entry still belongs in the NAT ACL so the exemption is explicit and survives later changes to the interface roles.
ip access-list extended NAT_ACL
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload
Example CLI Verification
Router# show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote Status
1 198.51.100.1 203.0.113.2 READY
READY means the IKEv2 SA is established. Also confirm that show ip route lists 192.168.2.0/24 via Tunnel0 and that show interface Tunnel0 reports line protocol up; the interface only comes up once the IPsec SA exists.
Key Differences
- IKEv1 vs IKEv2 – IKEv2 establishes the SA in fewer exchanges, has built-in liveness checks and NAT traversal, and allows asymmetric authentication (for example pre-shared key on one side and certificates on the other); the protocol also defines MOBIKE for peers whose address changes.
- Crypto Map vs Tunnel Interface – A VTI is a routable interface, so traffic selection is done by routing (static or dynamic), QoS and ACLs can be applied to it, and adding a subnet means adding a route instead of editing crypto ACLs on both routers.
- NAT Handling – The NAT ACL must deny the site-to-site traffic before permitting Internet traffic in both designs; with a crypto map this is mandatory because NAT runs before encryption.
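To make the IKEv1 versus IKEv2 parameter differences checkable, here is an added Python audit script (editor's code, not Cisco's and not from the original post) that parses crypto isakmp policy and crypto ikev2 proposal blocks out of a running-config and flags DES/3DES, MD5/SHA-1 and Diffie-Hellman groups below 2048 bits. The thresholds are the editor's choice; SAMPLE_CONFIG is constructed from the blocks on this page plus one deliberately weak policy that also shows the default-group pitfall.

```python
"""Audit IKEv1 (isakmp policy) and IKEv2 (proposal) blocks in a Cisco IOS
configuration for weak algorithms.

Added example for this post, not Cisco code. The thresholds (no DES/3DES,
no MD5/SHA-1, DH groups of at least 2048 bits) are the editor's choice.
SAMPLE_CONFIG is constructed: the post's own blocks plus one weak policy.
"""
import re
from typing import Dict, List

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha", "sha1"}            # IOS 'hash sha' means SHA-1
MODP_BITS = {"1": 768, "2": 1024, "5": 1536}  # DH groups below 2048 bits
BLOCK_RE = re.compile(r"^crypto (isakmp policy \d+|ikev2 proposal \S+)\s*$")


def audit_ike(config: str) -> Dict[str, List[str]]:
    """Return {block name: [findings]} for every IKE policy/proposal block."""
    findings: Dict[str, List[str]] = {}
    has_group: Dict[str, bool] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        header = BLOCK_RE.match(line)
        if header:
            current = header.group(1)
            findings[current] = []
            has_group[current] = False
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ends the block
            continue
        kw, *args = line.split()
        args = [a.lower() for a in args]
        out = findings[current]
        if kw == "encryption":
            for alg in args:
                if alg in WEAK_ENCRYPTION:
                    out.append(f"encryption {alg}: deprecated cipher, use AES")
        elif kw in ("hash", "integrity", "prf"):
            for alg in args:
                if alg in WEAK_HASH:
                    out.append(f"{kw} {alg}: weak hash, use sha256 or stronger")
        elif kw == "group":
            has_group[current] = True
            for g in args:
                if g in MODP_BITS:
                    out.append(f"group {g}: {MODP_BITS[g]}-bit MODP, use group 14 or higher")
    # An isakmp policy that never sets 'group' silently gets group 1 (768-bit).
    for name, seen in has_group.items():
        if name.startswith("isakmp policy") and not seen:
            findings[name].append("group not set: isakmp policy defaults to group 1 (768-bit MODP)")
    return findings


# Constructed sample: the post's IKEv1 policy as it is often found (group 2),
# a second deliberately weak policy, and the post's IKEv2 proposal.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp policy 20
 encryption 3des
 hash md5
 authentication pre-share
!
crypto ikev2 proposal MY_PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
"""

if __name__ == "__main__":
    for name, issues in audit_ike(SAMPLE_CONFIG).items():
        print(name, "->", issues or "ok")
```

Feed it the output of show running-config | section crypto; policy 10 is flagged only for its 1024-bit group, policy 20 for its cipher, hash and the missing group line, and the IKEv2 proposal passes.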
Key Takeaways
- Older IOS uses Crypto Maps + IKEv1.
- Modern Cisco IOS supports IKEv2 with Tunnel Interfaces.
- NAT exemption is required so VPN traffic is not translated: the NAT ACL must deny the site-to-site traffic before it permits Internet traffic.
- Using IPsec profiles on a routed tunnel interface improves scalability and maintainability.
Summary
For older routers, crypto maps and IKEv1 are commonly used.
For newer Cisco IOS versions such as 15.9+, using IKEv2 and tunnel interfaces provides a cleaner and more scalable configuration.
This configuration provides a functional, secure, and NAT-friendly Site-to-Site VPN solution across Cisco IOS versions.
Let me know if you need further customization or troubleshooting steps.