l2l VPN with NAT on Router

mattiaseriksson Thu, 07/12/2007 - 14:05

Hi there, it looks ok except that you will most likely have a NAT problem.

You will probably end up NATing all traffic, not only traffic to

In order to NAT based on destination addresses you should use route maps like this. Off the top of my head:

access-list 108 permit ip any

route-map NAT-DST permit 10

match ip address 108

ip nat inside source route-map NAT-DST pool NATPOOL overload

Something like that.

mattiaseriksson Fri, 07/13/2007 - 02:02

@[email protected]:

Yes, the names are wrong, I forgot to mention that in my post.

What I tried to explain was that when you do destination-based NAT you should use route-maps, because it will always create an extended translation entry.

That will ensure that the packet will only get NAT'd if it matches the route-map statement, even if there is already a NAT entry for the same local IP address.

NAT with an extended ACL will work in most situations, but it could fail as it sometimes creates only a simple translation entry.
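The two posts above describe the fix in outline (a route-map-based NAT rule so that LAN-to-VPN traffic is never translated and every translation is an extended entry) but the ACL and the destination are cut off in the thread. The following is an added, complete IOS configuration that is not the original poster's and not from the thread. The addresses (192.168.1.0/24 for the local LAN, 192.168.2.0/24 for the remote VPN LAN, 203.0.113.0/24 for the public side), the interface names, the pool name and the crypto map name VPNMAP are all assumptions chosen for illustration; the ISAKMP/IPsec policy behind VPNMAP is not shown because it is not what the thread is about.

```cisco
! Assumed addressing (not from the original thread):
!   inside LAN        192.168.1.0/24  behind FastEthernet0/0
!   remote VPN LAN    192.168.2.0/24  reached through the IPsec tunnel
!   outside interface FastEthernet0/1, public NAT pool 203.0.113.10-20
!
! Crypto ACL: selects the traffic to be encrypted. It must match the
! original, un-translated private source addresses, which only works
! if the NAT rule below never rewrites LAN-to-VPN packets.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! NAT ACL (numbered 108, as in the thread): deny the VPN-bound traffic
! first so it is excluded from translation, then permit the rest of the
! LAN to the Internet. The deny line is the destination-based part.
access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 108 permit ip 192.168.1.0 0.0.0.255 any
!
! Binding the ACL through a route-map, instead of directly in the
! "ip nat inside source list" command, makes IOS create extended
! (per-flow, destination-aware) translation entries. A LAN host that
! already has a translation for an Internet flow is therefore still
! matched against the route-map for its next VPN-bound packet.
route-map NAT-DST permit 10
 match ip address 108
!
ip nat pool NATPOOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat inside source route-map NAT-DST pool NATPOOL overload
!
interface FastEthernet0/0
 description inside LAN (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description outside / Internet (assumed)
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 crypto map VPNMAP
!
! Checks after applying (commands are standard IOS; output will vary):
!   show ip nat translations   -> VPN-bound flows must not appear here;
!                                 Internet flows show inside and outside
!                                 addresses with protocol and ports
!   show crypto ipsec sa       -> encaps/decaps counters rise when a
!                                 192.168.1.x host talks to 192.168.2.x
```

Two points worth checking in practice. First, order matters in access-list 108: if the permit to "any" came before the deny, the VPN traffic would be translated and would never match the crypto ACL, which is exactly the "NAT everything" failure the first post warns about. Second, the same exclusion must be applied symmetrically on the peer router with its own LAN and the 192.168.1.0/24 network swapped, or return traffic will be translated on the far side.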
