l2l VPN with NAT on Router

mattiaseriksson Thu, 07/12/2007 - 14:05

Hi there, it looks ok except that you will most likely have a NAT problem.

You will probably end up NATing all traffic, not only traffic to 10.10.0.0/16.

In order to NAT based on destination addresses you should use route maps like this. Off the top of my head:

access-list 108 permit ip any 10.10.0.0 0.0.255.255

route-map NAT-DST permit 10
 match ip address 108

ip nat inside source route-map NAT-DST pool NATPOOL overload

Something like that.
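
A fuller version of the destination-based NAT described in the post above, as an added example (editor's, not the poster's configuration). It keeps the ACL, route-map and pool names from the post; the interface names, the inside LAN 192.168.1.0/24, the outside address 203.0.113.2, the single pool address 203.0.113.10, the crypto map name L2LMAP and crypto ACL 110 are assumed values. The crypto ACL is included because on IOS the inside-to-outside NAT translation happens before encryption, so the crypto ACL has to match the translated (pool) source address rather than the LAN address:

```cisco
! Added example, not from the original post. Names NATPOOL, NAT-DST and
! ACL 108 come from the post; interfaces, addresses, L2LMAP and ACL 110
! are assumed for illustration.
!
! Translated address presented to the remote VPN site (assumed address)
ip nat pool NATPOOL 203.0.113.10 203.0.113.10 netmask 255.255.255.0
!
! Only traffic destined for the remote site's 10.10.0.0/16 is a NAT candidate
access-list 108 permit ip any 10.10.0.0 0.0.255.255
!
! Route-map gives destination-based matching; IOS installs extended
! (per-flow) translation entries for route-map based NAT
route-map NAT-DST permit 10
 match ip address 108
!
! Dynamic PAT onto the pool for route-map matches only; all other traffic
! leaves the router untranslated
ip nat inside source route-map NAT-DST pool NATPOOL overload
!
interface GigabitEthernet0/0
 description inside LAN (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description outside, VPN peer-facing (assumed)
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 crypto map L2LMAP
!
! NAT (inside to outside) runs before encryption on IOS, so the crypto ACL
! must match the translated source, i.e. the pool address, not the LAN
access-list 110 permit ip host 203.0.113.10 10.10.0.0 0.0.255.255
!
! After sending test traffic to 10.10.0.0/16, confirm that translations are
! created only for that destination and show up as extended entries
! (protocol and ports present):
!   show ip nat translations verbose
```

Traffic to anything other than 10.10.0.0/16 does not match ACL 108, so the route-map falls through and no translation entry is created for it; that is the behaviour the post is after.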

mattiaseriksson Fri, 07/13/2007 - 02:02

@[email protected]:

Yes, the names are wrong; I forgot to mention that in my post.

What I tried to explain was that when you do destination-based NAT you should use route-maps, because it will always create an extended translation entry.

That will ensure that the packet will only get NAT'd if it matches the route-map statement, even if there is already a NAT entry for the same local IP address.

NAT with an extended ACL will work in most situations, but it could fail as it sometimes creates only a simple translation entry.
