NAT Over VPN Tunnel

Unanswered Question
Aug 16th, 2007

I've been doing some research on this topic, and I'm asking for some help. I have a VPN tunnel I'm trying to set up to a remote network (that I have no control over). However, that remote network has used all private IP addresses. Meaning that I cannot assign my network any private IP addresses to use over the tunnel. I need to do NAT on a completely different IP address across the tunnel. I need the far end of the tunnel to see an address other than the private address which is assigned to the machines on this end. So rather than disabling NAT across the tunnel, I need to ENABLE NAT over the tunnel, but I need it to be a NAT to a completely different IP than the one I have set up on the external interface for doing PAT out to the internet! I hope I've explained this well enough and someone out there can help me. Thanks.

Jon Marshall Thu, 08/16/2007 - 10:12


Couple of questions

1) Do you just need a one-way connection, i.e. you will always initiate the connection to the remote end?

2) Do you want to hide all your source IP addresses behind one single IP address and then send it down the tunnel, so that the remote end sees all traffic as coming from one address only?

One other thing - what type of device do you have at your end?

This is perfectly doable, I just need to know your exact requirements.


jbrunsting Thu, 08/16/2007 - 10:14

1) No, I think traffic needs to be able to originate from either end.

2) Yes, I'd love to be able to use any machine on my local network over the VPN. It would simplify the use of the tunnel.

At my end I have a 1841 running ver. 12.4 of the advsecurity IOS.

Jon Marshall Thu, 08/16/2007 - 10:33


Sorry about this but one last quick question.

Are the same addresses being used at both ends, i.e. is there an overlap between the local and remote subnets?

Key thing here is what destination IP addresses do you need to get to at the remote site and what are your source IP addresses.


What destination IP addresses are the remote site trying to get to and what would be their source IP addresses?

Need to know this before I can supply config.

I've got to nip to a meeting but should be back in about an hour.


jbrunsting Thu, 08/16/2007 - 10:41

Okay, here's hoping I get everything here, since my brain is starting to overheat, I think.

Our network is using, but the problem is, those IPs are in use on the other end as well. Basically, there is a 100% overlap.

There are three IPs at the other end we need to be able to reach, they're not subnetted, they're just individual ips. Let's just call it Our source ip, the one we're trying to pretend to be, is That's going to be the ip NATted over the VPN tunnel (Assuming I ever get that thing running).

I'm also just assuming that they're only going to be trying to access the main ( ip on this end, though I'll have to set up some kind of access-list to send traffic to the right location. I don't think that, if they originate the traffic on the other end, they'll be able to go to any machine on our end if we're using NAT. There's just no way for them to differentiate the machines if we're hiding like this. However, that being said, I would assume our server would be the single machine they'd probably need access to, so its inside local address is

Jon Marshall Thu, 08/16/2007 - 12:32


Okay, first things first, I am assuming that the machines you are trying to access at the remote site are not in the range.

As you say, let's assume

I'm also assuming that the address is not attached to an interface.


int loopback 10

ip address

NOTE - if is allocated to your outside interface on your 1841 then you don't need to create the loopback interface.

Next you need to NAT your source IP addresses based on this

access-list 101 permit ip host

access-list 101 permit ip host

access-list 101 permit ip host

ip nat inside source list 101 interface loopback 10

Note - as before if you didn't need to create loopback 10 because the 64.x.x.x address was assigned to your outside interface then just change the interface bit of the above nat statement.

Okay that will NAT any addresses going to any of the 172.16.1.x addresses to

Now all you have to do is create your VPN as normal only in the crypto access-list ie the one that says

match address "access-list"

your access-list must now reference and not the 192.168.1.x addresses because they have already been natted so

access-list vpntraffic permit ip host host

access-list vpntraffic permit ip host host

access-list vpntraffic permit ip host host

This should sort out traffic from your end.

Now let's cover off the server. You just need to present this to the remote end as any address that doesn't conflict with anything they have there. It doesn't have to be a public IP address - you will need to agree with the remote people. Let's say for argument's sake you agreed on

ip nat inside source static

in your crypto map access-list vpntraffic add the following line

** Edit -

this should read

access-list vpntraffic permit ip host host x.x.x.x

host x.x.x.x will be whatever they present their addresses as to you ie. you are hiding all your addresses behind 64.x.x.x, what are they doing with their source IP addresses.

Finally you need to add to the inside interface

int fa0/0

ip nat inside

and the outside interface

int fa0/1

ip nat outside

Note that loopback 10 can be any number as long as it doesn't conflict with anything you have.

Okay, that's quite a bit to do. Remember that whatever your crypto access-list has in it, the remote end must also have this but with the source and destination flipped.

I haven't been able to fully test this in our lab so there might be a few issues, please be careful if dealing with a production setup.

Please come back if there are any problems or just to let me know it worked.



jbrunsting Thu, 08/16/2007 - 12:58

Okay, this looks really good, and I think it's exactly what I've been waiting for. I'm waiting on my counterpart on the other end to give me a call back so we can test this, but I'll definitely let you know what happens with it.

Of course, any remaining problems might also be with my more-than-rusty vpn tunneling skills.

jbrunsting Fri, 08/17/2007 - 11:22

Okay, well, the tunnel seems to be fully implemented, the guy at the other end can see it come up (I dunno about my end, I don't seem to have a tunnel interface, so I'm not sure how to check). ANYway, so the tunnel comes up, but for some reason, I can't pass any traffic through it. I've also learned that there won't be any traffic originating from the far end, only traffic originating from my end and going out.

Jon Marshall Fri, 08/17/2007 - 13:07


Can you post your config + the source IP address you are coming from and the destination address you are going to.

useful commands to see if your tunnel is working

sh crypto isakmp sa

sh crypto ipsec sa


Jon Marshall Fri, 08/17/2007 - 13:21

Okay, I keep doing this recently. Referring back to my post with all the config

access-list 101 permit ip host

access-list 101 permit ip host

access-list 101 permit ip host

Can you change the subnet masks to


access-list 101 permit ip host


Apologies for that. PIX uses but router IOS needs the inverse mask.

Could you update the access-list and then retest.

Couple of other things - can you let me know what your source IP address is and the destination IP address at the remote end when you test the setup.

Lastly when you post configs can you make sure you remove any sensitive info like the IPSEC keys etc..
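Two points in this thread are easy to get wrong and hard to see from the CLI: the crypto access-list is evaluated after inside-to-outside NAT, so it must name the translated address, and IOS access-lists take wildcard (inverse) masks where PIX syntax takes subnet masks. The following Python model is an added example, not code from the thread or from Cisco; it simulates that order of operations for one outbound packet. All addresses in it are constructed placeholders from the documentation ranges, and the hypothetical helper names (`outbound`, `build_acls`, `demo`) are mine.

```python
# Added example, not code from the thread: a small model of how an IOS router
# handles an inside-to-outside packet under the config discussed above.
# Inside-to-outside NAT is applied before the crypto map is consulted, so the
# crypto access-list has to match the translated source address, and IOS
# access-lists take wildcard (inverse) masks rather than subnet masks.
# Every address here is a constructed placeholder from the documentation
# ranges, not an address from the thread.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


def wildcard_from_subnet_mask(mask: str) -> str:
    """Turn a subnet mask (what PIX syntax takes) into the IOS wildcard mask."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))


def acl_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & keep) == (b & keep)


@dataclass(frozen=True)
class AclEntry:
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    return any(acl_match(src, e.src, e.src_wc) and acl_match(dst, e.dst, e.dst_wc)
               for e in acl)


# Constructed values: the local LAN (which overlaps the remote site's LAN),
# the address on the loopback that the LAN is hidden behind, and one remote host.
INSIDE_NET, INSIDE_MASK = "192.168.1.0", "255.255.255.0"
NAT_HIDE_ADDR = "203.0.113.10"
REMOTE_HOST = "172.16.1.5"


def outbound(src: str, dst: str, nat_acl: List[AclEntry],
             crypto_acl: List[AclEntry]) -> Tuple[str, bool]:
    """Return (source address on the wire, True if the packet enters the tunnel)."""
    # Step 1: 'ip nat inside source list <nat_acl> interface loopback ...'
    # rewrites the source only for flows the NAT access-list permits.
    if acl_permits(nat_acl, src, dst):
        src = NAT_HIDE_ADDR
    # Step 2: the crypto map's 'match address <crypto_acl>' is evaluated on the
    # packet as it now looks.  Non-matching packets are forwarded in the clear,
    # not dropped.
    return src, acl_permits(crypto_acl, src, dst)


def build_acls(nat_src_wc: str, crypto_src: str, crypto_src_wc: str):
    nat_acl = [AclEntry(INSIDE_NET, nat_src_wc, REMOTE_HOST, "0.0.0.0")]
    crypto_acl = [AclEntry(crypto_src, crypto_src_wc, REMOTE_HOST, "0.0.0.0")]
    return nat_acl, crypto_acl


def demo():
    """The working config beside the two pitfalls the thread raises."""
    wc = wildcard_from_subnet_mask(INSIDE_MASK)  # "0.0.0.255"
    host = "192.168.1.7"
    return {
        # NAT ACL with a proper wildcard, crypto ACL on the hidden address: encrypted.
        "correct": outbound(host, REMOTE_HOST, *build_acls(wc, NAT_HIDE_ADDR, "0.0.0.0")),
        # Crypto ACL still names the pre-NAT LAN: translated, but never enters the tunnel.
        "crypto_acl_pre_nat": outbound(host, REMOTE_HOST, *build_acls(wc, INSIDE_NET, wc)),
        # Subnet mask written where a wildcard belongs: NAT never fires, nothing matches.
        "subnet_mask_as_wildcard": outbound(host, REMOTE_HOST,
                                            *build_acls(INSIDE_MASK, NAT_HIDE_ADDR, "0.0.0.0")),
    }


if __name__ == "__main__":
    for name, (wire_src, encrypted) in demo().items():
        print(f"{name:25s} source on wire {wire_src:15s} encrypted={encrypted}")
```

The two failing variants matter for more than connectivity: a packet that misses the crypto access-list is not dropped, it leaves the outside interface unencrypted. That is why the encrypt/decrypt counters in `sh crypto ipsec sa`, suggested earlier in the thread, are the thing to check when the tunnel "comes up" but traffic does not flow.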


jbrunsting Fri, 08/17/2007 - 13:31

Okay, first of all, I'm an idiot. I know that stuff about IPSec keys, etc. I think it's just been a VERY long week for me. What's more, I know that about reversing the masks for access-lists, but I didn't even catch it.

It still doesn't seem to be working, however. Here's the edited part of that config as it looks now:

access-list 101 permit ip host

access-list 101 permit ip host

access-list 101 permit ip host

The source IP address for this tunnel is, I would assume, my public IP, which is and the destination IP at the remote end is If you mean the numbers inside, then from my end it's and on the other end, it's

Jon Marshall Fri, 08/17/2007 - 13:50

I know what you mean about long weeks :)

Config looks okay now to me, so I will log into the lab at work over the weekend and test this out, because I can't see why it won't work, to be honest.

Do you know if it is not coming up in the same way as before you amended the access-list ie. before the amendment the tunnel would not have come up because the traffic didn't match the access-list but it should now.

You can run some debugging commands on your router

debug crypto isa

debug crypto ipsec

we need to work out if it is your router not initiating the connection or if it is a config issue on the other end.


jbrunsting Fri, 08/17/2007 - 13:55

It's kind of hard to say. Neither of the debug commands seems to give me any information. However, it seems to be the same issue now. When I try to do a simple ping of one of the servers on the other end, all I get is Request timed out from a Windows box, or just ..... from the router itself.

I would love it if you could test this out and let me know what you find.

Jon Marshall Mon, 08/20/2007 - 00:13


Right, I tested this out in our lab over the weekend. Basic details:

Local server -

Natted address for local server

Remote server -

Local VPN device - 2800 router - ver 12.4(8) Advanced Enterprise

IP address

Remote VPN device - PIX 515E firewall - ver 6.3

IP address

Relevant config on 2800 router


crypto isakmp policy 10

authentication pre-share

group 2

lifetime 10800

crypto isakmp key test123 address

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac


crypto map vpn-set 10 ipsec-isakmp

set peer

set transform-set ESP-DES-SHA

set pfs group2

match address 102



interface Loopback5

ip address

interface GigabitEthernet0/0

ip address

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map vpn-set


interface GigabitEthernet0/1

ip address

no ip proxy-arp

ip nat inside

ip virtual-reassembly

duplex full

speed 100

ip nat inside source list 101 interface Loopback5 overload

access-list 101 permit ip host

access-list 102 permit ip host host


It worked fine in my lab. One thing you might want to do when testing on your router

debug crypto isa

debug crypto ipsec

term mon
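Earlier in the thread jbrunsting notes that, with a crypto map rather than a tunnel interface, there is nothing obvious to look at to tell whether the tunnel is up; `sh crypto isakmp sa` is the answer to that. As an added example (not from the thread or from Cisco), the script below reads that command's output and reports whether phase 1 has completed with a given peer. The sample output is constructed with documentation addresses, its column layout is assumed to match IOS 12.4, and the helper names are mine.

```python
# Added example, not code from the thread: interpret 'sh crypto isakmp sa'
# to answer "is phase 1 of my tunnel up with this peer?".  The sample output
# is constructed (documentation addresses) and the column layout is assumed
# to match IOS 12.4; adjust the parser if your release prints differently.
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_SHOW_CRYPTO_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
203.0.113.2     198.51.100.1    QM_IDLE           1001    0 ACTIVE
203.0.113.9     198.51.100.1    MM_NO_STATE       1002    0 ACTIVE
"""

# Main-mode state names as IOS reports them, in order of progress.  Only
# QM_IDLE means phase 1 is complete; MM_NO_STATE is the usual sign that the
# peers never agreed (unreachable peer, policy or pre-shared key mismatch).
STATE_MEANING = {
    "MM_NO_STATE": "ISAKMP SA created but nothing agreed: peer unreachable, "
                   "proposal/key mismatch, or no interesting traffic was sent",
    "MM_SA_SETUP": "policy agreed, waiting for key exchange",
    "MM_KEY_EXCH": "Diffie-Hellman done, waiting for authentication",
    "MM_KEY_AUTH": "authentication in progress",
    "QM_IDLE":     "phase 1 complete; check 'sh crypto ipsec sa' for phase 2",
}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class IsakmpSa:
    dst: str
    src: str
    state: str
    conn_id: int
    status: str


def parse_isakmp_sa(text: str) -> List[IsakmpSa]:
    """Pick out the SA rows; banner and header lines do not start with two IPv4 addresses."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not (IPV4.match(parts[0]) and IPV4.match(parts[1])):
            continue
        rows.append(IsakmpSa(dst=parts[0], src=parts[1], state=parts[2],
                             conn_id=int(parts[3]),
                             status=parts[-1] if len(parts) > 4 else ""))
    return rows


def phase1_up(rows: List[IsakmpSa], peer: str) -> bool:
    """True if an ISAKMP SA with the given peer has reached QM_IDLE."""
    return any(r.state == "QM_IDLE" and peer in (r.dst, r.src) for r in rows)


def explain(rows: List[IsakmpSa], peer: str) -> Optional[str]:
    """Hint for the furthest-progressed SA seen with this peer, or None if there is none."""
    order = list(STATE_MEANING)
    seen = [r for r in rows if peer in (r.dst, r.src) and r.state in STATE_MEANING]
    if not seen:
        return None
    best = max(seen, key=lambda r: order.index(r.state))
    return f"{best.state}: {STATE_MEANING[best.state]}"


if __name__ == "__main__":
    sas = parse_isakmp_sa(SAMPLE_SHOW_CRYPTO_ISAKMP_SA)
    for peer in ("203.0.113.2", "203.0.113.9", "192.0.2.1"):
        print(peer, "phase1 up" if phase1_up(sas, peer) else "phase1 down",
              "-", explain(sas, peer) or "no SA with this peer")
```

A peer with no row at all usually means the router never tried: either no traffic matched the crypto access-list, or the other side is the only one initiating. A row stuck in MM_NO_STATE means the peers did talk but could not agree, which is where `debug crypto isa` shows the mismatch.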


jbrunsting Wed, 08/22/2007 - 08:42

Well, try though I might, this still doesn't work. It actually seems as if the tunnel never fully establishes. I've changed the NAT for the internet traffic to deny any traffic going to the remote end of the VPN tunnel, to keep it from being NATed to the main global inside address. I thought maybe it was getting NATed to the .76 ip and therefore never getting NATed to the .81 ip going to the outside. However, no luck. Speaking with an engineer on the other end, he tried to force the tunnel twice. Once with the way I have it and once after I added a command into the router: crypto isakmp identity hostname.

Please check out the logs. See if any of this makes sense or maybe anyone out there has seen this before.

One more thing: we HAVE to get this working now, it's been too long. Who do I have to pay to get absolute help with this from Cisco or whoever?

jbrunsting Thu, 08/16/2007 - 12:00

I might be being selfish, but here's hoping you're back from that meeting soon to help, because I just *might* have everything else on this tunnel finished but this now.

