NAT of overlapping network through IPSEC tunnel

Unanswered Question
Mar 16th, 2008
User Badges:

I am having a NAT problem constructing a router to PIX tunnel (12.4-15T3 to 7.2). I need to both NAT overload through the outside interface for all internet traffic and NAT to a private network for traffic that will flow through an IPSEC tunnel.

Because there is network overlap between sites I have added a NAT on the router as follows:

1) A NAT pool of 254 172.17.20.x addresses.

2) An access list permiting traffic to the hosts on the other side of the tunnel.

3) A NAT source statement using the above ACL and pool.

The IPSEC configuration then includes the 172.17.20.x addresses in the tunnel specification. The tunnel pegs up correctly under this config, traffic originating behind the router is NATd to 172.17.20.x if and only if the traffic matches the access list.

However, once a host has created a 172.17.20.x NAT translation, the normal overload NAT out to the internet no longer works. Even if the second traffic destination does not match the access-list created for the 172.17.20.x NAT statement, the existing translation slot is used. Since 172.17.20.x is not valid on the internet, this has a negative effect on the staff in this location :-/

Both NATing to the internet (using overload PAT on the outside IP address) and NATing for the tunnel (using the list of 172.17.20.x address) are necessary. What am I missing?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
michaelring Fri, 03/21/2008 - 07:09
User Badges:

Actually, i need to do this on the IOS side, but thanks. I spoke with TAC and the key is to use a route-map NAT, not an ACL nat.


This Discussion