NAT of overlapping network through IPSEC tunnel

michaelring · ‎03-16-2008

I am having a NAT problem constructing a router to PIX tunnel (12.4-15T3 to 7.2). I need to both NAT overload through the outside interface for all internet traffic and NAT to a private network for traffic that will flow through an IPSEC tunnel.

Because there is network overlap between sites I have added a NAT on the router as follows:

1) A NAT pool of 254 172.17.20.x addresses.

2) An access list permiting traffic to the hosts on the other side of the tunnel.

3) A NAT source statement using the above ACL and pool.

The IPSEC configuration then includes the 172.17.20.x addresses in the tunnel specification. The tunnel pegs up correctly under this config, traffic originating behind the router is NATd to 172.17.20.x if and only if the traffic matches the access list.

However, once a host has created a 172.17.20.x NAT translation, the normal overload NAT out to the internet no longer works. Even if the second traffic destination does not match the access-list created for the 172.17.20.x NAT statement, the existing translation slot is used. Since 172.17.20.x is not valid on the internet, this has a negative effect on the staff in this location :-/

Both NATing to the internet (using overload PAT on the outside IP address) and NATing for the tunnel (using the list of 172.17.20.x address) are necessary. What am I missing?

jbayuka · ‎03-21-2008

Refer to PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT (Overlapping Private Networks) Configuration Example

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

michaelring · ‎03-21-2008

Actually, i need to do this on the IOS side, but thanks. I spoke with TAC and the key is to use a route-map NAT, not an ACL nat.