NAT and IPsec site-to-site

Answered Question
May 11th, 2008

Hi,

Why does NAT happen to site-to-site IPsec tunnel traffic?

I configured an IPsec tunnel between Site A and Site B. They are pinging each other well. Site B has a web server which is open to the public, so it has a static NAT configured.

e.g. ip nat inside source static tcp 10.10.10.10 80 interface fastethernet0 80

From Site A, http://10.10.10.10/ failed to display the web site.

Then I found that NAT had happened.

I thought NAT should be bypassed when traffic goes through the IPsec tunnel. But obviously it is not.

What can I do to make it both work for external and vpn sites?

Thanks,

Lydia

izackvail Sun, 05/11/2008 - 20:44

Hi Lydia, I am sure you created a crypto ACL for your VPN tunnel. Typically you would also create a route map to exclude NAT from those subnets that you are tunneling. If your crypto ACL says:

access-list 120 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
crypto map VPN 1 ipsec-isakmp
 match address 120

Then your route map would deny that traffic.

access-list 102 deny ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
! everything else still matches the route map and gets translated
access-list 102 permit ip any any

And you would create a route map to keep it from being NATed like this.

route-map NONAT permit 10
 match ip address 102
ip nat inside source route-map NONAT interface Serial0/0

yayasolenet Sun, 05/11/2008 - 21:24

Thank you for the prompt reply. I have no issue with the VPN sites communicating with each other or browsing the internet.

The only problem is the static NAT for a specific server (10.10.10.10) on a specific port (80).

Can this static NAT be replaced by Route-map?

Cheers,

Lydia

yayasolenet Sun, 05/11/2008 - 22:32

Hi,

I've found the solution using static NAT with a route-map as shown in the link below.

http://www.cisco.com/warp/public/707/static.html

But it looks like my IOS version does not support this command. The document is based on 12.3(14)T. My IOS version is 12.4(6)T9. How come the latest one does not support it?

Attached are the screenshots of the error while I was trying to add the route-map nonat at the end of the static NAT command.

Can anybody tell me why? Any other solutions?

Thanks,

Correct Answer
izackvail Mon, 05/12/2008 - 06:06

Hi Lydia, you can't use that command when you specify an interface rather than an actual global address.

It would have to look like this:

ip nat inside source static 10.10.10.10 (some routable outside address) route-map nonat
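As an added example for this thread (not posted by either participant and not IOS code), the following Python models the NAT decision the router makes for the static entry: the inside-local address is translated on every inside-to-outside packet, including the reply to a VPN client, unless a route-map with a deny ACE for the tunneled subnets exempts the flow. The host addresses, the outside global address 203.0.113.1 and the internet client 198.51.100.7 are constructed stand-ins.

```python
import ipaddress
from dataclasses import dataclass

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco ACL matching: wildcard bits set to 1 are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str

def acl_result(acl, src: str, dst: str) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"

# Constructed static PAT entry mirroring the thread's web server.
STATIC = {"inside_local": ("10.10.10.10", 80),
          "inside_global": ("203.0.113.1", 80)}  # stands in for the outside interface address

# ACL 102: deny the site-to-site traffic, permit everything else (NAT exemption).
ACL_102 = [
    AclEntry("deny", "10.10.0.0", "0.0.255.255", "10.20.0.0", "0.0.255.255"),
    AclEntry("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

def translate(src: str, sport: int, dst: str, nonat_acl=None):
    """Return the (address, port) the outside sees for an inside->outside packet."""
    if (src, sport) != STATIC["inside_local"]:
        return (src, sport)  # the static entry is not for this host/port
    if nonat_acl is not None and acl_result(nonat_acl, src, dst) == "deny":
        return (src, sport)  # route-map NONAT: leave the tunneled flow untranslated
    return STATIC["inside_global"]
```

Without the route-map, the server's reply toward a Site A client leaves with the translated source, which no longer matches the crypto ACL; with it, only the internet-bound reply is translated.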
