IPSec, static NAT and route-maps

Jan 28th, 2009

I use static NAT to expose some servers to the internet. I created an IPSec tunnel from a remote office to the central office, which worked, but the remote office could not connect to the servers that have static NAT mappings.

I added a route-map to the static mappings like this:

ip nat inside source static route-map NATRouteMap
route-map NATRouteMap permit 1
 match ip address 104
access-list 104 deny ip 0.0.0 255
access-list 104 permit ip any

Everything seemed to work fine until e-mail started bouncing. Without the route-map on the ip nat, connections from would have a source IP address of, exactly what the static mapping says. With the route-map, connections from have a source IP address of which is the external interface and pooled NAT IP address.

How can I have outbound static mapping and still access the server from the IPSec tunnel?

JohnVottero Tue, 02/03/2009 - 14:33

Thanks for the reply. I may be missing the obvious, but I don't see anything in that config that will help me.

My problem is with static NAT which seems to be broken when you add a route-map.

paolo bevilacqua Tue, 02/03/2009 - 15:42

Hi, it's a bit difficult for a "third party" to understand exactly your situation and what you need to do.

However, looking at your usage of the route map, you see that first you define a static 1:1, then use a route map that defines more addresses? That seems contradictory in itself.

You could then use the ACL directly in the nat statement to define what you want natted to and what not.

JohnVottero Wed, 02/04/2009 - 15:42

I added the route-map to the static NAT to allow a remote network that is using an IPSec tunnel to access the internal IP addresses. The route-map prevents NATing for packets to/from the remote IPSec network.

I did this based on this configuration example:


It almost works, except outbound packets are never NATed by the static NATs.

paolo bevilacqua Thu, 02/05/2009 - 10:20

The thing is that the static nat specifies a single host, so I don't see why the route map is necessary to prevent the network from being natted.

Then again I might have misunderstood.

JohnVottero Thu, 02/05/2009 - 15:59

When packets come in from the IPSec tunnel, the replies get NATed because of the static NAT. The NATed replies don't match the IPSec selection so they don't get encrypted and sent back through the IPSec tunnel.

paolo bevilacqua Fri, 02/06/2009 - 06:20

I see. This happens because you have one or more other nat statements, and even if the route-map prevents natting on the static nat for a certain global address, it is still subject to the other.

There are probably a few things that you can try:

- use a GRE tunnel over IPsec so you will have better control over what is natted and what is not - the tunnel interface would have no nat statement. You can reuse the crypto maps and simply add tunnel protection with the GRE config.

This is also the best solution as it lets you add more networks over the tunnel w/o changing the crypto maps.

- use more route maps so that the pooled nat never nats for 64.233.x.x

- investigate the use of virtual nat interfaces - I'm not very familiar with these anyway.
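The second suggestion above (gate the pooled NAT with the same exemption the static NAT uses) written out as a complete IOS configuration. This is an added example, not configuration posted by either participant. All addresses are RFC 5737 documentation placeholders (the thread's real addresses were not preserved), and the interface names, ACL and route-map names and the crypto map name VPN-MAP are assumed:

```cisco
! Added example, not from the thread. Placeholder addressing:
!   central-office LAN     10.0.0.0/24
!   exposed server         10.0.0.10, statically mapped to 203.0.113.10
!   outside interface      203.0.113.1 (also the overload address)
!   remote VPN LAN         192.0.2.0/24, reached over the IPsec tunnel
!
! One ACL names the traffic that must NOT be translated: anything from the
! central LAN to the remote VPN LAN. The deny entry comes first, then a
! permit so ordinary Internet-bound traffic is still translated.
ip access-list extended NAT-EXEMPT
 deny   ip 10.0.0.0 0.0.0.255 192.0.2.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
!
! The same route-map gates EVERY inside-source NAT statement. If it is
! attached only to the static entry, traffic that the static entry skips
! still falls through to the overload statement and leaves with the
! outside interface address, which is what the thread describes.
route-map NAT-EXEMPT permit 10
 match ip address NAT-EXEMPT
!
! Static 1:1 mapping for the exposed server, gated by the route-map.
ip nat inside source static 10.0.0.10 203.0.113.10 route-map NAT-EXEMPT
!
! Overload (PAT) for the rest of the LAN, gated by the same route-map so
! VPN-bound traffic is never translated by this statement either.
ip nat inside source route-map NAT-EXEMPT interface GigabitEthernet0/0 overload
!
! The crypto ACL selects on the UNtranslated inside addresses, i.e. it is
! the mirror image of the deny entry above. If replies were translated
! first they would not match this ACL and would leave in the clear.
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.0.0 0.0.0.255 192.0.2.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 crypto map VPN-MAP
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
```

To check it, generate traffic from a remote-LAN host to the server and then run `show ip nat translations`: there should be no entry whose inside local address is in 10.0.0.0/24 paired with a 192.0.2.x outside address, while `show crypto ipsec sa` should show the encaps and decaps counters for the 10.0.0.0/24 to 192.0.2.0/24 selector increasing. Traffic from the server to the Internet should still appear in the translation table as 10.0.0.10 mapped to 203.0.113.10 rather than to 203.0.113.1. On some IOS releases a static entry that carries a route-map does not translate outside-initiated sessions unless the `reversible` keyword is added to the static statement; check the NAT command reference for the release in use before relying on the mapping for inbound connections.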
