VPN with NAT on same interface

anthony.baker · ‎04-20-2009

Hi guys,

I wonder if anyone has tried this senario before and could let me know how to get it to work!

I have a pair of 7100 routers that I'm going to use as VPN termination points on our network. The routers run HSRP across the F0/0 interface to achieve redundancy and all is good. I just have one problem..

Some of our partners need the source address of the traffic going over the tunnel to be a certain IP address so needs to be NAT'd at the router. I have a problem because the packets destined for the tunnel come in and go out the same interface and therefore I can't seem to get it to NAT them before it sends them down the tunnel i.e. it works ok with no nat involved but I can't use the ip nat inside and outside commands as I only have one interface. Therefore my VPN access-list never picks the traffic up and nothing happens!

Does anyone know the best way around this?

Thanks for the help,

Anthony

andrew.prince · ‎04-20-2009

Terminate the VPN's on another device.

HTH>

anthony.baker · ‎04-21-2009

So it can't be done?

andrew.prince · ‎04-21-2009

To be honest, the only way I can think of doing it, is to encapsulate the traffic in a GRE tunnel. You could NAT it as it goes into the tunnel, and the VPN is based on the source and destination IP's of the tunnel.

Other than that, have VPN's NAT and sending receiving traffic on the same device on 1 internet - is a big ask. Splitting the load to another device makes more sense - only my point of view.

HTH>