I'm configuring something in my lab that I'll be using in production, but I'm running into a problem.
I need to nat traffic only through a tunnel, but not nat it outside of the tunnel. The problem that I've run into is this:
ip nat source static network 192.168.1.0 10.15.25.0 /24 no-alias
The above nats all traffic sourced from 192.168.1.0 to 10.15.25.0, but I only want the traffic natted when it's going to our network to this ip.
I've tried to set an acl up like:
ip access-list extended VPNNAT
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip nat inside source list VPNNAT pool VPN
ip nat pool VPN 10.15.25.1 10.15.25.254 prefix-length 24
This doesn't translate anything though. I know I'm missing something.
I am not clear what your topology is and not very clear on exactly what you are trying to accomplish. But it seems to me that if you want to translate traffic only when it goes through a tunnel that the solution is to set up the translation with a route map and in the route map you can match on the outbound interface as well as matching on the addresses. Taking your second option as a model it might look something like this:
ip nat inside source route-map tun_nat pool VPN
route-map tun_nat permit 10
match ip address VPNNAT
match interface tunnel0
That should work if the source address is 192.168.1.0, the destination address is 192.168.2.0, and it is going through interface tunnel 0. Give it a try and let us know how it works.
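A complete configuration built from the reply above, added here as an illustration and not taken from either post. The interface names, the tunnel addressing (172.16.0.0/30) and the tunnel peer 203.0.113.2 are assumed; only the 192.168.1.0/24, 192.168.2.0/24 and 10.15.25.0/24 networks come from the thread.

```cisco
! LAN side: hosts 192.168.1.0/24 that must appear as 10.15.25.0/24 to the far site
interface GigabitEthernet0/0
 description Inside LAN (assumed name)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Internet-facing interface; traffic leaving here is NOT translated,
! because the route map below only matches Tunnel0
interface GigabitEthernet0/1
 description WAN uplink (assumed name)
 ip address 198.51.100.10 255.255.255.248
 ip nat outside
!
! The tunnel must also be marked as a NAT outside interface or no
! inside->outside translation will ever be attempted on it
interface Tunnel0
 description Site-to-site tunnel to the 192.168.2.0/24 site (assumed addressing)
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.2
 ip nat outside
!
! Address condition: only flows from the LAN to the remote site
ip access-list extended VPNNAT
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Both match clauses in one sequence are ANDed: the packet must hit the
! ACL AND be routed out Tunnel0. Anything else falls through untranslated.
route-map tun_nat permit 10
 match ip address VPNNAT
 match interface Tunnel0
!
ip nat pool VPN 10.15.25.1 10.15.25.254 prefix-length 24
ip nat inside source route-map tun_nat pool VPN
!
! Verification (constructed expectation): a ping from 192.168.1.20 to
! 192.168.2.5 creates an entry such as
!   Inside global 10.15.25.x   Inside local 192.168.1.20   Outside 192.168.2.5
! while a flow from 192.168.1.20 to the Internet creates none.
!   show ip nat translations
!   show route-map tun_nat
```

If the tunnel is IPsec with a crypto map on the physical interface rather than a tunnel interface, `match interface Tunnel0` has nothing to match; the same effect then needs a crypto ACL and NAT ACL written against the translated 10.15.25.0/24 addresses, since inside-to-outside NAT runs before encryption.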