IPSec site-to-site with NAT Overload

Dears,

I am a little bit confused when configuring IPSec site-to-site with NAT overload. I have two questions:

1- I need to know the order of operations between NAT overload (including either an ACL or a route-map) and crypto map (including an ACL). For example

if I have the following example:

access-list 101 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 102 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 102 permit ip any any
!
crypto map cmap1 1 ipsec-isakmp
 match address 101
!
route-map rmap1 permit 1
 match ip address 102
!
ip nat inside source route-map rmap1 interface s0/0 overload
!
int s0/0
 crypto map cmap1

And if I make a ping from 1.1.1.2 to 2.2.2.2, how will the ICMP packets be treated by the router?

Also, if I did not add the deny entry in access-list 102, how will the ICMP packets be treated by the router?

2- What is the difference between using a route-map and an ACL in NAT overload:

ip nat inside source route-map rmap1 interface s0/0 overload

ip nat inside source list 102 interface s0/0 overload

Your help is really appreciated.

Best regards,

Moustafa

1 Reply

Collin Clark
VIP Alumni