NAT over ipsec VPN


Hello Cisco Pros,

I have a router with a single internet-routable IP address, and an IPsec VPN connection via a Tunnel0 interface. I'd like to set up NAT through the router such that traffic arriving from anywhere on the Internet on port 80 goes to a different host across the IPsec VPN on port 8080. I've tried a lot of different configuration examples, and can't seem to get it right. Is this at all possible?

I've tried:

interface Tunnel0
 ip address
 ip nat inside
interface FastEthernet 1/0
 ip address
 ip nat outside
ip nat inside source static tcp 8080 80

(where is a host across the VPN tunnel, and is the external IP address of F1/0)

Nothing I'm trying is working. Thanks for your suggestions!

yagnesh_tel Tue, 08/25/2009 - 13:09

Could you break down your issue using IP addresses? From which interface packets enter and exit?

Sure, packets will enter through the F1/0 interface, and will be destined for (or a similar IP if I cannot use F1/0's address). I'd then like to NAT the traffic using Tunnel0's IP address.

So it works like this:

Internet User --> --> goes through vpn to

Hope this makes sense.

yagnesh_tel Tue, 08/25/2009 - 15:10

What is the source address of Tunnel0? Are you sourcing the tunnel from f1/0?

Yes, I am sourcing it from F1/0:

I can change where traffic is sourced from, if necessary. I just need Internet users to be NATted over the IPsec VPN tunnel somehow. Thanks!

interface Tunnel0
 ip address
 ip nat inside
 ip virtual-reassembly
 tunnel source
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P1

yagnesh_tel Wed, 08/26/2009 - 06:02

I think that's the reason why it's not working right now. Here 'ip nat inside' and 'ip nat outside' are virtually present on the same physical interface f1/0.

Is it possible for you to use a tunnel source interface other than f1/0?

I have a host on the other side of the VPN tunnel. I do not want this host to see the true source of the outside global host. No matter how I set up NAT, the outside global's source IP always comes through to my inside local host.

How (using NAT), can I have traffic from an Internet host flow through the router, so that my inside host only sees an IP request coming from the router?
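The behaviour this last question is about, as an added illustration that is not part of this thread and is not Cisco IOS code: a small Python model of the router's translation table. It contrasts the destination-only static entry the poster tried (the client's source address passes through unchanged to the host behind the tunnel) with an added per-flow source translation to the Tunnel0 address, which is what it takes for the tunnel host to see only the router. All addresses are constructed documentation and RFC 1918 values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class NatRouter:
    """Model of the static port forward from the thread (outside :80 -> tunnel
    host :8080). With hide_source=True a per-flow PAT entry also rewrites the
    client source to the Tunnel0 address, which the last question asks for."""

    def __init__(self, outside_ip, tunnel_ip, inside_host, hide_source):
        self.outside_ip, self.tunnel_ip = outside_ip, tunnel_ip
        self.inside_host, self.hide_source = inside_host, hide_source
        self.flows = {}          # tunnel-side port -> (client ip, client port)
        self.next_port = 1024    # next free PAT port on the Tunnel0 address

    def outside_to_inside(self, p):
        """Packet entering F1/0 (ip nat outside), to be routed into Tunnel0."""
        if (p.dst, p.dport) != (self.outside_ip, 80):
            return None                      # no static entry matches: dropped here
        src, sport = p.src, p.sport          # destination-only NAT: source untouched
        if self.hide_source:
            sport = self.next_port
            self.next_port += 1
            self.flows[sport] = (p.src, p.sport)
            src = self.tunnel_ip             # tunnel host now sees the router only
        return Pkt(src, sport, self.inside_host, 8080)

    def inside_to_outside(self, p):
        """Reply entering Tunnel0 (ip nat inside), to be routed out of F1/0."""
        if (p.src, p.sport) != (self.inside_host, 8080):
            return None
        dst, dport = p.dst, p.dport
        if self.hide_source:                 # undo the PAT entry for this flow
            if p.dst != self.tunnel_ip or p.dport not in self.flows:
                return None
            dst, dport = self.flows.pop(p.dport)
        return Pkt(self.outside_ip, 80, dst, dport)

def round_trip(hide_source):
    """One request from a constructed Internet client and the tunnel host's reply."""
    r = NatRouter("203.0.113.2", "10.0.0.1", "10.1.1.10", hide_source)
    fwd = r.outside_to_inside(Pkt("198.51.100.7", 40000, "203.0.113.2", 80))
    back = r.inside_to_outside(Pkt(fwd.dst, fwd.dport, fwd.src, fwd.sport))
    return fwd, back
```

`round_trip(False)[0].src` is still the client's own address, while `round_trip(True)[0].src` is the Tunnel0 address and the reply is still mapped back to the right client.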
