640 Views | 0 Helpful | 7 Replies

NATting to a single address for VPN

carl_townshend

Hello

I have a router connected to my Cisco ASA, for which there is a site-to-site tunnel established. Can anyone tell me what I would do on the router to NAT all addresses coming from the router to the ASA to a single address? Like PAT, but through the tunnel.

cheers

Carl

7 Replies

Hi,

You would need to create the NAT configuration for PAT, and then specify that the interesting traffic is from the PAT address to the other site's subnet.

The only difference is to specify the VPN traffic from the PAT address, instead of specifying the interesting traffic from the real subnet.

Another note: if you do it like this, you can only initiate the tunnel from the router's side.

Translation always happens before encryption.

Federico.

Hi There

I understand what you are saying, but could you please give me an example of what you would do here? Would you just do something like

ip nat inside source list 1 pool xx overload

Then would I reference the pool in the crypto map?

cheers

Carl

To PAT inside the tunnel, you create the NAT configuration as usual:

ip nat inside source route-map NAT interface OUTSIDE0/0 overload
route-map NAT
 match ip address 199
 set ip next-hop x.x.x.x   -->  default gateway or path through the tunnel
access-list 199 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255

What you're doing with the above configuration is to PAT traffic from 10.x.x.x to 192.168.1.x (assuming 10.x.x.x is the network behind the router and 192.168.1.x is the network behind the ASA).

Then, you specify the interesting traffic (VPN traffic) to be from the PATed address to the ASA's network:

access-list 101 permit ip host 200.1.1.1 192.168.1.0 0.0.0.255

(assuming 200.1.1.1 is the OUTSIDE0/0 address, the interface where the crypto map is applied).

Access-list 101 is the ACL applied to the crypto map.

Remember that the ACL on the ASA should be a mirror of this ACL, and that the tunnel can only be initiated from the router's side.

Federico.
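A complete router-side configuration for the approach described in the reply above, as an added example that is not from the thread and not from Cisco documentation. The LAN 10.0.0.0/24, the ASA-side LAN 192.168.1.0/24 and the outside address 200.1.1.1 follow the thread; the interface names, the ASA peer address 203.0.113.1, the ISP next hop 200.1.1.2, the names TS-ASA, CM-ASA and NAT-VPN, the IKE/IPsec proposal and the pre-shared key placeholder are all assumptions. The commented ASA lines at the end are the mirror side, assuming ASA 8.3 or later NAT syntax.

```cisco
! Added example, not from the thread. Assumed addressing:
!   10.0.0.0/24      LAN behind this router (real addresses, hidden by PAT)
!   192.168.1.0/24   LAN behind the ASA
!   200.1.1.1/30     this router's outside address = the PAT address
!   200.1.1.2        ISP next hop (default gateway), assumed
!   203.0.113.1      ASA outside address, assumed
!
! --- IKEv1 phase 1 (proposal values are assumptions) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <pre-shared-key> address 203.0.113.1
!
! --- IPsec phase 2 ---
crypto ipsec transform-set TS-ASA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: the interesting traffic is the PAT address (post-translation),
! not the real 10.0.0.0/24 subnet. The ASA ACL must be its mirror.
access-list 101 permit ip host 200.1.1.1 192.168.1.0 0.0.0.255
!
crypto map CM-ASA 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-ASA
 match address 101
!
! --- NAT: overload traffic bound for the ASA site onto the outside address ---
! Only the match clause is needed; NAT uses the route map for classification.
access-list 199 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
route-map NAT-VPN permit 10
 match ip address 199
ip nat inside source route-map NAT-VPN interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/1
 description LAN (assumed interface name)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 description WAN to ISP (assumed interface name)
 ip address 200.1.1.1 255.255.255.252
 ip nat outside
 crypto map CM-ASA
!
! Default route to the ISP next hop; this is the "x.x.x.x" asked about in the thread.
ip route 0.0.0.0 0.0.0.0 200.1.1.2
!
! --- ASA side (mirror), assumed ASA 8.3+ syntax, shown for reference ---
! access-list VPN-ROUTER extended permit ip 192.168.1.0 255.255.255.0 host 200.1.1.1
! object network LAN-ASA
!  subnet 192.168.1.0 255.255.255.0
! object network ROUTER-PAT
!  host 200.1.1.1
! nat (inside,outside) source static LAN-ASA LAN-ASA destination static ROUTER-PAT ROUTER-PAT no-proxy-arp route-lookup
```

On the inside-to-outside path IOS translates before it encrypts, so a packet from 10.0.0.5 to 192.168.1.10 first becomes 200.1.1.1 to 192.168.1.10 and only then is matched by ACL 101 and sent into the tunnel; the ASA therefore sees a single host, which is why its crypto ACL names host 200.1.1.1 and why nothing behind the ASA can initiate a connection to a specific host behind the router. Traffic from 10.0.0.0/24 to the internet is not covered by NAT-VPN and needs its own NAT statement. Verify with show ip nat translations, show crypto isakmp sa and show crypto ipsec sa.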

Hi There

Thanks for the reply

Can you tell me what the end point address would be through the tunnel, or the default gateway?

route-map NAT
 match ip address 199
 set ip next-hop x.x.x.x   -->  default gateway or path through the tunnel

cheers

Carl

x.x.x.x will be the default gateway of the Router (the next-hop to reach the ASA).

Give it a shot and let us know if the tunnel establishes.

You can use the commands:

sh ip nat trans -->  to verify PAT is taking place
sh cry isa sa   -->  to verify phase 1
sh cry ips sa   -->  to verify phase 2

Federico.

Hi

I'm still unsure. Will the next hop just be my ISP internet router address then?

Correct.

The IP of your ISP router that belongs to the same subnet as your router.

In other words, your router's default gateway.

Federico.
