Simultaneous NAT overload (internet) and NAT overlapping for IPsec

Unanswered Question
May 20th, 2010
User Badges:

Hi all,

Have been bashing my head against this for the last couple of days and was wondering if anyone might be able to take a look at the config and point where I might be approaching this wrong...

My current lab is configured as:

Two sites (SITE1/SITE2) connected via a third third router (ISP) - There is a pure IPsec tunnel between SITE1 and SITE2. Both SITE1 and SITE2 have overlapping IP addresses (SITE1 uses and SITE2 uses and - however, we're only presented with access to via the IPsec VPN)

Okay... Overlapping NAT's - I need to remap what each end see's as its destination - SITE2 sees SITE1 as (rather than and SITE1 see's SITE2 without translation (as we'll never be talking to their anyway, only which doesn't match our internal subnet)

SITE1 also has an internet connection via ISP1 which is used to simultate access to the internet via a NAT overload statement (multiple machines in SITE1 need to access the internet via a single internet IP.

SITE1's internal IP is
SITE1's external IP is

ISP1's link to SITE1 is on
ISP1's link to SITE2 is on

SITE2's internal IP's are and
SITE2's external IP is

IPsec traffic between workstations located within SITE1 to workstations within SITE2 is fine (on either or subnets) however, I'm unable to access the internet via the NAT overload from SITE1.

Your assistance is muchly appreciated - I'm sure it can be done and I'm positive I'm well on the way to making it happen, but for the life of me, I just can't make that last 'step' to actually having it work.

Results of "debug ip nat detailed" on SITE1 when attempting to ping from SITE1PC (

*Mar  1 02:12:05.459: NAT*: i: icmp (, 6) -> (, 6) [30]
*Mar  1 02:12:05.463: NAT*: i: icmp (, 6) -> (, 6) [30]
*Mar  1 02:12:05.467: NAT*: s=>, d= [30]
*Mar  1 02:12:05.603: NAT*: o: icmp (, 6) -> (, 6) [30]
*Mar  1 02:12:05.607: NAT*: s=, d=> [30]
*Mar  1 02:12:05.663: NAT*: i: icmp (, 6) -> (, 6) [31]
*Mar  1 02:12:05.663: NAT*: s=>, d= [31]
*Mar  1 02:12:05.675: NAT*: o: icmp (, 6) -> (, 6) [31]
*Mar  1 02:12:05.679: NAT*: s=, d=> [31]
*Mar  1 02:12:05.691: NAT*: i: icmp (, 6) -> (, 6) [32]
*Mar  1 02:12:05.691: NAT*: s=>, d= [32]
*Mar  1 02:12:05.707: NAT*: o: icmp (, 6) -> (, 6) [32]
*Mar  1 02:12:05.711: NAT*: s=, d=> [32]
*Mar  1 02:12:05.723: NAT*: i: icmp (, 6) -> (, 6) [33]
*Mar  1 02:12:05.723: NAT*: s=>, d= [33]
*Mar  1 02:12:05.731: NAT*: o: icmp (, 6) -> (, 6) [33]
*Mar  1 02:12:05.735: NAT*: s=, d=> [33]
*Mar  1 02:12:05.751: NAT*: i: icmp (, 6) -> (, 6) [34]
*Mar  1 02:12:05.751: NAT*: s=>, d= [34]
*Mar  1 02:12:05.791: NAT*: o: icmp (, 6) -> (, 6) [34]
*Mar  1 02:12:05.795: NAT*: s=, d=> [34]

As we can see, is being translated to and then passed via IPsec to (SITE2PC) and the same occurs coming back.

However, when attempting to ping 'an internet site' (eg, SITE2's interface on ISP1) its "also" translating the addresses across to

*Mar  1 02:12:19.095: NAT*: i: icmp (, 7) -> (, 7) [35]
*Mar  1 02:12:19.099: NAT*: i: icmp (, 7) -> (, 7) [35]
*Mar  1 02:12:19.099: NAT*: s=>, d= [35]
*Mar  1 02:12:21.091: NAT*: i: icmp (, 7) -> (, 7) [36]
*Mar  1 02:12:21.091: NAT*: s=>, d= [36]
*Mar  1 02:12:23.071: NAT*: i: icmp (, 7) -> (, 7) [37]
*Mar  1 02:12:23.071: NAT*: s=>, d= [37]
*Mar  1 02:12:25.055: NAT*: i: icmp (, 7) -> (, 7) [38]
*Mar  1 02:12:25.055: NAT*: s=>, d= [38]
*Mar  1 02:12:27.071: NAT*: i: icmp (, 7) -> (, 7) [39]
*Mar  1 02:12:27.071: NAT*: s=>, d= [39]

I'm guessing this is definitely the issue - eg, it appears to be attempting to translate ALL traffic from 10.1.1.x to 192.168.40.x (where x be 10 for this test) although it should ONLY be translating 10.1.1.x to 192.168.40.x for traffic destined to or

Needless to say, updating the INTERNAL-OVERLOAD-TO-INTERNET ACL to allow for doesn't work (and I dont believe it should double NAT (NAT to and then NAT overload as

Something to do with the route maps maybe?

Anyone know the differences between using "ip policy route-map" on the internal interface versus "ip nat inside source route-map...." at NAT level?

Obviously, pinging the external interface of SITE1 from SITE1PC (eg, from works fine - however, I can't ping the ISP side of the ISP-SITE1 link (

Your help is VERY much appreciated


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jennifer Halim Thu, 05/20/2010 - 22:05
User Badges:
  • Cisco Employee,

Before going further on the actual NAT, I fail to see how your internal subnets on both sites are overlapping.

You have listed the following:

Site 1 LAN:

Site 2 LAN:, but you only need access to

So I don't think the following overlaps: ---> ---> --->

The above 3 subnets do not overlap with each other.

If you otherwise still want to go ahead with the NAT, please let me know and I will look further. Otherwise, I would just keep it simple without the NAT.

justintwiss Fri, 05/21/2010 - 04:08
User Badges:

Hi Halijenn,

My bad and thanks, you're the first person who's picked that up in my posting on any forums.

I meant to show Site 2 LAN actually using rather than /16 - For some reason, when I typed that in I knew it was wrong but couldn't work out how (and given it was late at night here and I'd just spent another 3-4 hours trying various solutions to this before deciding to put it to the forums I think I'll excuse myself )

There is definitely NAT required - even though we're only presented with, the provider on the other side of the IPsec VPN is definitely using IP's within - If they ever present as an IPsec range, things could get interesting but I'd just have to present that /24 as a network NAT (back to SITE2)

Another forum has suggested using route maps rather than the 'lists' in the NAT statements before - My only experience to date (with route-maps in particular) has been with pure IPsec tunnels which require forcing the IPsec traffic to not be natted (and hence routing to a loopback interface to avoid the NAT overload) so I'm currently working my way through Cisco's policy based routing documentation.

Any suggestions from anyone for alteration of the config I'd be very much thankful for - this is all currently running within my lab at the office so we're able to recover from any suggestion, be it wrong or right (or on the right path )

Of course, this is the one piece of hardware they're yet to get SmartNet on so I can't ask TAC for support yet but the quote's on their desk and when I get into the office on Monday (having just come off 3 weeks leave) I'll be getting them to approve it and push the order through...

jesper_petersen Wed, 09/22/2010 - 06:06
User Badges:

Hi Justin

I'm trying to reach the same goal as you, but I've been unable to get there as of yet.

Did you find a solution?

Best regards,



This Discussion

Related Content