08-31-2010 06:36 PM - edited 03-04-2019 09:37 AM
Hi,
Given the following setup: Router A connected to router B with VPN enabled between both routers for all traffic. The VPN endpoint on router B is int f0/0. Now let's say I wish to enable NAT for all IP traffic coming from int f0/0 of router B so that it will be natted when it goes out its int f1/0, is this option feasible? Is it possible to enable both VPN and NAT on the same int, in this case f0/0? I am thinking that this may not work since the NAT process on int f0/0 will not see any traffic since it is encrypted when it enters the int. A solution I am thinking would be to create a tunnel interface on both routers A and B and configure "ip nat inside" on the tunnel interface of router B.
Would really appreciate your expert thoughts on this.
Thanks in advance.
08-31-2010 06:56 PM
I am thinking that maybe I should just configure the VPN for transport mode to avoid the added load of setting up a GRE tunnel.
Would appreciate anyone's expert opinion on this.
Thanks.
09-01-2010 03:51 AM
Hi,
It is OK to have crypto-map and NAT on the same interface. The router will decrypt first and then NAT.
HTH,
Lei Tian
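An added example, not part of the original posts and not a configuration from any poster: a minimal router B configuration with the crypto map and `ip nat inside` on the same interface (f0/0), as the reply above describes. All addresses, object names, the key placeholder, and the assumption that router A's LAN is 10.1.1.0/24 are constructed for illustration.

```cisco
! Router B (constructed example). Assumed addressing:
!   Router A peer address 192.0.2.1, router A LAN 10.1.1.0/24
!   Router B f0/0 192.0.2.2 (VPN endpoint), f1/0 198.51.100.2 (NAT outside)
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Crypto ACL: mirror of router A's "10.1.1.0/24 to any" policy
ip access-list extended VPN-TRAFFIC
 permit ip any 10.1.1.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS-AES
 match address VPN-TRAFFIC
!
! NAT ACL matches the decrypted (inner) source addresses,
! because decryption happens before NAT on the inbound path
ip access-list extended NAT-SOURCES
 permit ip 10.1.1.0 0.0.0.255 any
!
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 ip nat inside
 crypto map VPN-MAP
!
interface FastEthernet1/0
 ip address 198.51.100.2 255.255.255.0
 ip nat outside
!
ip nat inside source list NAT-SOURCES interface FastEthernet1/0 overload
!
! Return traffic is untranslated on f1/0, routed back toward router A,
! then matched by VPN-TRAFFIC and encrypted on f0/0
ip route 10.1.1.0 255.255.255.0 192.0.2.1
```

On router B, `show crypto ipsec sa` and `show ip nat translations` show whether decapsulated packets are being counted and then translated.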
09-01-2010 04:34 PM
This Cisco document is a great resource for determining the order events occur in regard to NAT, ACL, Rate-Limit, IPSEC, etc.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
Chris