vpn with nat query

marcusbrutus · ‎08-31-2010

Hi,

Given the following setup: Router A connected to router B with VPN enabled between both routers for all traffic. The vpn endpoint on router B is int f0/0. Now let's say i wish to enable nat for all IP traffic coming from int f0/0 of router B so that it will be natted when it goes out its int f1/0, is this option feasible? Is it possible to enable both vpn and nat on the same int, in this case f0/0? I am thinking that this may not work since the nat process on int f0/0 will not see any traffic since it is encrypted when it enters the int. A solution i am thinking would be to create a tunnel interface on both routers A and B and configure "ip nat inside" on the tunnel interface of router B.

Would really appreciate your expert thoughts on this.

Thank in advance.

marcusbrutus · ‎08-31-2010

Am thinking that maybe i should just configure the vpn for transport mode to avoid the added load of setting up a gre tunnel.

Would appreciate anyone's expert opinion on this.

Thanks.

Lei Tian · ‎09-01-2010

Hi,

It is ok to have crypto-map and nat on same interface. The router will decrypt first and then nat.

HTH,

Lei Tian

gatlin007 · ‎09-01-2010

This Cisco document is a great resource for determining the order events occur in regard to NAT, ACL, Rate-Limit, IPSEC, etc.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Chris