crypto map with NAT

Unanswered Question
Mar 8th, 2011

Hi all,

I have this situation, I need to establsih an IPsec communication to another site but I need to identify all my packets sent, as a different networks as my local one. for example: my local network is and I need to sent packets as I suppose that I need to do Nat with this IPs. But in this router Nat is already applied to outbound traffic to Internet. How can I apply this NAT to cryptomap only?

My router is a cisco 877 with 12.4 IOS an this is the relevant configuration, crypto map vpn it´s used tosent traffic to second site.

crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxx address  XX.XX.XX.XX

crypto ipsec transform-set vpn esp-3des esp-sha-hmac

crypto map vpn 1 ipsec-isakmp
set peer XX.XX.XX.XX

set transform-set vpn
match address NET

interfaz  vlan1

ip address

ip nat inside

interface ATM0.1 point-to-point
ip address XX.YY.YY.YY
ip nat outside
ip virtual-reassembly

crypto map vpn

ip nat inside source list 101 interface ATM0.1 overload
ip nat inside source static tcp zz.zz.zz.zz 25 interface ATM0.1 25

ip access-list extended NET

permit ip any
permit ip any

access-list 101 permit ip any any

thanks in advance

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
JORGE RODRIGUEZ Fri, 03/11/2011 - 13:35


Follow these two examples, disregard the overlaping networks scenario,  just follow the logical  to  accomplish your requirements.

Your LAN IP subnet to be NATed as   for the Ipsec tunnel , when you define interestng traffic in your acl that will be the acl that  will be applied to the crypto map thus applied to the Ipsec tunnel , the other acls will NOT  be applied there.

ip nat inside source static network /24 no-alias

access-list 100 permit ip

crypto map vpn 1 ipsec-isakmp
set peer XX.XX.XX.XX

set transform-set vpn
match address 100 

the far end router/firewall  will need the to allow your NATed  network  in their interresting  traffic acl.


Gustavo Medina Fri, 03/11/2011 - 14:43

Hello Carlos,

First of all, you might wanna change access-list 101 as the permit ip any any will block router services such as ssh, sing ACL for NAT with permit ip any any as you can get unpredictable results. Now, as per your situation we need Policy NAT so we'll do the translation just when going to a specific destination. what I'm saying is this:

access-list 133 permit ip

access-list 133 permit ip

route-map static-vpn
  match ip address 133

ip nat pool NAT-POOL netmask type match-host

ip nat inside source route-map static-vpn pool NAT-POOL reversible

no ip access-list extended NET

ip access-list extended NET

permit ip

permit ip

crypto map vpn 1 ipsec-isakmp

match address NET

Of course at the other site they must mirror the interesting traffic.

Hope this helps.



This Discussion

Related Content