Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

NAT - IPSEC preference


We are using 3845 router with 2 eth ports for IPSEC tunnel formation. Traffic arrives or leaves from Gig0/0 is enrypted. Crypto map is applied on gig0/0. (Traffic defined by Access-lists.) Then traffic is routed to Giga0/1 for further routing. This is working ok.

But now we are facing a problem as we are required to do Dest-NAT on these packets. When packets are arrived on Giga0/0 those should be decrypted first and then those should be Dest-Nated. That is after decryption has taken place we will replace the destination address in the packet and then route those packets to gig0/1. When the reply will come to these packets router shoud first do the nating and then encrypt and then route those out from Giga 0/0.

If the sequence is correct then only those packets will be encrypted.

As the packets to be encrypted or decrypted is decided by access-list. And all access lists are configured with existing IP addressing sceme it is not possible to change. So we have come up to new option of NAT. In short it will look like following

packet coming from outside world with destination as A.b.C.D is received on Gigi0/0 --> as per access list it matches the ip address Destination A.B.C.D then it is de-crypted. ----> then sent to Gigi0/1 for further routing. This is ok.

What we are looking for is some thing like this.

Packet comes from world with destination address A.B.C.D , it is received on Giga 0/0 ---> Access list is matched so a packet is decrypted ---> now change Destination IP address pf packet from A.B.C.D to new IP address as P.Q.R.S and then route it to Giga 0/1 for further routing. Similar when packet is coming back ( source and destination address swapped ) on Giga 0/1 ---> Replace Source Address by A.B.C.D --> Then this packet will match access-list and then it will be encrypted and will be sent from where is came from i.e to giga0/0. So in all this preference is important. if ip nat inside or outside are applied on interfaces and also crypto map is applied on Gig 0/0 which will take preference or can we configure it as the way we what.

Thanx in advance


Hall of Fame Super Blue

Re: NAT - IPSEC preference

Hi Subodh

I think this document should help you. It defines the order of NAT processing for both outbound and inbound traffic flows.



CreatePlease to create content