Cisco Support Community

New Member

NAT over ipsec VPN

Hello Cisco Pros,

I have a router with a single internet-routable IP address, and an ipsec VPN connection via a Tunnel0 interface. I'd like to set up NAT through the router such that traffic arriving from anywhere on the Internet on port 80 goes to a different host across the ipsec VPN on port 8080. I've tried a lot of different configuration examples, and can't seem to get it right. Is this at all possible?

I've tried:

interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 ip nat inside

interface FastEthernet 1/0
 ip address 12.34.56.78 255.255.255.252
 ip nat outside

ip nat inside source static tcp 192.168.1.2 8080 12.34.56.78 80

(where 192.168.1.2 is a host across the VPN tunnel, and 12.34.56.78 is the external IP address of F1/0)

Nothing I'm trying is working. Thanks for your suggestions!

7 REPLIES
Bronze

Re: NAT over ipsec VPN

Could you break down your issue using IP addresses? From which interface do packets enter and exit?

New Member

Re: NAT over ipsec VPN

Sure, packets will enter through the F1/0 interface, and will be destined for 12.34.56.78 (or a similar IP if I cannot use F1/0's address). I'd then like to NAT the traffic using Tunnel0's IP address.

So it works like this:

Internet User --> 12.34.56.78:8080 --> goes through vpn to 192.168.1.2:80.

Hope this makes sense.

Bronze

Re: NAT over ipsec VPN

What is the source address of tunnel0? Are you sourcing the tunnel from f1/0?

New Member

Re: NAT over ipsec VPN

Yes, I am sourcing it from F1/0:

I can change where traffic is sourced from, if necessary. I just need Internet users to be NAT'ted over the IPsec VPN tunnel somehow.... Thanks!

interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 tunnel source 12.34.56.78
 tunnel destination 23.45.67.89
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P1

Bronze

Re: NAT over ipsec VPN

I think that's the reason why it's not working right now. Here 'ip nat inside' and 'ip nat outside' are virtually present on the same physical interface f1/0.

Is it possible for you to use an interface other than f1/0 as the tunnel source?

New Member

Re: NAT over ipsec VPN

Sure, I also have a F1/1 interface I could use. Let me try that and see if it fixes anything. Thanks for your replies!

New Member

Re: NAT over ipsec VPN

I have a host on the other side of the VPN tunnel. I do not want this host to see the true source of the outside global host. No matter how I set up NAT, the outside global's source IP always comes through to my inside local host.

How (using NAT) can I have traffic from an Internet host flow through the router, so that my inside host only sees an IP request coming from the router?

Thanks!
