Router-to-router IP Security (IPSec) Virtual Private Networks (VPNs) are used to protect site-to-site data transfer over public networks. The site-to-site traffic that needs to be protected is tunneled by the router on the edge of the network to its remote IPSec peer.
Edge routers are also configured for Network Address Translation (NAT) or Port Address Translation (PAT) to assign globally unique, routable addresses to devices with private IP addresses. NAT and IPSec might be needed together on a device when the same link is used to reach the Internet as well as remote branches of the corporate network. While address translation of non-IPSec-protected data is necessary, the IPSec-protected data can be allowed through without address translation.
IPSec traffic can be exempted from address translation with route maps. For example, to allow IPSec-protected traffic between the private network 10.10.10.0/24 and remote site network 10.10.12.0/24 to pass through without address translation, perform these steps:
Define an Access Control List (ACL) and choose the keyword deny for all IPSec protected traffic. To define the ACL, issue the access-list command in global configuration mode, as shown in this output:
access-list 110 deny ip 10.10.10.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
This ACL denies traffic between networks 10.10.10.0/24 and 10.10.12.0/24, which is IPSec encrypted, while permitting traffic from 10.10.10.0/24 to all other networks.
Define a route map and bind the ACL to it by issuing the match command.
To define the route map, issue the route-map command in global configuration mode and the match command in route-map configuration mode, as shown in this output:
route-map map1 permit 10
 match ip address 110
To specify the inside addresses that need to be translated, reference the route map in the ip nat inside source command, as shown in this command:
ip nat inside source route-map map1 interface Ethernet0 overload
The ip nat inside source command uses route map map1 to determine which inside addresses need to be translated. Route map map1 matches access-list 110, which is configured with the keyword deny for traffic between the two private networks being IPSec-protected, so that traffic is not address translated. Traffic from the private network that goes on to the Internet, however, is port address translated to the address on the Ethernet0 interface.
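The following is an added example, not part of the original tech note, that models the NAT exemption decision the route map above makes: it evaluates access-list 110 (with the 10.10.10.0/24 and 10.10.12.0/24 networks named in the text) against sample packets using Cisco wildcard-mask semantics, so you can check which flows are translated and which are exempted, including what happens if the deny and permit entries are accidentally reordered. The sample packet addresses are constructed for illustration.

```python
import ipaddress

# Access-list 110 from the tech note, as (action, src_net, src_wildcard, dst_net, dst_wildcard).
# Cisco wildcard masks: a 0 bit must match, a 1 bit is "don't care"; "any" is 0.0.0.0 255.255.255.255.
ACL_110 = [
    ("deny",   "10.10.10.0", "0.0.0.255", "10.10.12.0", "0.0.0.255"),
    ("permit", "10.10.10.0", "0.0.0.255", "0.0.0.0",    "255.255.255.255"),
]


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """True if addr falls inside net under a Cisco-style wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w  # bits that must be equal
    return (a & care) == (n & care)


def acl_action(acl, src: str, dst: str) -> str:
    """First-match evaluation of a standard/extended IP ACL, with the implicit deny at the end."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"  # implicit deny any


def nat_translates(acl, src: str, dst: str) -> bool:
    """Decision made by 'ip nat inside source route-map map1 ...' with 'match ip address <acl>':
    a packet is translated only when the ACL permits it; a deny (explicit or implicit) exempts it."""
    return acl_action(acl, src, dst) == "permit"


if __name__ == "__main__":
    # Constructed sample flows (198.51.100.9 is a documentation address standing in for an Internet host).
    flows = [
        ("10.10.10.5", "10.10.12.7"),    # site-to-site, IPSec-protected: must NOT be translated
        ("10.10.10.5", "198.51.100.9"),  # Internet-bound: should be PAT-translated
        ("10.10.11.5", "198.51.100.9"),  # not in 10.10.10.0/24: implicit deny, never translated
    ]
    for src, dst in flows:
        print(f"{src} -> {dst}: {'translate' if nat_translates(ACL_110, src, dst) else 'exempt'}")
    # Misconfiguration check: with the permit entry first, VPN traffic would be translated
    # before encryption and the crypto ACL on the peer would no longer match it.
    reordered = list(reversed(ACL_110))
    print("reordered ACL translates VPN traffic:", nat_translates(reordered, "10.10.10.5", "10.10.12.7"))
```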