

I'm having a hard time getting this to work. I know exactly what the problem is, I just don't know of a decent workaround. I have a 3620 which is at my corporate office. On the LAN side of that router is our trusted, private network. That router provides NAT services to everyone on its LAN side -- employee workstations. The WAN side connects into my core. Via the core, you hit the mail servers, other servers and also the internet is reached by traversing the core.

The problem is that I want to set up this 3620 to terminate IPSec VPNs via the VPN Client as well. Setting up the VPNs isn't the problem, the problem is NAT. FE0/0 is the WAN side of the 3620 -- ip nat outside. FE0/1 is the LAN side of the 3620 -- ip nat inside. The problem is that the IPSec Clients come in on FA0/0 (via the core) and get an RFC1918 address from a pool. This IP is not routable through the rest of the core so they need to be natted to reach the mail servers and other company assets. That can't be done because that interface (FE0/0 or the WAN interface) is already configured with ip nat outside.

The only workaround I can see is to set up VLANs on FA0/0. vlan 10 would be the WAN vlan with ip nat outside, vlan 20 would be the IPSec vlan with ip nat inside and FA0/1 would have no VLANs -- rather it would just be the interface connected to the workstations in the office.

Oh, I'm also using IPSec redundancy via HSRP to add a little more complexity to it. If I wasn't, I could use loopbacks but then I have no redundancy, rather manual switchover between servers by the clients, which sucks! :(

I'm pretty sure this VLAN workaround would work, but I'm hoping there is a more elegant solution than configuring VLANs all over the place. I'm hoping there is a configuration switch somewhere that takes this sort of configuration into account.

I could redistribute the RFC1918 space assigned to IPSec users into my IGP and in turn throughout my core so it would no longer require natting, but that takes away from some of the security, no?

Thanks for your thoughts, pros...


Re: IPSec & NAT

I think this might do the trick, try configuring dynamic NAT.

For sample config check the following URL