IPsec VPN with Static Nat and Route-Maps

mbroberson1 · ‎12-15-2007

I am trying to setup a site to site vpn with a vendor. Om my end I have a Cisco 3825 router running 12.4 IOS. I am doing static nat translations for 3 internal hosts. I have been trying to test this in my lab, but am running into some issues. When I setup the VPN with the static nat translations it works just fine I I only use 1 host, I have encaps and decaps and the vpn is great, but when I use more that 1 hosts I have issues with the VPN not working properly. I am also using a route-map that calls my static nat translations and ACL's. I am attaching a config from my lab of both test routers.

smahbub · ‎12-21-2007

To configure static NAT with the route-map option, issue the ip nat inside source static local-ip global-ip route-map map-name command from global configuration mode. Identify the NAT inside and outside interfaces by issuing the ip nat inside command and the ip nat outside command under the specific interface configuration mode. The route-map should be configured to match the specific traffic that needs to be translated by issuing the match command.

For example, a router connects to the Internet through interface serial 0 and is connected through interface serial 1 to a partner network which uses the 192.168.1.0/24 address space. The LAN interface of the router is connected to the corporate inside network which belongs to the 10.0.0.0/8 network. The requirement is that an inside host 10.1.1.1, which could be a mail server, should be translated to address 209.165.201.1 when communicating with the Internet. The same host should be translated to the 172.16.1.1 address when communicating with the partner network. This is the relevant configuration on the router:

interface Ethernet0

ip address 10.1.1.100 255.0.0.0

ip nat inside