I have IPSec tunnel from remote location to central location( Cisco 7200). Problem is that remote location is different company and they use some of address range that we also use.
How can I configure NAT translation of their addresses to one address in my range on my router(central location)? If I put "ip nat inside" on interface toward internet I don't think it will work because original packet is encrypted (tunnel ends on loopback interface). And also I don't know if there is the way to put "ip nat inside" on IPSec tunel.
If anyone have idea how to solve this please help.
On your router & on the remote router, you can change the address to a different subnet using the route-map option.
Lets say your network is 172.16.1.0 255.255.255.0 and the remote side network is the same as well. You want to change your network to 192.168.1.0 255.255.255.0 and the remote side to 192.168.2.0 255.255.255.0
On your router,
a. Create an ACL
access-list 100 per ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
You have to put "ip nat inside" on your LAN interface and "ip nat outside" on your WAN interface.
In this case, you have to write an ACL that matches the interesting traffic. If your network is 172.16.1.0/24 and remote network is the same. You cant have the same network as the source on destination on an ACL for crypto. The packets will be routed internally.
Or you can add another router internally before the LAN segment of the 7200 and NAT your network to a different range.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...