
New Member

IPsec and NAT

Hi,

I have an IPsec tunnel from a remote location to the central location (Cisco 7200). The problem is that the remote location is a different company and they use some of the address range that we also use.

How can I configure NAT translation of their addresses to one address in my range on my router (central location)? If I put "ip nat inside" on the interface toward the internet, I don't think it will work because the original packet is encrypted (the tunnel ends on a loopback interface). And also I don't know if there is a way to put "ip nat inside" on an IPsec tunnel.

If anyone has an idea how to solve this, please help.

Thanks,

A

4 REPLIES
Cisco Employee

Re: IPsec and NAT

Antonio -

On your router & on the remote router, you can change the address to a different subnet using the route-map option.

Let's say your network is 172.16.1.0 255.255.255.0 and the remote side network is the same as well. You want to change your network to 192.168.1.0 255.255.255.0 and the remote side to 192.168.2.0 255.255.255.0.

On your router,

a. Create an ACL

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

b. Create a route-map

route-map CRYPTONAT permit 10

match ip address 100

c. Create a static NAT with the route-map option (a whole subnet is translated with the "static network" form, which takes the prefix length rather than two masks)

ip nat inside source static network 172.16.1.0 192.168.1.0 /24 route-map CRYPTONAT

And you have to do this vice versa on the other end.

Let me know if this helps.

Thanks

Gilbert
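The central router's side of Gilbert's three steps, collected into one configuration as an added example (constructed for this thread, not Gilbert's or Cisco's configuration), with the "ip nat inside" on LAN / "ip nat outside" on WAN placement from the later reply. Interface names, the peer address, the pre-shared key and the transform set are assumptions, and the remote site is assumed to appear as 192.168.2.0/24 after translation on its end.

```cisco
! Central router (the 7200). Real LAN 172.16.1.0/24 is presented to the tunnel
! as 192.168.1.0/24; the remote site is reached as 192.168.2.0/24.
!
! Step a: route-map ACL. Inside-to-outside NAT evaluates the packet before
! translation, so this names the real local source and the translated remote net.
access-list 100 permit ip 172.16.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Step b: route-map so the static NAT applies only to tunnel traffic
route-map CRYPTONAT permit 10
 match ip address 100
!
! Step c: static network NAT (whole /24, host part preserved), gated by the route-map
ip nat inside source static network 172.16.1.0 192.168.1.0 /24 route-map CRYPTONAT
!
! Crypto ACL: on IOS, inside-to-outside NAT runs before IPsec encryption, so the
! crypto ACL must match the translated addresses. This is also why source and
! destination cannot both be 172.16.1.0/24, as the later reply points out.
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! IKE/IPsec parameters (placeholder peer 203.0.113.2 and placeholder key)
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.2
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 110
!
! LAN side (hypothetical interface name)
interface GigabitEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
! WAN side (hypothetical interface name)
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 crypto map VPN
```

To confirm the order of operations is doing what you expect, "show ip nat translations" should list 172.16.1.x to 192.168.1.x entries for tunnel flows, and "show crypto ipsec sa" should show 192.168.1.0/24 and 192.168.2.0/24 (not 172.16.1.0/24) as the local and remote identities of the SA.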

New Member

Re: IPsec and NAT

Hi Gilbert,

The problem is that I have to do everything on my router (I don't administer the other side and they don't want to change anything in their config).

Do I put "ip nat inside" on the LAN interface and "ip nat outside" on the WAN interface, or vice versa?

Thanks,

A

Cisco Employee

Re: IPsec and NAT

Hello Antonio,

You have to put "ip nat inside" on your LAN interface and "ip nat outside" on your WAN interface.

In this case, you have to write an ACL that matches the interesting traffic. If your network is 172.16.1.0/24 and the remote network is the same, you can't have the same network as the source and destination on a crypto ACL. The packets will be routed internally.

Or you can add another router internally before the LAN segment of the 7200 and NAT your network to a different range.

Will that work for you?

New Member

Re: IPsec and NAT

Thanks, it seems I will have to do it that way.

regards,

A
