Cisco Support Community
IPSec site-to-site with Nat Overload

Dears,

I am a little bit confused when configuring IPSec site-to-site with NAT overload. I have two questions:

1- I need to know the order of operations between NAT overload (including either an ACL or a route-map) and crypto map (including an ACL). For example, if I have the following:

access-list 101 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 102 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 102 permit ip any any

crypto map cmap1 1 ipsec-isakmp
 match address 101

route-map rmap1 permit 1
 match ip address 102

ip nat inside source route-map rmap1 interface s0/0 overload

int s0/0
 crypto map cmap1

And if I ping from 1.1.1.2 to 2.2.2.2, how will the ICMP packets be treated by the router?

Also, if I did not add the deny entry in access-list 102, how will the ICMP packets be treated by the router?

2- What is the difference between using route map and ACL in NAT overload:

ip nat inside source route-map rmap1 interface s0/0 overload

ip nat inside source list 102 interface s0/0 overload

Your help is really appreciated

Best regards,

Moustafa
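
The scenario in the question, modelled as an added example that is not part of the original post: it evaluates ACL 102 (NAT selection) and ACL 101 (crypto map) in first-match order, with and without the deny entry, to show when the ping stays in the tunnel and when it leaves translated and unencrypted. Assumptions: on Cisco IOS the inside-to-outside path applies NAT before the crypto map check, the LAN interface is `ip nat inside` and s0/0 is `ip nat outside` (not shown in the post), and `S0_0_ADDR` is a constructed placeholder because the post does not give the s0/0 address.

```python
import ipaddress

def wild_match(ip, net, wildcard):
    """IOS wildcard-mask match: bits set in the wildcard are 'don't care'."""
    ip_i, net_i, w_i = (int(ipaddress.IPv4Address(x)) for x in (ip, net, wildcard))
    care = ~w_i & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)

def acl_match(acl, src, dst):
    """First-match evaluation of an extended IP ACL, implicit deny at the end."""
    for action, (s_net, s_wild), (d_net, d_wild) in acl:
        if wild_match(src, s_net, s_wild) and wild_match(dst, d_net, d_wild):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")
LAN_A = ("1.1.1.0", "0.0.0.255")
LAN_B = ("2.2.2.0", "0.0.0.255")

ACL_101 = [("permit", LAN_A, LAN_B)]                      # crypto map cmap1
ACL_102 = [("deny", LAN_A, LAN_B), ("permit", ANY, ANY)]  # NAT, as posted
ACL_102_NO_DENY = [("permit", ANY, ANY)]                  # NAT, deny entry omitted

S0_0_ADDR = "203.0.113.1"  # constructed placeholder for the s0/0 address

def egress(src, dst, nat_acl, crypto_acl=ACL_101, nat_ip=S0_0_ADDR):
    """Model the inside-to-outside path: NAT first, then the crypto map check
    against the header as it looks after NAT (assumed IOS order of operations)."""
    translated = acl_match(nat_acl, src, dst)
    if translated:
        src = nat_ip  # overload (PAT) rewrites the source to the interface address
    encrypted = acl_match(crypto_acl, src, dst)
    return {"src_on_wire": src, "translated": translated, "encrypted": encrypted}

if __name__ == "__main__":
    cases = [
        ("1.1.1.2 -> 2.2.2.2, ACL 102 as posted", "2.2.2.2", ACL_102),
        ("1.1.1.2 -> 2.2.2.2, deny entry missing", "2.2.2.2", ACL_102_NO_DENY),
        ("1.1.1.2 -> 8.8.8.8, ACL 102 as posted", "8.8.8.8", ACL_102),
    ]
    for label, dst, nat_acl in cases:
        print(label, egress("1.1.1.2", dst, nat_acl))
```

In the model, the missing deny entry is the failure to check for on a real router: the source is rewritten before the crypto ACL is consulted, so site-to-site traffic no longer matches access-list 101 and is sent outside the tunnel.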

1 REPLY

Re: IPSec site-to-site with Nat Overload
