IPSec tunnel and policy NAT question

Hello All!

I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:

1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end

2. I need to translate outgoing IP address of our end of IPSec tunnel to a different IP address

I have implemented the following configuration, but for some reason it is not working. I get packets decrypted on my end, but don't have packets encrypted to send to the other end.

Here is the configuration

Remote end  crypto interesting ACL:

ip access-list extended crypto-interesting-remote

permit ip host host

My end configuration:

interface GigabitEthernet0/0

ip address yyy.yyy.yyy.yyy

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

crypto map VPN

ip access-list extended crypto-interesting-local

permit ip host host

interface GigabitEthernet0/3

ip address

ip nat inside

ip virtual-reassembly in

speed auto

ip nat inside source static   (to translate local IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)

ip nat outside source static (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)

ip route gigabitethernet 0/0

ip route

All the routes are set, the crypto IPsec tunnel is up and working, and I am wondering if it is possible to achieve two-way NAT translation?

Any response highly appreciated!


IPSec tunnel and policy NAT question

Figured that out.

The problem was in route

ip route gigabitethernet 0/0

should use a next-hop IP address instead of the interface gigabitethernet0/0

Apparently the packet arrives on the interface but does not pass it when having a route like this, because there is no one sitting with that IP address on the outside.
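The layout the thread arrives at, written out as an added illustration rather than the poster's own configuration: all addresses are RFC 5737 documentation ranges chosen for the example, and the interface names, crypto map name and ACL name follow the post.

```cisco
! Added example, not the original configuration. Constructed addresses:
!   192.0.2.10     real local host (inside local)
!   203.0.113.10   local host as presented to the peer (inside global)
!   198.51.100.10  real remote host behind the peer (outside global)
!   10.10.10.10    remote host as presented on our LAN (outside local)
!   203.0.113.1    this router's WAN address, 203.0.113.254 its next hop
!
! 1. Local host rewritten toward the tunnel (this part already worked).
ip nat inside source static 192.0.2.10 203.0.113.10
!
! 2. Remote host rewritten toward the LAN.
ip nat outside source static 198.51.100.10 10.10.10.10
!
! Inside-to-outside packets are routed on the still-untranslated
! destination 10.10.10.10 before the outside-source rule rewrites it,
! so that address needs a route. Point it at the next-hop IP: an
! interface-only route on an Ethernet segment makes the router ARP for
! 10.10.10.10 on the WAN, nobody answers (unless the next hop proxy-ARPs),
! and the packet is dropped before it ever reaches the crypto map.
! (The add-route keyword on the outside-source line installs the same
! host route automatically.)
ip route 10.10.10.10 255.255.255.255 203.0.113.254
!
! The crypto ACL must match the post-NAT addresses as they appear on
! the wire; the peer's ACL mirrors it (198.51.100.10 -> 203.0.113.10).
ip access-list extended crypto-interesting-local
 permit ip host 203.0.113.10 host 198.51.100.10
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 crypto map VPN
!
interface GigabitEthernet0/3
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
```

After applying it, `show ip nat translations` should list both static entries and `show crypto ipsec sa` should show the encaps counter rising, not only decaps.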