Cisco Support Community

New Member

NAT with VPN

Okay, I hope I can sound straightforward with this question. I have a site-to-site VPN set up with a client. This is my IPsec gateway, 199.178.216.5 (outside interface). I gave them an encryption domain of 199.178.216.5. Here is what my NAT command statements look like:

nat-control
global (outside) 1 199.178.216.100
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

My question is does the VPN tunnel nat to 199.178.216.100?  Can I make global (outside) 1 199.178.216.5 for just this tunnel?

Accepted Solutions
Super Bronze

NAT with VPN

Yes, you can.

You can configure policy NAT.

For example, your local subnet is 10.10.10.0/24, and remote subnet is 192.168.10.0/24, and you would like to NAT your local subnet of 10.10.10.0/24 to 199.178.216.5.

access-list nat-to-clientvpn permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 2 access-list nat-to-clientvpn
global (outside) 2 199.178.216.5

Then "clear xlate" after the above changes.

This assumes that the traffic is always initiated from your end to access the remote end; the remote end can't initiate a connection towards your end.

5 REPLIES

New Member

Re: NAT with VPN

Thanks to everyone that helped!!!

New Member

Re: NAT with VPN

This is what you will need:

Assuming your local subnet is 192.168.10.0/24 and the remote subnet is 192.168.20.0/24.

Create the ACL:

access-list policy_nat_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 2 access-list policy_nat_acl
global (outside) 2 199.178.216.100

The crypto ACL in the crypto map will be:

access-list crypto_acl extended permit ip host 199.178.216.100 192.168.20.0 255.255.255.0

Make sure that traffic from 192.168.10.0/24 to 192.168.20.0/24 is NOT part of the NAT exemption ACL.

Only your side will be able to initiate the tunnel.

New Member

NAT with VPN

One more question: can I have another VPN tunnel NAT to the same address 199.178.216.5? When I try to add the following statement, nat (inside) 2 access-list nat-to-newvpntunnel, I get this message: "Only one access-list can be associated with each Nat ID".

Super Bronze

NAT with VPN

You can just use the existing access-list and add another acl line.

If your existing NAT acl is called "nat-to-clientvpn", just add another line with the same name for the other VPN tunnel.
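Putting the accepted solution and the last reply together, here is an added worked configuration that is not from any post in the thread. It uses the same pre-8.3 ASA/PIX nat/global syntax the thread uses (ASA 8.3 and later replaced this with object and twice NAT). The outside address 199.178.216.5 and the Internet PAT lines come from the original question; the local LAN 10.10.10.0/24, the two remote LANs 192.168.10.0/24 and 192.168.30.0/24, the peer addresses, the exemption subnet 172.16.0.0/16 and all ACL, transform-set and crypto map names are assumptions for illustration. Two separate client tunnels are translated to the outside address with a single policy NAT ACL that carries one line per tunnel, the crypto ACLs match the translated source, and the NAT exemption ACL deliberately leaves the tunnel traffic out.

```cisco
! Added example configuration, not from the thread. Pre-8.3 ASA/PIX syntax.
! Assumed addressing: local LAN 10.10.10.0/24; remote LANs 192.168.10.0/24 and
! 192.168.30.0/24 behind two different peers; outside interface 199.178.216.5.
nat-control

! Ordinary Internet PAT (NAT ID 1), as in the original post.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 199.178.216.100
global (outside) 1 interface

! NAT exemption (nat 0) for traffic that must cross a tunnel untranslated
! (172.16.0.0/16 is an assumed example). The two client subnets below must
! NOT appear here: nat 0 is evaluated before policy NAT and would win.
access-list NO-NAT extended permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list NO-NAT

! Policy NAT (NAT ID 2): one ACL with one line per tunnel, because only one
! access-list can be bound to a NAT ID. A single global address means PAT,
! so only this side can initiate across these tunnels.
! (Follows the accepted answer in using the interface's own address; if the
! ASA rejects a global that overlaps the interface IP, use
! "global (outside) 2 interface" instead.)
access-list nat-to-clientvpn extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nat-to-clientvpn extended permit ip 10.10.10.0 255.255.255.0 192.168.30.0 255.255.255.0
nat (inside) 2 access-list nat-to-clientvpn
global (outside) 2 199.178.216.5

! Crypto ACLs match the TRANSLATED source: NAT is applied before the crypto
! map is consulted on the outbound path, and the encryption domain given to
! each client is the single host 199.178.216.5.
access-list crypto-client1 extended permit ip host 199.178.216.5 192.168.10.0 255.255.255.0
access-list crypto-client2 extended permit ip host 199.178.216.5 192.168.30.0 255.255.255.0

! Assumed transform set and crypto map (ISAKMP policy and tunnel-group
! pre-shared keys omitted). Peer addresses are assumed.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address crypto-client1
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 20 match address crypto-client2
crypto map OUTSIDE-MAP 20 set peer 203.0.113.20
crypto map OUTSIDE-MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! Apply the NAT change and verify which translation a tunnel flow received.
clear xlate
show run nat
show run global
show xlate
show crypto ipsec sa
```

After "clear xlate", start a flow from 10.10.10.0/24 to one of the client subnets and confirm in "show xlate" that it is translated to 199.178.216.5 rather than to 199.178.216.100 (the NAT ID 1 pool); "show crypto ipsec sa" should then show encaps counters rising on the matching crypto map entry. If the flow still shows the NAT ID 1 address, the most common causes are a stale xlate that was not cleared or a nat 0 exemption line that also matches the tunnel traffic.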
