Cisco ipsec vpn with NAT'ed address

Hello,
I have to create a site-to-site ipsec vpn with the local address nat'ed before going over the tunnel. Would this config work? Any advice greatly appreciated. Thanks.

access-list 120 remark ACL for VPN traffic (crypto ACL, written against the post-NAT address)
access-list 120 remark host 192.168.a.b NAT'ed to 12.a.b.c
access-list 120 permit icmp host 12.a.b.c host 192.168.v.w
access-list 120 permit tcp host 12.a.b.c host 192.168.v.w eq ftp

! assumed ISAKMP policy (not in the original post); pre-shared keys need a policy with authentication pre-share
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key presharedkey address 135.l.m.n
crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map mycryptomap 20 ipsec-isakmp
 set peer 135.l.m.n
 set transform-set myset
 match address 120
 reverse-route static

access-list 121 remark ACL for myroutemap (pre-NAT addresses; only traffic to the single remote host)
access-list 121 permit ip host 192.168.a.b host 192.168.v.w

route-map myroutemap permit 10
 match ip address 121

! static NAT is only applied when the route map permits the flow, so other VPN traffic keeps 192.168.a.b
ip nat inside source static 192.168.a.b 12.a.b.c route-map myroutemap

interface FastEthernet0/0
 ip address 12.a.b.g 255.255.255.0
 ip nat outside
 ! the crypto map goes on the interface facing the peer (the NAT outside side), not on the LAN interface
 crypto map mycryptomap

interface FastEthernet0/1
 ip address 192.168.a.g 255.255.255.0
 ip nat inside

addendum:
the vpn device on my side is a 2801 router with Version 12.3(14)T2
the host must only be NAT'ed for traffic to that single remote host. No NAT for VPN traffic to other networks.
cavacamite (ASKER):

Sorry... the vpn device on my side is a 2801 router with Version 12.3(14)T2. Thanks.
Hi

snippet from

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml

IPsec NAT Transparency

The IPsec NAT Transparency feature introduces support for IP Security (IPsec) traffic to travel through Network Address Translation (NAT) or Point Address Translation (PAT) points in the network by addressing many known incompatibilities between NAT and IPsec. NAT Traversal is a feature that is auto detected by VPN devices. There are no configuration steps for a router that runs Cisco IOS Software Release 12.2(13)T and later. If both VPN devices are NAT-T capable, NAT Traversal is auto detected and auto negotiated.

Thanks for the link.
What I'm trying to verify is if the route map config will work so that the NAT'ed address forms the tunnel for traffic only to that remote host and not NAT traffic for other VPN connections.
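The point being asked about, whether a route-map conditioned static NAT translates only the flows to the one remote host and whether the crypto ACL then sees the translated address, can be checked mechanically. The following script is an added example written for this thread (not the asker's config and not a Cisco tool): it parses a constructed config in the same shape as the question, using RFC 5737 documentation addresses in place of the asker's placeholders, and simulates the IOS inside-to-outside order of operations, in which NAT runs before the crypto map is consulted. The function and field names are this example's own. The sample deliberately leaves the crypto map on the inside (ip nat inside) interface so the placement check has something to flag.

```python
"""Consistency check for a Cisco IOS site-to-site IPsec + conditional static NAT config.

Simulates the inside-to-outside path: conditional NAT first, then the crypto ACL is
tested against the translated packet, so the crypto ACL must name the NAT'ed address.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the shape of the question; RFC 5737 addresses stand in for the
# asker's placeholders.  The crypto map is deliberately on the inside interface here.
SAMPLE_CONFIG = """
access-list 120 remark ACL for VPN traffic
access-list 120 permit icmp host 203.0.113.10 host 192.168.50.20
access-list 120 permit tcp host 203.0.113.10 host 192.168.50.20 eq ftp
crypto map mycryptomap 20 ipsec-isakmp
 set peer 198.51.100.1
 match address 120
access-list 121 permit ip host 192.168.10.5 host 192.168.50.20
route-map myroutemap permit 10
 match ip address 121
ip nat inside source static 192.168.10.5 203.0.113.10 route-map myroutemap
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 crypto map mycryptomap
"""


@dataclass
class Config:
    acls: dict = field(default_factory=lambda: defaultdict(list))  # number -> [(proto, src, dst)]
    route_maps: dict = field(default_factory=dict)                  # name -> match ACL number
    crypto_maps: dict = field(default_factory=dict)                 # name -> match address ACL
    static_nats: list = field(default_factory=list)                 # [(local, global, route-map|None)]
    interfaces: dict = field(default_factory=dict)                  # name -> {"nat": ..., "crypto": ...}


def parse(text):
    """Minimal parser for the handful of IOS statements this check cares about."""
    cfg, ctx = Config(), None  # ctx tracks the open route-map / crypto map / interface block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"access-list (\d+) permit (\S+) host (\S+) host (\S+)", line):
            cfg.acls[m[1]].append((m[2], m[3], m[4]))
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)(?: route-map (\S+))?$", line):
            cfg.static_nats.append((m[1], m[2], m[3]))
        elif m := re.match(r"route-map (\S+) permit \d+", line):
            ctx = ("rm", m[1])
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            ctx = ("cm", m[1])
        elif m := re.match(r"interface (\S+)", line):
            ctx = ("if", m[1])
            cfg.interfaces[m[1]] = {}
        elif ctx and ctx[0] == "rm" and (m := re.match(r"match ip address (\d+)", line)):
            cfg.route_maps[ctx[1]] = m[1]
        elif ctx and ctx[0] == "cm" and (m := re.match(r"match address (\d+)", line)):
            cfg.crypto_maps[ctx[1]] = m[1]
        elif ctx and ctx[0] == "if":
            if line in ("ip nat inside", "ip nat outside"):
                cfg.interfaces[ctx[1]]["nat"] = line.split()[-1]
            elif m := re.match(r"crypto map (\S+)$", line):
                cfg.interfaces[ctx[1]]["crypto"] = m[1]
    return cfg


def acl_permits(cfg, acl, proto, src, dst):
    """True if some entry of the numbered ACL covers the flow (an 'ip' entry covers any protocol)."""
    return any(p in ("ip", proto) and s == src and d == dst for p, s, d in cfg.acls.get(acl, []))


def evaluate_flow(cfg, proto, src, dst):
    """Inside->outside: apply conditional static NAT, then test the crypto ACLs against the
    translated packet.  Returns (source address on the wire, encrypted?)."""
    wire_src = src
    for local, global_addr, rmap in cfg.static_nats:
        if src == local and (rmap is None or acl_permits(cfg, cfg.route_maps[rmap], proto, src, dst)):
            wire_src = global_addr
            break
    encrypted = any(acl_permits(cfg, acl, proto, wire_src, dst) for acl in cfg.crypto_maps.values())
    return wire_src, encrypted


def crypto_map_placement_warnings(cfg):
    """A crypto map belongs on the interface facing the peer, i.e. the 'ip nat outside' side."""
    return [f"{name}: crypto map {attrs['crypto']} is on a non-outside interface"
            for name, attrs in cfg.interfaces.items()
            if "crypto" in attrs and attrs.get("nat") != "outside"]


if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    for proto, dst in (("icmp", "192.168.50.20"), ("tcp", "192.168.50.20"), ("icmp", "192.168.60.7")):
        print(proto, "192.168.10.5 ->", dst, evaluate_flow(cfg, proto, "192.168.10.5", dst))
    for warning in crypto_map_placement_warnings(cfg):
        print("WARNING:", warning)
```

Run against the sample, the two flows to 192.168.50.20 come out translated to 203.0.113.10 and matched by crypto ACL 120, while a flow from the same host to a different VPN destination (192.168.60.7) is left untranslated because route-map ACL 121 does not permit it; that second flow is also not matched by ACL 120, so any other tunnel would need its own crypto ACL entries written against the real 192.168.x address. The placement check reports the crypto map sitting on the inside interface.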