In previous tutorials, I showed you how to configure a branch office IPsec VPN and how to configure NAT overload on an internet router. This tutorial combines the two.



Traffic destined for the VPN tunnel cannot be NATed; it needs to travel through the VPN tunnel untranslated. A special NAT configuration must be used to prevent the VPN "interesting" traffic from being translated while still translating normal internet-bound traffic.

There are two ways to prevent outbound VPN traffic from being translated (an access-list or a route-map), but only one way for inbound traffic (a route-map). I prefer to use a route-map because I only have to build the route-map configuration once and it can then be used for both the dynamic (overload) and the static NAT statements.



Here is the short list of commands:

router#config t
router(config)#ip access-list extended NAT
router(config-ext-acl)#deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
router(config-ext-acl)#permit ip any any
router(config)#route-map POLICY-NAT 10
router(config-route-map)#match ip address NAT
router(config)#ip nat inside source route-map POLICY-NAT interface s0/0 overload
router(config)#ip nat inside source static tcp 192.168.1.10 25 12.34.56.2 25 route-map POLICY-NAT extendable
router(config)#interface f1/0
router(config-if)#ip nat inside
router(config-if)#interface s0/0
router(config-if)#ip nat outside
router#copy run start
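The route-map works because of how IOS evaluates the access-list it references: a packet that hits the deny entry (local LAN to remote VPN LAN) does not match the route-map and is passed untranslated, while a packet that reaches the permit entry is translated. The order of the two entries matters, and the deny must mirror the crypto ACL that defines the VPN's interesting traffic. The following Python script is an added example, not part of the original tutorial: it parses the extended ACL in the IOS "address wildcard" form, applies first-match semantics, reports whether a given flow would be exempted or translated, and checks a NAT exemption ACL against a crypto ACL. The addresses and the crypto ACL text are constructed for the example, modelled on the tutorial's 192.168.1.0/24 and 192.168.2.0/24 networks.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample input: the NAT exemption ACL from the tutorial.
NAT_ACL_TEXT = """
ip access-list extended NAT
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip any any
"""

# Constructed sample input: a crypto ACL describing the VPN "interesting" traffic.
CRYPTO_ACL_TEXT = """
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # "any" or "address wildcard", e.g. "192.168.1.0 0.0.0.255"
    dst: str


def _take_spec(tokens, i):
    """Consume one address specification (any / host X / address wildcard)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"{tokens[i + 1]} 0.0.0.0", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_acl(text: str) -> list:
    """Parse the IP-only entries of an 'ip access-list extended' block."""
    entries = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] in ("ip", "!"):
            continue  # skip the header line and IOS comments
        action, proto = tok[0], tok[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACL line: {raw!r}")
        src, i = _take_spec(tok, 2)
        dst, _ = _take_spec(tok, i)
        entries.append(AclEntry(action, src, dst))
    return entries


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is a don't-care."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def nat_decision(acl, src: str, dst: str) -> str:
    """First-match evaluation as used by 'match ip address' in a NAT route-map:
    a permit means the flow is translated, a deny (or the implicit deny at the
    end of the list) means the flow leaves the router untranslated."""
    for e in acl:
        if wildcard_match(src, e.src) and wildcard_match(dst, e.dst):
            return "translate" if e.action == "permit" else "exempt"
    return "exempt"


def uncovered_vpn_flows(nat_acl, crypto_acl) -> list:
    """Return crypto-ACL permit entries that the NAT ACL does not exempt with a
    matching deny. Any entry returned here would be translated before encryption
    and therefore never match the tunnel."""
    return [
        c for c in crypto_acl
        if c.action == "permit"
        and not any(n.action == "deny" and n.src == c.src and n.dst == c.dst for n in nat_acl)
    ]


if __name__ == "__main__":
    nat = parse_acl(NAT_ACL_TEXT)
    crypto = parse_acl(CRYPTO_ACL_TEXT)
    print("LAN -> VPN peer :", nat_decision(nat, "192.168.1.25", "192.168.2.40"))
    print("LAN -> internet :", nat_decision(nat, "192.168.1.25", "203.0.113.9"))
    print("unexempted VPN flows:", uncovered_vpn_flows(nat, crypto))
```

Reordering the two ACL entries so that `permit ip any any` comes first makes `nat_decision` return "translate" for the site-to-site flow, which is exactly the misconfiguration that leaves a tunnel up but passing no traffic; running the coverage check before deploying a change to either ACL catches a remote subnet that was added to the crypto ACL but not to the NAT exemption.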


The static NAT part was not shown in the video tutorial, but the command is listed above. That example translates SMTP (TCP port 25) traffic for the public IP address 12.34.56.2 to the internal server 192.168.1.10; because the same route-map is attached, mail traffic between the server and the remote VPN site is still left untranslated.

