Comments on: Cisco – How to configure nat for an IPSec VPN

By: Darko

Darko — Tue, 05 Jul 2011 15:52:20 +0000

Disregard this about private addresses.
My bad.
Only correction needed is with ip nat command. After that , everything works as intended.

Best regards.

By: Darko

Darko — Mon, 04 Jul 2011 15:12:29 +0000

There is an error in configuration :

router(config)#ip nat source route-map POLICY-NAT interface s0/0 overload

Insted it should be :

router(config)#ip nat inside source route-map POLICY-NAT interface s0/0 overload.

This way when you ping from 192.168.1.0 subnet to any address except toward subnet 192.168.2.0 , inside address will be NATed into 12.34.56.2 and there will be response traffic.

But with this configuration private address space addresses from subnet 192.168.1.0 and 192.168.2.0 will be sent over link which should not happen in real world.

By: Josh

Josh — Sat, 25 Jun 2011 05:30:27 +0000

Hello Geeshan,

Please post the route-map and acces-list configs.

Josh

By: Geeshan

Geeshan — Tue, 21 Jun 2011 16:31:50 +0000

I am having a problem as well.

The issue I am having has to do with outbound traffic from the nat entry.

router(config)#ip nat source route-map POLICY-NAT interface s0/0 overload
router(config)#
router(config)#ip nat inside source static tcp 192.168.1.10 25 12.34.56.2 25 route-map POLICY-NAT extendable

Using the above example, my issue is when you do route-map, it works over the VPN but the outgoing traffic routes through the IP assigned to S0/0, instead of the 12.34.56.2 IP address.

How would I get the static entry to work over VPN AND route outbound traffic over the static IP assigned, oppose to the overload entry.

By: SP

SP — Tue, 31 May 2011 14:01:05 +0000

Hello All,

I have a situation where there is customer router behind the ce router on both sides.Ipsec tunnel between these two routers and my ce router are doing natting.
connection given below:

customer rtr1 – ce1 – pe1 – cloud – pe2- ce2- customer rtr2

i am constatntly geting following mesg on both the customer routers:
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at x.x.x.x

Please can anyone let me know if they have configured any similar scenario? Any idea what teh above error means ?

By: joky

joky — Wed, 02 Feb 2011 13:00:01 +0000

I would also like to know, if it is possible to NAT to a different IP when going into VPN tunnel than when going to the internet. Not just disable source NAT for VPN tunnel, but NAT it into something different. I owe you a beer if you provide me with a solution.

Best regards

By: uday

uday — Mon, 10 Jan 2011 09:35:07 +0000

Hi this is kiran help me i problem on cisco router 2800.One ISP With Multipl pubil IP Address.How to Config help me please please

By: HPR

HPR — Mon, 29 Jun 2009 13:36:15 +0000

HI
is it posible to configure NAT for trafic intended for the IPSEC tunnel…
I want to hide my inside ip but route trafik inside an IPSEC tunnel over the internet.
The reciver must only see 1 IP from my nat pool

By: Dmitry

Dmitry — Wed, 27 May 2009 14:27:35 +0000

Forgot to stress that marker points to the route-map command.

By: Dmitry

Dmitry — Wed, 27 May 2009 14:22:15 +0000

Hi Josh,

thank you very much for the useful video.

But what if you need translate (PAT) some public port to the inside one?

ip nat inside source static tcp 192.168.10.2 3389 interface fastEthernet4 23389 route-map nonat

% Invalid input detected at ‘^’ marker.

OS 12.4(T4) CISCO 877

Regards,
Dmitry