We'd like to NAT the source private IP from our AWS end over an IPSec VPN tunnel on the other end, which is a Cisco CSR 1000v router; here is the diagram. The IPSec VPN is configured as route-based via a tunnel interface with the AWS end. We'd like to NAT 10.251.15.102 to 189.40.1.x on the CSR1000v when it reaches node1 (10.15.25.23), sitting behind the customer CE router whose default gateway is set to 189.40.1.3 and is untouchable.
Here is the setting on the CSR1000v in terms of NAT:
int tunnel1
 ip nat inside
int GigabitEthernet2.3217
 ip add 189.40.1.1 255.255.255.240
 ip nat outside
ip access-list extended NATList
 permit ip 10.251.15.0 0.0.0.255 any
ip nat inside source list NATList interface GigabitEthernet2.3217 overload
No NAT is triggered at all after the above setting:
sh ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  GigabitEthernet2.3217
Inside interfaces:
  Tunnel1
Hits: 0 Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 8] access-list NATList interface GigabitEthernet2.3217 refcount 0
Any assistance is appreciated.