cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1099
Views
5
Helpful
15
Replies

NAT over IPSec tunnel on destination router not working

david.wang
Level 1
Level 1

We'd like to nat the source private IP from our AWS end over IPSec VPN tunnel on another end, which is Cisco CSR 1000v router, here is the diagram. IPSec VPN is configured with route-based via tunnel interface with AWS end, we'd like to nat 10.251.15.102 to 189.40.1.x on CSR1000v when it reaches node1 (10.15.25.23) sitting behind the customer CE router which default gateway is set to 189.40.1.3 and untouchable,

here is setting on CSR1000v in terms of natting:

int tunnel1

ip nat inside

int GigabitEthernet2.3217

ip add 189.40.1.1 255.255.255.240

ip nat outside

ip access-list extended NATList

permit ip 10.251.15.0 0.0.0.255 any

ip nat inside source list NATList interface GigabitEthernet2.3217 overload

no natting triggerred at all after above setting:

sh ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
GigabitEthernet2.3217
Inside interfaces:
Tunnel1
Hits: 0 Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 8] access-list NATList interface GigabitEthernet2.3217 refcount 0

davidwang_1-1706667216395.png

any assistance is appreciated.

 

15 Replies 15

If you want same IP to NAT to different mapped ip if the destiantion is different then you can use what we called conditional static NAT'

The core of this type of NAT is use route-map with NAT match ip extended acl.

Thanks 

MHM