Bidirectional NAT site to site vpn

mihai.vasc · ‎04-19-2021

Hi guys,

I have the following scenario: Site to Site vpn with NAT configured on local cisco router like bellow (remote network not managed by me)

Outgoing vpn traffic is overload NAT-ed

ip nat pool NAT_POOL 10.62.15.67 10.62.15.68 netmask 255.255.255.240

ip nat inside source list ACL_NAT_OUT pool NAT_POOL overload

ip access-list ext ACL_NAT_OUT

permit ip 10.1.48.0 0.0.0.255 10.141.165.0 0.0.0.255

Incoming traffic for local host 10.1.48.37 is NAT-ed like

ip nat inside source static 10.1.48.37 10.62.15.83 route-map RM_NAT_STATIC extendable reversible

ip access-list ext ACL_NAT_STATIC

permit ip host 10.1.48.37 10.141.165.0 0.0.0.255

route-map RM_NAT_STATIC permit 10
match ip address ACL_NAT_STATIC

Once I configure the incoming one to one NAT, the outbound traffic from local host 10.1.48.37 to remote host 10.141.165.22 is not working anymore.

Can you please tell me what is wrong?

Thanks

paul driver · ‎04-19-2021

Hello
Not quite what you are trying to accomplish here, you mention bi-directional nat and show a static nat route-map statement, which based on source/destination traffic flow, Which probably isn't necessary, as by default any static nat/pat statements are bi-directional anyway, However what is incorrect is the inside global addressing allocated for the static nat -10.62.15.83, which isn't in the same subnet as the inside global addressing of the nat pool. - 10.62.15.64/28

so if you are wanting to use 10.62.15.83 then it needs to be reachable externally to your rtr

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

MHM Cisco World · ‎04-19-2021

please draw what you want if you can ?