11-01-2022 01:42 PM
Hello all,
I ran into a strange issue (at least for me). About half a year ago a customer asked me for a fast configuration of their new ISR 1100. I configured basic things and NAT for users. However, in a hurry I used a standard ACL, which looks like this:
ip access-list standard LAN
permit 192.168.0.0 0.0.255.255
Now they asked me to build a s2s IPsec tunnel. My question is how to implement no-NAT when a standard ACL is in place (overloading the WAN interface) and I cannot delete it and replace it with an extended ACL. Can I leave the standard ACL as it is and add another ACL with no-NAT and overload the WAN interface again?
Current state:
ip access-list standard LAN
permit 192.168.0.0 0.0.255.255
ip nat inside source list LAN interface gig 0/0 overload
With no NAT for IPsec traffic:
ip access-list standard LAN
permit 192.168.0.0 0.0.255.255
ip access-list extended NoNAT
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
ip nat inside source list LAN interface gig 0/0 overload
ip nat inside source list NoNAT interface gig 0/0 overload
Will this work?
Thank you and have a nice day!
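Added example, not from the thread: a small Python model of IOS first-match ACL evaluation and dynamic NAT rule selection, run over the ACLs from the question above. It assumes the usual IOS semantics (first matching entry wins, implicit deny at the end, a NAT rule translates only flows its ACL permits) and uses constructed host addresses; it shows why a deny-only ACL exempts nothing and how a single extended ACL with the deny ahead of the permit does.

```python
import ipaddress

def _addr(tokens):  # consume one IOS address spec: 'any' or 'NET WILDCARD'
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(lines):
    """Parse ACL entries; a leading 'ip' marks the extended (source + destination) form."""
    entries = []
    for line in lines:
        action, *tokens = line.split()
        if tokens[0] == "ip":                 # extended ACL: protocol, source, destination
            src, tokens = _addr(tokens[1:])
            dst, _ = _addr(tokens)
        else:                                 # standard ACL: source only, no destination test
            src, _ = _addr(tokens)
            dst = None
        entries.append((action, src, dst))
    return entries

def wildcard_match(addr, net, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)

def evaluate(acl, src, dst):
    """First matching entry decides; no match at all is the implicit deny."""
    for action, s, d in acl:
        if wildcard_match(src, *s) and (d is None or wildcard_match(dst, *d)):
            return action
    return "deny"

def nat_rule_for(rules, src, dst):
    """Name of the first 'ip nat inside source list' rule whose ACL permits the flow, or None."""
    for name, acl in rules:
        if evaluate(acl, src, dst) == "permit":
            return name
    return None

# ACLs exactly as proposed in the question: standard LAN list plus a deny-only NoNAT list.
PROPOSED = [("LAN", parse_acl(["permit 192.168.0.0 0.0.255.255"])),
            ("NoNAT", parse_acl(["deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255"]))]
# One extended ACL with the deny ahead of the permit, referenced by a single overload rule.
CORRECTED = [("LAN", parse_acl(["deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255",
                                "permit ip 192.168.0.0 0.0.255.255 any"]))]

def decisions(rules):
    """Which rule translates the site-to-site flow and an Internet-bound flow (constructed hosts)."""
    return (nat_rule_for(rules, "192.168.10.5", "192.168.20.7"),    # Site A -> Site B
            nat_rule_for(rules, "192.168.10.5", "198.51.100.10"))   # Site A -> Internet
```

With the proposed ACLs `decisions(PROPOSED)` returns `('LAN', 'LAN')`, so the tunnel traffic is still translated by the LAN rule; with the extended ACL it returns `(None, 'LAN')`.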
11-01-2022 01:51 PM
11-01-2022 02:31 PM
Thank you for the link, but I'm not sure if I found the answer in it. Could you please describe it in more detail? I think this is not what I'm looking for.
11-01-2022 08:22 PM
Depending on how you build your s2s ipsec tunnel it is quite possible that the source address may not be the LAN subnet and there is no issue about NAT. Can you share some details about how you plan to implement the s2s ipsec tunnel?
11-01-2022 10:34 PM
Hello Richard, there are some VLANs on both sides and the customer needs to implement a s2s IPsec tunnel between two local subnets:
Site A 192.168.10.0/24, Site B 192.168.20.0/24
I just plan to implement a standard IPsec IKEv2 tunnel, but I need to do no-NAT; as I mentioned, a standard ACL is currently in place for overloading. So I would just like to know if there is a possibility to combine two ACLs and use two overloads on the same WAN interface. I cannot disable NAT and delete the current standard ACL...
Thank you.
11-02-2022 01:38 AM
https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13778-9.html
Static NAT + Dynamic NAT
There are two approaches:
1- Using deny in the ACL of the dynamic NAT to exclude the IP of the static NAT.
This approach is used only when you want the server to use only static NAT and never dynamic NAT.
2- Not using deny in the ACL of the dynamic NAT.
This approach works and allows the server (in your case the IPsec peer) to use both static NAT and dynamic NAT.
The example above lists how you can use both NATs at the same time without using deny in the ACL, and this is what you want, because in this case you will not change/modify your old standard ACL.