Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
423
Views
0
Helpful
5
Replies

Cisco IPsec S2S tunnel no NAT question

Patrik Nechajev
Level 1
Level 1

‎11-01-2022 01:42 PM

Hello all,

i ran into a strange issue (at least for me). Like a half year ago customer asked me for fast configuration of their new ISR 1100. I have configured basic things and NAT for users. However in a hurry i have used standard acl which looks like this:

ip access-list standard LAN
permit ip 192.168.0.0 0.0.255.255

Now they asked me to build s2s ipsec tunnel. My question is how to implement no NAT when standard ACL is in place (overloading WAN interface) and i cannot delete it and replace it with extended ACL. Can i leave standard ACL how it is and add another ACL with no NAT and overload WAN interface again?

current state:
ip access-list standard LAN
permit ip 192.168.0.0 0.0.255.255

ip nat inside source list LAN interface gig 0/0 overload

with no nat for ipsec traffic:

ip access-list standard LAN
permit ip 192.168.0.0 0.0.255.255

ip access-list extended NoNAT
deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

ip nat inside source list LAN interface gig 0/0 overload
ip nat inside source list NoNAT interface gig 0/0 overload

Will this work?
Thank you and have a nice day!

 

 

Labels:
0 Helpful
5 Replies 5

Patrik Nechajev
Level 1
Level 1
In response to MHM Cisco World

‎11-01-2022 02:31 PM

Thank you for the link, but i'm not sure if i found answer in it. Could you please describe in more detail? I think this is not what i'm looking for.  

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Patrik Nechajev

‎11-01-2022 08:22 PM

Depending on how you build your s2s ipsec tunnel it is quite possible that the source address may not be the LAN subnet and there is no issue about NAT. Can you share some details about how you plan to implement the s2s ipsec tunnel?

HTH

Rick
0 Helpful

Patrik Nechajev
Level 1
Level 1
In response to Richard Burts

‎11-01-2022 10:34 PM

Hello Richard, there are some VLANs on both sides and customer needs to implement s2s ipsec tunnel between two local subnets:

Site A 192.168.10.0/24, Site B 192.168.20.0/24

I just plan to implement standard ipsec ikev2 tunnel but i need to do no NAT, as i mentioned standard acl is currently in place for overloading. So i just would like to know if there is possibiliity to combine two acl and use two overloads on same WAN interface. I cannot disable NAT and delete current standard acl...

Thank you.

0 Helpful

MHM Cisco World
VIP
VIP
In response to Patrik Nechajev

‎11-02-2022 01:38 AM

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13778-9.html

 

Static NAT + Dynamic NAT 
have two approach 
1- using deny in ACL of Dynamic NAT to exclude IP of static NAT 
this approach is use only when you want server to only use static NAT and never use dynamic 

2- not using deny in ACL of Dynamic NAT 
this approach is work and it allow Server (in your case the IPSec Peer) to both using static NAT and dynamic NAT 
example above list how you can use both NAT in same time without using deny in ACL and this what you want because in this case you will not change/modify your OLD standard ACL 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card