Hi.

I'm having some problem with source address with NAT of this configuration

lan (192.168.18.0/24) ----- (192.168.18.1) Router (217.x.150.130 /248) ----- inet gw

It's possible to use only 2 ip addresses from 217.x.150.130 /248 network.

I want to nat overload .130 to all lan, use it to connect to router and map some ports from it to lan hosts.

Map full ip .131 to host 192.168.18.4.

I'm using IPSec VPN to other lans too, so here is route-map

interface FastEthernet0/0
 description INET
 ip address 217.x.150.130 255.255.255.248
 ip nat outside
 crypto map CISCO
interface FastEthernet0/1
 description LAN
 ip address 192.168.18.1 255.255.255.0
 ip nat inside
ip nat inside source list 175 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.18.3 3389 217.x.150.130 3389 route-map POLICY-NAT extendable
ip nat inside source static 192.168.18.4 217.x.150.131 route-map POLICY-NAT
access-list 175 deny   ip 192.168.18.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 175 deny   ip 192.168.18.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 175 permit ip 192.168.18.0 0.0.0.255 any
route-map POLICY-NAT permit 10
 match ip address 175

Ok, i'm get outgoing connection from lan's hosts from public ip .130, and have incoming connections to public .131 going to .18.4. But outgoing connections from .18.4 are going from .130, not from .131. Why?

rk2811#sh ip nat translations | include 18.4
udp 217.x.150.130:123    192.168.18.4:123       85.21.78.91:123       85.21.78.91:123
--- 217.x.150.131        192.168.18.4           ---                   ---

When i'm edit nat mapping of .131 to

ip nat inside source static 192.168.18.4 217.x.150.131

(remove policy-map) then i get outgoing ip address .131 like it should be, but host .18.4 becomes unavialable from another end of IPSec VPN (because its answers go to NAT instead of IPSec tunnel)

So here is the question - how to get right outgoung ip addess when  using ip nat inside source static & route-map?

Thanks. (c2800nm-adventerprisek9-mz.124-21)