VPN and NAT with Loopback interface

mljevakovic
Level 3

How can we configure the router to work per the following request:

When users from the LAN want to contact the central site, they have to pass through NAT and go out with the loopback address, which should go into the tunnel.

When users want to go to the Internet, they bypass NAT with the loopback address and go out to the outside with the outside address.

3 Replies

Eduardo Aliaga
Level 4

Quite an interesting issue!

Suppose your LAN is 10.10.10.x and your central site is 20.20.20.x.

Let's attack NAT first. I will make it simpler by putting the IP address of the loopback interface in a "NAT pool". We also need to make the router aware that for different destinations you need different NATs.

! LAN-facing interface: the side whose addresses get translated
int g1/0
  description LAN
  ip nat inside
!
! Loopback whose address becomes the translated source toward the central site
int loopback 0
  ip address 1.1.1.1 255.255.255.0
!
int g2/0
  description INTERNET
  ip nat outside
!
! Single-address pool holding the loopback address
ip nat pool LOOPBACK-POOL 1.1.1.1 1.1.1.1 netmask 255.255.255.0
!
! Two NAT rules; each ACL selects traffic by destination
ip nat inside source list INTERNET interface g2/0 overload
ip nat inside source list CENTRALSITE pool LOOPBACK-POOL overload
!
! Internet-bound traffic: everything from the LAN except central-site traffic
ip access-list extended INTERNET
  deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
  permit ip 10.10.10.0 0.0.0.255 any
  deny ip any any
!
! Central-site traffic only
ip access-list extended CENTRALSITE
  permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
  deny ip any any


Now we will attack the VPN issue. NAT generally messes up traditional ACL-based VPNs, so I will choose a route-based VPN. To do that I will need to create a tunnel interface and make sure to route through the tunnel interface. We also need to configure "ip nat outside" on the tunnel interface so we can mix VPN and NAT altogether. The following is the partial configuration of the VPN.

! Static route sending central-site traffic into the tunnel
! (ip route takes a subnet mask, not an ACL-style wildcard)
ip route 20.20.20.0 255.255.255.0 Tunnel0
!
! Virtual tunnel interface; NAT outside here so LAN traffic routed into
! the tunnel is translated to the loopback address before encryption
int tunnel 0
  ip nat outside
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile Routed_VPN

I'm making this config from the top of my head; I didn't have time to prove it, so hopefully it's OK. If you give more information about your topology I could make a lab. Also, if you need more info about route-based VPNs you could read this: http://packetlife.net/blog/2011/aug/17/policy-based-vs-route-based-vpns-part-2/

Please rate if it helps. Kind regards.
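The following is a complete version of the design in the reply above, added here as an illustration and not part of Eduardo's post or of the original poster's configuration. It fills in what the partial config leaves out: the IKE policy, the IPsec transform set and profile that Tunnel0 references, the tunnel source and destination, and the default route. The peer address 203.0.113.2, the outside address 198.51.100.1 with next hop 198.51.100.254, the LAN gateway 10.10.10.1, the IKEv1 proposal (AES-256, SHA-256, DH group 14) and the pre-shared key placeholder are all assumptions for the example.

```cisco
! IKE phase 1 (assumed IKEv1 policy; use IKEv2 where both peers support it)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder pre-shared key bound to the assumed peer 203.0.113.2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! IPsec transform set and the profile the tunnel interface references
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile Routed_VPN
 set transform-set VTI-TS
!
interface GigabitEthernet1/0
 description LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet2/0
 description INTERNET
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
! Route-based VPN: a VTI that is also a NAT outside interface, so LAN
! traffic routed into it is translated to 1.1.1.1 before encryption
interface Tunnel0
 ip unnumbered GigabitEthernet2/0
 ip nat outside
 tunnel source GigabitEthernet2/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Routed_VPN
!
! For inside-to-outside traffic IOS routes first and translates second,
! so the route decides which NAT outside interface the packet leaves on
ip route 20.20.20.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 198.51.100.254
!
! Destination-selected NAT, as in the reply above
ip nat pool LOOPBACK-POOL 1.1.1.1 1.1.1.1 netmask 255.255.255.0
ip nat inside source list CENTRALSITE pool LOOPBACK-POOL overload
ip nat inside source list INTERNET interface GigabitEthernet2/0 overload
!
ip access-list extended CENTRALSITE
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
!
ip access-list extended INTERNET
 deny   ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
```

Two things to check once it is in place. First, the central site only ever sees 1.1.1.1 as the source of LAN traffic, so its router needs a route for 1.1.1.1/32 pointing back into its own tunnel; otherwise replies leave in the clear toward the Internet. Second, with a LAN host talking to both destinations, `show ip nat translations` should list 1.1.1.1 as the inside global address for 20.20.20.x flows and 198.51.100.1 for everything else, and `show crypto ipsec sa` should show the encapsulation counters on Tunnel0 rising only for the central-site flows. The INTERNET ACL's deny line is what keeps central-site traffic out of the interface-overload rule; remove it and the first matching rule in the list decides, which is the classic way this design breaks.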

Hi Eduardo,

(I hope I've written this correctly.)

We didn't have time to test your solution. Because of the importance of the problem, we had to find a solution. Anyway, thank you for your time. If you want, I can post the config of our solution.

Eduardo, I had almost the same task and your solution works.

Actually, if you use the loopback pool there is no need for the loopback interface itself.

Thank you.
