Hi Jon

Well I need to NAT first because of the overlap on the remote end, then because its going over the VPN a NAT exempt also has to exsist right?

The only other NAT currently is to translate inside interface to a public IP on the outside interface.. 

do you mean i wouldn't need a NAT exempt and to just do the NAT and apply it prior to the other NAT rules?

The connection will be initiated from both sides, but the remote side will be using the address i NAT to (since they are aware of the overlap)

if so can you please post the config of the NATs , this version is really confusing.

If you need to NAT over the VPN tunnel you don't then need a NAT exemption.

It is one or the other and usually it is a NAT exemption which is probably why you think you need it.

So at the moment you existing NAT rule would NAT 10.1.1.1 to the outside interface, is that what you are saying ?

And you want that to remain for general internet access but for this specific VPN tunnel you want 10.1.1.1 to be translated to 20.2.2.2.

Is that correct ?

Jon

Hi Jon

Thanks again, I think your right, usually I do NAT exempt but thats with VPN's that are not being twice natt'd. 

Ok so its clear only the NAT is needed.

Yes the current NAT is a PAT for all inside interface addresses to the public IP of the outside interface and this is for internet access. However 10.1.1.1 also accesses the net apart from this VPN, and still needs to.

I need the NAT for the VPN only to take affect if 10.1.1.1 is going to 30.1.1.1 (remote end vpn),  if the source / destination differs then the PAT will take affect.

This should work if I place the VPN NAT above the PAT statement ( by sequence number) correct?

You don't need to worry about sequence numbers with pre 8.3 because the NAT is different.

The static policy NAT should take precedence over your PAT rule anyway.

See the above posts for an example of how to do it and what to reference in your crypto map acls.

Jon

Jon, 

I dont think the policy NAT mentioned below is correct:

"access-list policy-nat extended permit ip <realip/mask of siteA> <Mapped IP of remote end(siteB)> 255.255.255.0

static (inside,outside) <Mapped IP of site A>  access-list policy-nat"

Am not trying to NAT the remote end (site b), site B has IP of 30.3.3.3. 

My local IP is 10.1.1.1 , this IP / subnet already exists on site b network, thus I have to NAT my local IP to another IP (20.2.2.2) which is not used on site B network, before its sent out over the VPN tunnel. 

So essentially, site B will always see / talk to the NAT address of (20.2.2.2) and this is the IP that has to be referenced in their crypto acl as the "interesting traffic"

My problem is how to do this NAT, its essentially a twice NAT on my side.

Can you mark Risabeth's answer as correct as well as he supplied the configuration, I just explained it :-)

Is everything clear now ?

Jon

Hi,

Consider siteA and siteB with overlapping IP subnets then your NAT would looks like:

access-list policy-nat extended permit ip <realip/mask of siteA> <Mapped IP of remote end(siteB)> 255.255.255.0

static (inside,outside) <Mapped IP of site A>  access-list policy-nat

Thanks,

R.Seth

edited - just ignore.

Jon

I dont think this NAT is right, you mention:

"access-list policy-nat extended permit ip <realip/mask of siteA> <Mapped IP of remote end(siteB)> 255.255.255.0

static (inside,outside) <Mapped IP of site A>  access-list policy-nat"

Am not trying to NAT the remote end (site b), site B has IP of 30.3.3.3. 

My local IP is 10.1.1.1 , this IP / subnet already exists on site b network, thus I have to NAT my local IP to another IP (20.2.2.2) which is not used on site B network, before its sent out over the VPN tunnel. 

So essentially, site B will always see / talk to the NAT address of (20.2.2.2) and this is the IP that has to be referenced in their crypto acl as the "interesting traffic"

My problem is how to do this NAT, its essentially a twice NAT on my side.

Risabeth

Apologies for the rather blunt post, just having one of those days :-)

Jon

Risabeth's answer is how to do the NAT.

Your crypto map acl should reference 20.2.2.2 and the other end needs to reference that IP as well.

Jon