Solved: L2L VTI VPN goes down after NAT

asaditian · ‎11-20-2023

1. ACL on ISP G0/1 permits only 61.1.1.1
2.SA between R1 and R2 is fine and everything works fine, LAN to LAN is reachable.

NOW

I need to access 8.8.8.8, for which I need to nat my LAN ip 192.168.1.1 to 61.1.1.1 and I configure NAT on the R1 and tunnel interface goes down, I know nat is the culprit here but I can't comprehend.

Please help and explain

TiA

NAT Configuration on R1

ip nat inside source static 192.168.1.1 61.1.1.1
!
interface Loopback1
ip address 192.168.1.1 255.255.255.0
ip nat inside

interface GigabitEthernet0/0
ip address 61.1.1.1 255.255.255.0
ip nat outside

Rob Ingram · ‎11-20-2023

@asaditian the tunnel drops because you've created a static NAT, which translated the outside interface IP address to loopback1 interface, which is not configured for the VPN.

You need to create dynamic PAT. Configure an extended ACL, first line will deny traffic from your local LAN network (loopback1?) and the remote VPN networks - this ensures the VPN traffic is not unintentially translated. The next ACE in the ACL permits which traffic to translate, traffic from local LAN network to any. Then create the NAT rule which references the ACL list and overloads traffic behind Gi0/0.

View solution in original post

Rob Ingram · ‎11-20-2023

@asaditian the tunnel drops because you've created a static NAT, which translated the outside interface IP address to loopback1 interface, which is not configured for the VPN.

You need to create dynamic PAT. Configure an extended ACL, first line will deny traffic from your local LAN network (loopback1?) and the remote VPN networks - this ensures the VPN traffic is not unintentially translated. The next ACE in the ACL permits which traffic to translate, traffic from local LAN network to any. Then create the NAT rule which references the ACL list and overloads traffic behind Gi0/0.

asaditian · ‎11-21-2023

Thanks Rob, figured this as well. following is the edited NAT config and output

Thanks again.