11-11-2020 12:09 PM
Hi Folks, I need to configure a VPN tunnel from my CSR in such a way that I will have to PAT all interesting traffic to the outside interface IP. So let's say my Interesting Traffic ACL is src: my-local-subnet to dest: some-hosts-on-the-cust-side. I will then have to PAT it. Command is -
ip nat inside source list INTERESTING-TRAFFIC-ACL interface gig1 overload extended
This is due to the customer requirement to only allow 1 IP in the interesting ACL on their side and not get into overlapping subnet problems. Now the thing that is puzzling me is that the interesting traffic ACL is not matching on both ends. How will the tunnel come up?
Thoughts?
11-11-2020 12:14 PM
The crypto ACL that defines the interesting traffic will need to have the NAT IP address defined instead of the real IP address.
HTH
11-11-2020 12:22 PM
Thanks. So in that case I will need 2 ACLs, one for the crypto and the other with real src-subnets that will be referred to in the NAT statement? In other words -
CRYPTO-ACL: src: outside-intf-ip, dst: cust-hosts -----> Interesting Traffic ACL, will be matched/reversed on the Cust side.
OTHER-ACL: src: local-subnet, dst: cust-hosts ----> Will be used in the NAT statement as above.
11-11-2020 12:29 PM
If you are natting behind the outside interface you don't need another nat rule, the nat rule in your first post would achieve the desired result. You'd just need the crypto ACL to reference the source as the outside interface ip address rather than the real IP address.
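Putting the two answers together as a complete IOS-XE configuration, as an added example that is not from any poster in this thread: the NAT ACL carries the real local subnet, the crypto ACL carries the post-NAT source (the outside interface IP), and the customer mirrors the crypto ACL. All addresses, interface names and the peer are constructed placeholders, and the IKE policy, pre-shared key and transform set are assumed to exist already.

```cisco
! Constructed addresses (RFC 5737 documentation ranges):
!   local subnet    10.1.1.0/24     behind the CSR on GigabitEthernet2
!   customer hosts  192.0.2.10, 192.0.2.11
!   CSR outside IP  203.0.113.2     on GigabitEthernet1
!   customer peer   198.51.100.1

! NAT ACL: real sources, customer destinations only, so that only the
! VPN-bound flows are PATed and any other outbound traffic is untouched.
ip access-list extended NAT-TO-CUST
 permit ip 10.1.1.0 0.0.0.255 host 192.0.2.10
 permit ip 10.1.1.0 0.0.0.255 host 192.0.2.11

! PAT everything matching NAT-TO-CUST to the outside interface address.
ip nat inside source list NAT-TO-CUST interface GigabitEthernet1 overload

! Crypto ACL: the source is the post-NAT address, because on IOS the
! inside-to-outside translation happens before the crypto map is evaluated.
! The customer's mirror image is: src 192.0.2.x -> dst host 203.0.113.2.
ip access-list extended CRYPTO-TO-CUST
 permit ip host 203.0.113.2 host 192.0.2.10
 permit ip host 203.0.113.2 host 192.0.2.11

! Transform set TS-CUST and the IKE policy / key for the peer are assumed.
crypto map CUST-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-CUST
 match address CRYPTO-TO-CUST

interface GigabitEthernet1
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 crypto map CUST-MAP

interface GigabitEthernet2
 ip address 10.1.1.1 255.255.255.0
 ip nat inside

! Verification after sending traffic from 10.1.1.0/24 to 192.0.2.10:
!   show ip nat translations          (a 10.1.1.x -> 203.0.113.2 entry appears)
!   show crypto ipsec sa peer 198.51.100.1   (encaps/decaps counters increment)
```

If the CSR also has a broader PAT rule for general Internet access, keep its ACL from overlapping the customer destinations, otherwise the flow may be translated by the wrong rule and never match CRYPTO-TO-CUST.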