NAT VPN Traffic Between Two Remote Sites

AlexEM
Level 1

Hello Everyone 

I'm trying to get a setup working in an environment where my Cisco C8200 router (which is running IOS XE 17.12 Dublin) sits between two remote sites acting as a VPN hub. See the attachment where I show the scenario in detail (real IP addresses hidden).

We have a customer who wants to access the partner's LAN network. The partner only peers in accordance with my company's regulations.

However, our end customer already has a route to one of their HQs within the same subnet that our partner does, as in this case it would cause a conflict if the Customer's traffic tried to reach our Partner LAN.

We are trying to perform NAT between these two remote ends, where for example we want to translate the partner's addresses from 10.1.1.0/24 to 10.2.2.0/24 and send that subnet to Customer1.

But in a lab, we can't get this bidirectional NAT traffic working. Can anyone enlighten me?

Currently we have access to neither the Partner router nor the Customer1 firewall.

See configuration below:

 PARTNER ==> MYROUTER

ip access-list extended POLICY_S2S_MYROUTER
10 permit ip 10.1.1.0 0.0.0.255 172.16.0.0 0.0.0.255


crypto ikev2 proposal MYROUTER
encryption aes-cbc-128
integrity sha256
group 5

crypto ikev2 policy POL-MYROUTER
proposal MYROUTER

crypto ikev2 keyring PSK_MYROUTER
peer VPN_MYROUTER
address 2.2.2.2
pre-shared-key partner123

crypto ikev2 profile SA_PHASE1_MYROUTER
match identity remote address 2.2.2.2 255.255.255.255
identity local address 1.1.1.1
authentication remote pre-share
authentication local pre-share
keyring local PSK_MYROUTER
lifetime 28800
!
!
!
crypto ipsec transform-set PHASE2_IPSEC_MYROUTER esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto map MAP_VPN 10 ipsec-isakmp
description MAP_VPN_S2S_MYROUTER
set peer 2.2.2.2
set transform-set PHASE2_IPSEC_MYROUTER
set ikev2-profile SA_PHASE1_MYROUTER
match address POLICY_S2S_MYROUTER
!
!
interface G0/0
crypto map MAP_VPN

 

MYROUTER ==> PARTNER

ip access-list extended POLICY_S2S_PARTNER
10 permit ip 172.16.0.0 0.0.0.255 10.1.1.0 0.0.0.255


crypto ikev2 proposal PARTNER
encryption aes-cbc-128
integrity sha256
group 5

crypto ikev2 policy POL-PARTNER
proposal PARTNER

crypto ikev2 keyring PSK_PARTNER
peer VPN_PARTNER
address 1.1.1.1
pre-shared-key partner123

crypto ikev2 profile SA_PHASE1_PARTNER
match identity remote address 1.1.1.1 255.255.255.255
identity local address 2.2.2.2
authentication remote pre-share
authentication local pre-share
keyring local PSK_PARTNER
lifetime 28800
!
!
!
crypto ipsec transform-set PHASE2_IPSEC_PARTNER esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto map MAP_VPN 10 ipsec-isakmp
description MAP_VPN_S2S_PARTNER
set peer 1.1.1.1
set transform-set PHASE2_IPSEC_PARTNER
set ikev2-profile SA_PHASE1_PARTNER
match address POLICY_S2S_PARTNER
!
!
interface G0/0
crypto map MAP_VPN

MYROUTER ==> CUSTOMER 1

ip access-list extended POLICY_S2S_CUSTOMER1
10 permit ip 10.2.2.0 0.0.0.255 172.16.0.0 0.0.0.255


crypto ikev2 proposal CUSTOMER1
encryption aes-cbc-128
integrity sha256
group 5

crypto ikev2 policy POL-CUSTOMER1
proposal CUSTOMER1

crypto ikev2 keyring PSK_CUSTOMER1
peer VPN_CUSTOMER1
address 3.3.3.3
pre-shared-key customer123

crypto ikev2 profile SA_PHASE1_CUSTOMER1
match identity remote address 3.3.3.3 255.255.255.255
identity local address 2.2.2.2
authentication remote pre-share
authentication local pre-share
keyring local PSK_CUSTOMER1
lifetime 28800
!
!
!
crypto ipsec transform-set PHASE2_IPSEC_CUSTOMER1 esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto map MAP_VPN 20 ipsec-isakmp
description MAP_VPN_S2S_CUSTOMER1
set peer 3.3.3.3
set transform-set PHASE2_IPSEC_CUSTOMER1
set ikev2-profile SA_PHASE1_CUSTOMER1
match address POLICY_S2S_CUSTOMER1
!
!

NAT RULE CREATED ON MYROUTER | ATTEMPT TO NAT THE PARTNER TRAFFIC TO CUSTOMER1 IN A 1:1 NAT

!
interface Loopback0
ip address 10.2.2.2 255.255.255.255
ip nat outside

!

ip nat inside source static 10.1.1.2 10.2.2.2
ip nat inside source static 10.1.1.3 10.2.2.3

.......

With this configuration, only the CUSTOMER => MYROUTER => PARTNER traffic can be NATed, but the "inside" traffic from PARTNER doesn't go through the process.

I understand that in order for the NAT to be performed, a policy needs to be matched on both inside and outside, but I was unable to figure out a way to NAT PARTNER => MYROUTER => CUSTOMER in both directions.

PS: MYROUTER only has one Internet uplink with a public IPv4 facing internet.

 CUSTOMER 1  ==> MYROUTER

ip access-list extended POLICY_S2S_MYROUTER
10 permit ip 172.16.0.0 0.0.0.255 10.2.2.0 0.0.0.255


crypto ikev2 proposal MYROUTER
encryption aes-cbc-128
integrity sha256
group 5

crypto ikev2 policy POL-MYROUTER
proposal MYROUTER

crypto ikev2 keyring PSK_MYROUTER
peer VPN_MYROUTER
address 2.2.2.2
pre-shared-key customer123

crypto ikev2 profile SA_PHASE1_MYROUTER
match identity remote address 2.2.2.2 255.255.255.255
identity local address 3.3.3.3
authentication remote pre-share
authentication local pre-share
keyring local PSK_MYROUTER
lifetime 28800
!
!
!
crypto ipsec transform-set PHASE2_IPSEC_MYROUTER esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto map MAP_VPN 10 ipsec-isakmp
description MAP_VPN_S2S_MYROUTER
set peer 2.2.2.2
set transform-set PHASE2_IPSEC_MYROUTER
set ikev2-profile SA_PHASE1_MYROUTER
match address POLICY_S2S_MYROUTER
!
!
interface G0/0
crypto map MAP_VPN

Best Regards
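The poster's two crypto ACLs and static NAT entries can be checked on paper before touching the router: a packet must match the inbound tunnel's crypto ACL after decryption, be translated by a static entry, and then match the outbound tunnel's crypto ACL with its translated addresses. The following is an added model of that walk-through (not the poster's configuration, and not Cisco code); the host addresses 172.16.0.10 and 10.1.1.50 are constructed for the example.

```python
import ipaddress

# Constructed from the post: crypto ACLs as (hub-side network, remote network) on MYROUTER.
CRYPTO_ACLS = {
    "POLICY_S2S_PARTNER": ("172.16.0.0/24", "10.1.1.0/24"),
    "POLICY_S2S_CUSTOMER1": ("10.2.2.0/24", "172.16.0.0/24"),
}
# The "ip nat inside source static <inside local> <inside global>" entries from the post.
STATIC_NAT = {"10.1.1.2": "10.2.2.2", "10.1.1.3": "10.2.2.3"}
REVERSE_NAT = {glob: loc for loc, glob in STATIC_NAT.items()}


def acl_matches(name, src, dst, inbound):
    """Crypto ACL check: outbound packets must match local -> remote, while a
    decrypted inbound packet is checked against the mirror image (remote -> local)."""
    local, remote = (ipaddress.ip_network(n) for n in CRYPTO_ACLS[name])
    if inbound:
        local, remote = remote, local
    return ipaddress.ip_address(src) in local and ipaddress.ip_address(dst) in remote


def trace(src, dst, partner_to_customer):
    """Walk one packet through decrypt -> static NAT -> encrypt on the hub and
    return each stage with a pass/fail verdict, so the failing step is visible."""
    stages = []
    in_acl, out_acl = "POLICY_S2S_PARTNER", "POLICY_S2S_CUSTOMER1"
    if not partner_to_customer:
        in_acl, out_acl = out_acl, in_acl
    stages.append(("decrypt:" + in_acl, acl_matches(in_acl, src, dst, inbound=True)))
    if partner_to_customer:  # inside -> outside: the partner source is translated
        nat_src, nat_dst = STATIC_NAT.get(src), dst
        stages.append(("nat-source", nat_src is not None))
    else:  # outside -> inside: the translated destination is mapped back
        nat_src, nat_dst = src, REVERSE_NAT.get(dst)
        stages.append(("nat-destination", nat_dst is not None))
    if nat_src is None or nat_dst is None:  # no static entry: packet keeps its addresses
        nat_src, nat_dst = src, dst
    stages.append(("encrypt:" + out_acl, acl_matches(out_acl, nat_src, nat_dst, inbound=False)))
    return stages


def flow_works(src, dst, partner_to_customer):
    """True only if every stage of the trace passes."""
    return all(ok for _, ok in trace(src, dst, partner_to_customer))


if __name__ == "__main__":
    for args in (("10.1.1.2", "172.16.0.10", True), ("172.16.0.10", "10.2.2.2", False),
                 ("10.1.1.50", "172.16.0.10", True)):  # last host has no static entry
        print(args, trace(*args))
```

A partner host without a static entry fails twice: it is not translated, and its untranslated 10.1.1.x source then does not match POLICY_S2S_CUSTOMER1, which is the kind of mismatch this check surfaces before debugging the router itself.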



Hello @MHM Cisco World 

Partner cannot perform NAT; our "zone" is only the green one, and neither can the customer.

The challenge belongs to us, the green area where the IPsec in and out is performed.

Kind Regards

Diagram.png