08-31-2020 02:56 AM
Hello all
For remote support possibility by a service provider we need to have a Site to Site IPSec Tunnel to them, as this is the only VPN type they offer.
This tunnel is working so far.
Now the problem:
Because I can't change the network configuration of the devices in the target network (not configure routes or a default gateway on them), the only solution is to use NAT.
This is working fine with a L2TP IPSec "dialin" type of VPN as there I have an interface Virtual-Template1 which I can configure as nat inside.
The target network interface Vlan1 is configured as nat outside.
Then a:
ip nat inside source list ACL-NAT interface Vlan1 overload
With this I have communication to the devices in the target network working perfectly fine if connected through the L2TP IPSec VPN.
But with the Site to Site IPSec tunnel there is no interface which I can set as nat inside.
Is there any way to use NAT in combination with a Site to Site IPSec tunnel?
Thank you in advance.
Kind regards
Michael
08-31-2020 08:34 AM - edited 08-31-2020 08:38 AM
Hi,
Unlike with the L2TP IPSec VPN, with the Site to Site IPSec Tunnel I do not get any extra (virtual or tunnel) interface.
It's about the order of operation: NAT is performed after IPSec decryption. That means that when the IPSec-encapsulated packet arrives on your WAN interface (e.g. GigabitEthernet8), it is first decrypted (source: 192.168.80.x, destination: 10.20.60.x). Then NAT is performed (source: 192.168.80.x -> [overload NAT] 10.20.60.12; destination: 10.20.60.x).
Vice versa, when the return packet arrives on the LAN interface, NAT is performed before IPSec encryption, which means the packet (source: 10.20.60.x, destination: 10.20.60.12) is translated to (source: 10.20.60.x, destination: 192.168.80.x). According to the routing table, it should exit out the WAN interface (Gig8). IPSec encryption is then performed if (source: 10.20.60.x, destination: 192.168.80.x) hits the crypto map condition.
So, if it's well configured, it should work as expected.
Your configuration looks good to me except for the interface Gig8.
interface GigabitEthernet8
 ip address x.x.x.x 255.255.255.248
 ip access-group ACLWAN in
 duplex auto
 speed auto
 no cdp enable
 crypto map CRYP_MAP
 ip nat inside
Do you have 'ip nat inside' configured on Gig8?
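The order of operations described in this answer, as an added worked example that is not part of the thread and is not Cisco code: a small Python model of the router that decrypts, then applies inside-source NAT, then routes on the way in, and un-translates, routes and then checks the crypto map on the way back. The topology is constructed from the thread (Gig8 carries the tunnel, Vlan1 is the target network); the /24 masks, the Vlan1 address 10.20.60.12 used as the overload address, and the host addresses are assumptions. Running it with and without 'ip nat inside' on Gig8 shows why the devices in the target network can only reply when the translation happens.

```python
"""Toy model of the IOS order of operations for NAT + site-to-site IPsec.
Constructed example; addresses, masks and port numbers are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VLAN1_ADDR = "10.20.60.12"                  # assumed Vlan1 address = overload address
REMOTE_NET = ip_network("192.168.80.0/24")  # service provider side (mask assumed)
TARGET_NET = ip_network("10.20.60.0/24")    # devices without a gateway (mask assumed)

ACL_NAT = [REMOTE_NET]                      # sources matched by 'ip nat inside source list ACL-NAT'
CRYPTO_ACL = [(TARGET_NET, REMOTE_NET)]     # (src, dst) pairs the crypto map treats as interesting


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int = 0          # translated source port of a request / destination port of its reply
    encrypted: bool = False


class Router:
    def __init__(self, gig8_nat_inside: bool):
        # 'ip nat inside' on Gig8 is the setting the answer asks about; Vlan1 is 'ip nat outside'
        self.nat_role = {"GigabitEthernet8": "inside" if gig8_nat_inside else None,
                         "Vlan1": "outside"}
        self.xlate = {}            # (overload address, port) -> original source: the PAT table
        self.next_port = 1024

    def route(self, dst: str) -> str:
        return "Vlan1" if ip_address(dst) in TARGET_NET else "GigabitEthernet8"

    def inbound_from_tunnel(self, pkt: Packet):
        """IPsec packet arriving on Gig8: decrypt, route, then inside-source NAT."""
        pkt = Packet(pkt.src, pkt.dst, pkt.port, encrypted=False)     # step 1: decrypt
        out = self.route(pkt.dst)                                     # step 2: routing lookup
        # step 3: inside-source NAT only fires for traffic going inside -> outside
        if (self.nat_role["GigabitEthernet8"] == "inside" and self.nat_role[out] == "outside"
                and any(ip_address(pkt.src) in n for n in ACL_NAT)):
            port = self.next_port
            self.next_port += 1
            self.xlate[(VLAN1_ADDR, port)] = pkt.src
            return Packet(VLAN1_ADDR, pkt.dst, port), out
        return pkt, out

    def return_from_lan(self, pkt: Packet):
        """Reply arriving on Vlan1 (outside): un-translate, route, then crypto map check."""
        orig = self.xlate.get((pkt.dst, pkt.port))
        if orig is not None:                                          # step 1: NAT (outside -> inside)
            pkt = Packet(pkt.src, orig, pkt.port)
        out = self.route(pkt.dst)                                     # step 2: routing lookup
        hit = any(ip_address(pkt.src) in s and ip_address(pkt.dst) in d for s, d in CRYPTO_ACL)
        # step 3: the crypto map on the egress interface encrypts traffic that hits its ACL
        encrypted = out == "GigabitEthernet8" and hit
        return Packet(pkt.src, pkt.dst, pkt.port, encrypted=encrypted), out


def device_can_reply(dst: str) -> bool:
    """The target devices only know their connected subnet and have no default gateway."""
    return ip_address(dst) in TARGET_NET


def simulate(gig8_nat_inside: bool) -> dict:
    """Push one request and its reply through the router and report what the device sees."""
    r = Router(gig8_nat_inside)
    req = Packet("192.168.80.5", "10.20.60.30", 22, encrypted=True)   # constructed request
    seen, out_if = r.inbound_from_tunnel(req)
    result = {"device_sees_src": seen.src, "delivered_on": out_if,
              "device_can_reply": device_can_reply(seen.src)}
    if result["device_can_reply"]:
        reply = Packet(seen.dst, seen.src, seen.port)                  # device answers the NAT address
        back, back_if = r.return_from_lan(reply)
        result.update(reply_dst=back.dst, reply_out=back_if, reply_encrypted=back.encrypted)
    return result


if __name__ == "__main__":
    print("with ip nat inside on Gig8:   ", simulate(True))
    print("without ip nat inside on Gig8:", simulate(False))
```

With 'ip nat inside' on Gig8 the device sees the request from 10.20.60.12, answers on its own subnet, and the reply is un-translated to 192.168.80.x, routed to Gig8 and matched by the crypto map; without it the decrypted packet reaches the device with its original 192.168.80.x source, which the device has no route for.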
08-31-2020 03:09 AM
Hi,
This VPN is on an IOS router? You can NAT overload behind the interface the VPN is established on.