Tuesday, 12 March 2013

Cisco IOS policy static NAT with IPSec

Imagine that you have a classic IPSec tunnel and you need to NAT the source address of a host in your internal network before its packets are sent through the tunnel (for example because the remote side expects a specific address, or because the two sites use overlapping ranges). On top of that, you also have NAT overload (PAT) from the internal network so that your hosts can reach the Internet. Here is an example of how to configure this on a Cisco IOS router.

  • IP address of the host in your internal network - 192.168.1.2
  • IP address of the host in remote network - 10.10.0.1
  • IP address you need to NAT your internal host to - 172.16.16.1

Define the access list that selects the traffic for policy static NAT (only the internal host talking to the remote host; everything else the host sends is left to the overload rule)
ip access-list extended ipsec_nat
  permit ip host 192.168.1.2 host 10.10.0.1

Define a route map that references this access list
route-map ipsec_nat permit 10
  match ip address ipsec_nat

Enable policy static NAT. Because of the route map, the 192.168.1.2 -> 172.16.16.1 translation is only applied to traffic matching ipsec_nat, not to every packet from the host
ip nat inside source static 192.168.1.2 172.16.16.1 route-map ipsec_nat

Configure the crypto access list for the traffic to be encrypted. Note that it matches the translated address 172.16.16.1, not 192.168.1.2: for packets going from inside to outside, IOS applies NAT before it consults the crypto map, so the crypto ACL sees the post-NAT source. The crypto ACL on the remote peer must be the mirror image (permit ip host 10.10.0.1 host 172.16.16.1); the remote side never sees 192.168.1.2
access-list 151 permit ip host 172.16.16.1 host 10.10.0.1

Configure the access list that exempts the tunnel traffic from NAT overload. The deny line is the important part: if traffic from 192.168.1.2 to 10.10.0.1 were picked up by the overload rule instead, it would be translated to the address of FastEthernet4, fail to match access-list 151, and be forwarded to the Internet in the clear. In a real deployment the permit line would normally cover the whole internal subnet (e.g. permit ip 192.168.1.0 0.0.0.255 any) rather than this single host
ip access-list extended nonat
  deny  ip host 192.168.1.2 host 10.10.0.1
  permit ip host 192.168.1.2 any

Configure a route map that references this list
route-map nonat permit 10
  match ip address nonat

Reconfigure NAT overload to use the route map. If a plain "ip nat inside source list ... interface FastEthernet4 overload" statement already exists, remove it first and clear the existing translations with clear ip nat translation *, otherwise entries already created for 192.168.1.2 keep using the interface address
ip nat inside source route-map nonat interface FastEthernet4 overload

To verify, send traffic from 192.168.1.2 to 10.10.0.1 and check that show ip nat translations shows 192.168.1.2 translated to 172.16.16.1 (and not to the FastEthernet4 address), and that the "pkts encaps" counter in show crypto ipsec sa for the 172.16.16.1 <-> 10.10.0.1 SA increases. Traffic from the same host to the Internet should still appear with the interface address.
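The following Python model is an added example, not part of the original post and not Cisco code. It transcribes the page's three access lists and walks a packet through the inside-to-outside order IOS uses (NAT first, then the crypto ACL) to show why the deny entry in the nonat list matters: with the deny in place the tunnel traffic ends up as 172.16.16.1 and matches access-list 151 no matter which NAT rule the router evaluates first; without it, if the overload rule wins, the packet leaves with the outside interface address and is never encrypted. The outside interface address 198.51.100.2 and the Internet destination 203.0.113.9 are constructed for the example, and the "first matching NAT rule wins" ordering is a modelling assumption, not a claim about IOS internals.

```python
"""Model of the IOS inside-to-outside path for the page's setup: NAT first,
then the crypto ACL. Constructed example; the NAT rule ordering is a
modelling assumption, not a statement about IOS internals."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed address of FastEthernet4, the overload interface (not on the page).
OUTSIDE_IF_ADDR = "198.51.100.2"


@dataclass(frozen=True)
class Ace:
    action: str                        # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ace(action: str, src: str, dst: str) -> Ace:
    return Ace(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))


def acl_permits(acl: Tuple[Ace, ...], src: str, dst: str) -> bool:
    """IOS ACL semantics: first matching entry wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            return entry.action == "permit"
    return False


@dataclass(frozen=True)
class NatRule:
    name: str
    kind: str                          # "static" (policy static NAT) or "overload"
    match_acl: Tuple[Ace, ...]         # ACL referenced by the rule's route map
    local: Optional[str] = None        # static only: inside local address
    global_addr: Optional[str] = None  # static only: inside global address


# The page's access lists, transcribed.
IPSEC_NAT_ACL = (ace("permit", "192.168.1.2/32", "10.10.0.1/32"),)
NONAT_WITH_DENY = (
    ace("deny", "192.168.1.2/32", "10.10.0.1/32"),
    ace("permit", "192.168.1.2/32", "0.0.0.0/0"),
)
# The same list with the deny line left out, to show what the deny buys you.
NONAT_WITHOUT_DENY = (ace("permit", "192.168.1.2/32", "0.0.0.0/0"),)
CRYPTO_ACL_151 = (ace("permit", "172.16.16.1/32", "10.10.0.1/32"),)

STATIC_RULE = NatRule("static ipsec_nat", "static", IPSEC_NAT_ACL,
                      local="192.168.1.2", global_addr="172.16.16.1")


def nat_rules(nonat_acl: Tuple[Ace, ...], overload_first: bool) -> Tuple[NatRule, ...]:
    """Build the two `ip nat inside source` rules in either evaluation order."""
    overload = NatRule("overload nonat", "overload", nonat_acl)
    return (overload, STATIC_RULE) if overload_first else (STATIC_RULE, overload)


def translate(rules: Tuple[NatRule, ...], src: str, dst: str) -> Tuple[str, str]:
    """First NAT rule whose route map matches wins; returns (new source, rule name)."""
    for rule in rules:
        if rule.kind == "static":
            if src == rule.local and acl_permits(rule.match_acl, src, dst):
                return rule.global_addr, rule.name
        elif acl_permits(rule.match_acl, src, dst):
            return OUTSIDE_IF_ADDR, rule.name  # PAT to the outside interface
    return src, "none"


def forward(rules: Tuple[NatRule, ...], src: str, dst: str) -> dict:
    """Inside-to-outside on IOS: NAT is applied before the crypto map is consulted,
    so the crypto ACL is checked against the translated source address."""
    new_src, rule = translate(rules, src, dst)
    return {
        "src": new_src,
        "nat_rule": rule,
        "encrypted": acl_permits(CRYPTO_ACL_151, new_src, dst),
    }


if __name__ == "__main__":
    cases = [
        ("with deny, static evaluated first", NONAT_WITH_DENY, False),
        ("with deny, overload evaluated first", NONAT_WITH_DENY, True),
        ("without deny, overload evaluated first", NONAT_WITHOUT_DENY, True),
    ]
    for label, acl, overload_first in cases:
        r = forward(nat_rules(acl, overload_first), "192.168.1.2", "10.10.0.1")
        print(f"{label:40s} -> src {r['src']:13s} via {r['nat_rule']:18s} encrypted={r['encrypted']}")
    r = forward(nat_rules(NONAT_WITH_DENY, False), "192.168.1.2", "203.0.113.9")
    print(f"{'Internet traffic, with deny':40s} -> src {r['src']:13s} via {r['nat_rule']:18s} encrypted={r['encrypted']}")
```

The third case is the one to remember: a packet that is PATed to the interface address is not wrong from NAT's point of view, it is simply no longer interesting to the crypto map, and the router routes it to the Internet like any other overloaded flow. The deny entry makes the outcome independent of rule precedence, which is why it belongs in the nonat list even on platforms where the static rule would normally win.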
