Thursday, June 20, 2013

Cisco Router: How To 'NAT' Site-To-Site VPN Traffic On A Cisco IOS Router

I got an email from a fellow IT guy inquiring about NAT'ing VPN traffic on a Cisco router.  He referenced a post that I had back in 2011, but I realized that post was for an ASA after we started talking.  So, I thought I should post how you would do this on a Cisco router.  Thanks J for asking me to do this.  I should have done this sooner.  Here is the configuration side for the router with notes to explain what is going on in the config below.  Also, just note that on ACLs, I tend to use numbers.  Use what you like.  Also, name your route-map what you like as well.  It makes no difference.

Phase I config:
crypto isakmp policy 10
 encryption aes
 hash md5
 authentication pre-share
 group 2

Set your peer and VPN pre-shared key.  Use 'no-xauth' so that the site-to-site VPN doesnt have to 'login':
crypto isakmp key PASSKEY address no-xauth
crypto isakmp keepalive 20 3 periodic

Phase II config.  Transform-set is called 'to_remote':
crypto ipsec transform-set to_remote esp-aes 256 esp-sha-hmac

Configure the NAT.  Source address range of and destinations of and 76.0:
access-list 133 permit ip
access-list 133 permit ip

Create a route-map called 'static-vpn' and match traffic to ACL 133:
route-map static-vpn
  match ip address 133

Create a NAT-POOL for the public IP address (or range) you want to use to NAT to.  In this case, Im NAT'ing to
ip nat pool NAT-POOL netmask

Create a NAT rule to use the route-map 'static-vpn'.  Upon a match to ACL 133, NAT that traffic to one of the NAT-POOL addresses (
ip nat inside source route-map static-vpn pool NAT-POOL Overload

Once you have configured the NAT you need to modify the interesting traffic.  You need your 'interesting traffic'  ACL 121 to look like this below. is the IP address you are NAT'ing to:
access-list 121 permit ip host
access-list 121 permit ip host

Define your VPN peer, apply phase II and matching ACL for interesting traffic:
crypto map to_clearwinds 5 ipsec-isakmp
 set peer
 set transform-set to_remote
 match address 121
 qos pre-classify

Apply the crypto map to the public interface and tell the public interface that its part in NAT is on the public side:
interface GigabitEthernet0/0
 ip address 12.X.X.186
 ip nat outside
crypto map to_remote

Tell the inside interface that its part in NAT is the internal side:
interface GigabitEthernet0/1
 ip address
 ip nat inside

1 comment:

  1. Hi, thank you for your article, it is very understandable
    I have a similar scenario, but with two nat
    ip nat pool NAT-VPN netmask
    ip nat inside source list ACL-NAT-VPN-VPN NAT overload pool
    ip nat inside source list FastEthernet4 interface NAT overload

    This is possible ?


Your comment will be reviewed for approval. Thank you for submitting your comments.