Sections

Personal tools

You are here: Home → Networking → Cisco → IOS → Static Network Address Translation (NAT) in the context of a 'crypto map' based IPSec tunnel

Recent Changes: Intel Xeon-D x552/x557 10baseT fails to negiotiate a 10Gb link Aug 20, 2023; Images Aug 11, 2023; X10SDV-8C-TLN4F Aug 11, 2023; CPU Requirement for Rocky Linux v9 (And Redhat Enterprise Linux v9) Feb 24, 2023; Rocky Linux Feb 23, 2023; Images Jul 19, 2022; Rocky Jul 19, 2022; All recent changes…

Navigation

Recent Changes: Intel Xeon-D x552/x557 10baseT fails to negiotiate a 10Gb link Aug 20, 2023; Images Aug 11, 2023; X10SDV-8C-TLN4F Aug 11, 2023; CPU Requirement for Rocky Linux v9 (And Redhat Enterprise Linux v9) Feb 24, 2023; Rocky Linux Feb 23, 2023; Images Jul 19, 2022; Rocky Jul 19, 2022; Runtime tweak of US-16-XG switch trunk for ESXi Apr 12, 2019; Ubiquiti US-16-XG 10GbE switch command line Apr 10, 2019; Flash Intel iSCSI NIC firmware Mar 04, 2019; Add a static route to a Netonix WS-6-MINI switch Nov 17, 2018; Install and configure Dovecot on CentOS 6 as an IMAP server Sep 06, 2018; All recent changes…

Static Network Address Translation (NAT) in the context of a 'crypto map' based IPSec tunnel

How to overcome static NAT entries acting on traffic for IPSec tunnels

When using 'crypto map' based IPSec tunnels, static NAT entries (pinholes) are applied to IPSec tunnel traffic. Most often this is return traffic to the IPSec tunnel.

I found two possible workarounds for this issue:

use a virtual tunnel interface
apply a route-map to the static NAT rule

Using tunnel interfaces has several advantages, however I had difficultly getting them to interoperate with OpenSwan.

Applying a route-map to the static NAT entries is straightforward, with the exception that the format with an interface, rather than an IP address is not supported (IOS 12.4.18 on a 800 platform). Thus this workaround will only work if you have a static address on the outside interface (Dialer 1 in my example)

Procedure

Create an access-list. This should be exactly the same as the main NAT access list. Note: I have named it in the positive, in that the access list describes those addresses which the static NAT entries are to be translated.
Create a route map that matches based on the access list.
Use the 'route-map static-nat' modifier on the static nat entries.

ip access-list extended static-nat
  ! Do not NAT ipsec traffic 
  deny ip 192.168.0.0 0.0.0.255 10.10.0.0 0.0.255.255
  !
  ! NAT all other traffic
  permit ip 192.168.0.0 0.0.0.255 any
exit

route-map static-nat
  match ip address static-nat
exit

! ip nat inside source static tcp 192.168.0.1 25 Dialer 1 25 route-map static-nat reversible
ip nat inside source static tcp 192.168.0.1 25 xx.xx.xx.xx 25 route-map static-nat reversible

where

'xx.xx.xx.xx' is the external IP address
192.168.0.0/24 is the internal private network
10.10.0.0./16 is the network at the far end of the IPSec tunnel
192.168.0.1 is the example address for the port 25 pinhole

Note: As described above, the form with an interface (commented out in the example above) is not supported on the 800 platform with IOS 12.4.18.

Sections

Personal tools

Static Network Address Translation (NAT) in the context of a 'crypto map' based IPSec tunnel

Procedure

Links

Document Actions