I just ran into this. I have a 2610 that is terminating a tunnel between itself and a PIX... but I also have three email servers behind this router that need to be statically NAT'd.
Here is the config that this guy from Cisco (wicked smart) helped me figure out:

hostname Phoenix_Colo
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key *** address 12.x.x.132
!
crypto ipsec transform-set ch2stl esp-3des esp-md5-hmac
!
crypto map nolan 10 ipsec-isakmp
 set peer 12.x.x.132
 set transform-set ch2stl
 match address vpn_tunnel
! Loopback0 has no "ip nat" statement; it is the target of the policy route below
interface Loopback0
 ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0/0
 ip address 209.x.x.6 255.255.255.252
 ip nat outside
 half-duplex
 crypto map nolan
!
interface Ethernet1/0
 ip address 172.16.254.254 255.255.255.0
 ip nat inside
 ip policy route-map static_servers_bypass_NAT
!
ip nat inside source static 172.16.254.34 209.145.140.180
ip nat inside source static 172.16.254.35 209.145.140.181
ip nat inside source static 172.16.254.38 209.145.140.182
!
ip access-list extended vpn_tunnel
 permit ip 172.16.254.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 permit ip 172.16.254.0 0.0.0.255 192.168.0.0 0.0.255.255
! Traffic bound for the tunnel (ACL 120) is policy-routed toward Loopback0,
! so the static NAT entries are not applied before the crypto map sees it
route-map static_servers_bypass_NAT permit 10
 match ip address 120
 set ip next-hop 1.1.1.2
!
Phoenix_Colo#

Reimer, Fred wrote:
> You do need NAT traversal if you "only" change the IP addresses.
>
> Fred Reimer - CCNA
>
> -----Original Message-----
> From: Raj [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 08, 2003 11:14 AM
> To: [EMAIL PROTECTED]
> Subject: IPSEC with STATIC NAT [7:74971]
>
> Hey There
>
> I am working on a solution for IPsec using vpn concentrator and VPN hardware
> clients (PIX). The PIX outside has a public address and the only NAT taking
> place is at the edge router and the vpn concentrator sits behind this
> router. The router does a static public-to-private IP NAT and I don't think I
> would need NAT traversal since it's not changing any ports... only changing
> IPs.
>
> Please let me know if there is anything I would need to do on the edge
> router doing the static NAT. I've heard that for STATIC NAT to work with
> IPSEC, you need to adhere to certain standards.
>
> Thx to everybody in advance.
>
> **Please support GroupStudy by purchasing from the GroupStudy Store:
> http://shop.groupstudy.com
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=75133&t=74971
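Added example, not part of the original thread or of any Cisco code: how IKE NAT detection (the NAT-D payloads of RFC 3947) reacts to a static NAT that rewrites only the IP address and leaves port 500 alone, as in the question quoted above. The addresses and cookies are constructed, and MD5 is used because the posted ISAKMP policy says "hash md5".

```python
import hashlib
import socket
import struct

def nat_d_hash(cky_i, cky_r, ip, port, algo="md5"):
    """NAT-D payload body per RFC 3947 s3.2: HASH(CKY-I | CKY-R | IP | Port)."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()

def build_nat_d(cky_i, cky_r, src, dst):
    """Sender: first payload hashes the remote end, second its own end."""
    return [nat_d_hash(cky_i, cky_r, *dst), nat_d_hash(cky_i, cky_r, *src)]

def detect_nat(cky_i, cky_r, payloads, local, seen_src):
    """Receiver: recompute the hashes from the addresses actually on the wire."""
    return {
        "local_behind_nat": payloads[0] != nat_d_hash(cky_i, cky_r, *local),
        "peer_behind_nat": nat_d_hash(cky_i, cky_r, *seen_src) not in payloads[1:],
    }

def static_nat(endpoint, table):
    """1:1 static NAT: rewrite the IP only, leave the port untouched."""
    ip, port = endpoint
    return (table.get(ip, ip), port)

def run_scenario(nat_table):
    # Constructed values: documentation addresses and made-up IKE cookies.
    cky_i = bytes.fromhex("1122334455667788")
    cky_r = bytes.fromhex("99aabbccddeeff00")
    pix = ("198.51.100.20", 500)               # hardware client, public address
    concentrator_pub = ("203.0.113.10", 500)   # address the PIX dials
    payloads = build_nat_d(cky_i, cky_r, src=pix, dst=concentrator_pub)
    # The edge router translates the destination before the concentrator sees it.
    delivered_to = static_nat(concentrator_pub, nat_table)
    return delivered_to, detect_nat(cky_i, cky_r, payloads, delivered_to, pix)

if __name__ == "__main__":
    print(run_scenario({}))                            # no NAT in the path
    print(run_scenario({"203.0.113.10": "10.0.0.5"}))  # static public-to-private NAT
```

With the static mapping in place the concentrator's own NAT-D hash no longer matches even though the port is still 500, so an RFC 3947 peer treats the path as NATed and moves to UDP 4500 with UDP-encapsulated ESP (RFC 3948).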

