Cisco Router IOS Policy-based NAT for VPN traffic

I thought I would blog on this. It could be useful for someone who might have an IOS router instead of an ASA and need to create a IPSEC Site-to-Site VPN to a remote peer, then NAT VPN traffic to a different address or subnet if needed, or the local subnets conflict with each other.

Here is a nice little Visio to kind of show what I am going for with the traffic:


Because of duplicate subnets on both sides, I need to nat traffic going to from, otherwise traffic should flow normally. How can I achieve conditional nat? By using a route-map and then natting only the traffic in the Route-map. So, lets get our VPN setup first. Remember, we add the NAT network or host IP to our interesting traffic ACL that will be used to define our Phase2

These are my commands:

ip access-list extended VPN-to-Remote
 permit ip host host

crypto isakmp policy 50
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp key … address no-xauth

crypto ipsec transform-set Transform esp-3des esp-sha-hmac

crypto map Crypto 6 ipsec-isakmp
 set peer
 set transform-set Transform
 match address VPN-to-Remote

That pretty much gets the VPN up and going. Now for the interesting part – we need to create a new ACL, match my private address and the destination address of the remote server, then match that ACL in my Route-map.

ip access-list extended Nat-for-VPN
 permit ip host host

route-map VPN-to-REMOTE permit 10
 match ip address Nat-for-VPN

Great! So, we now have the route-map created.. so now what? We need to create a NAT statement that references my Route-Map. Then of course with any VPN we need to modify the “NO-NAT” ACL to include the traffic for both the, and the to my remote destination.

ip nat inside source static route-map VPN-to-HCN extendable

ip access-list extended NO-NAT
 deny   ip host host
 deny   ip host host

Now, if we try to access the remote side, does it work? Yes it does, but lets check to see if our nat is really working. It is! As you can see, going to is being natted into, but all other traffic gets natted out of the WAN interface.


Lets just check for translations of


Bingo, everything works great. Lets make sure that we are getting hits on our Route-Map.



2 responses to “Cisco Router IOS Policy-based NAT for VPN traffic

  1. Ed Inigo April 29, 2016 at 6:19 pm

    Where is the NO-NAT acl applied

    • cjcott01 April 29, 2016 at 6:23 pm

      Hey Ed, thanks for the comment.

      Let me look over and see exactly where in this example. For the most part it will be in your Route-map (you would have deny statements for your internal-remote traffic) or you would deny the traffic in your nat ACL.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: