It is a neat trick. Here's the config on CCO: pad http://www.cisco.com/warp/public/707/static.html
See also the Networkers 2000 presentation 2402 for an explanation.

> -----Original Message-----
> From: bk [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 09, 2003 6:26 PM
> To: [EMAIL PROTECTED]
> Subject: Re: IPSEC with STATIC NAT [7:74971]
>
> I just ran into this. I have a 2610 that is terminating a tunnel
> between itself and a pix... but I also have three email servers behind
> this router that need to be statically nat'd.
>
> Here is the config that this guy from cisco (wicked smart) helped me
> figure out:
>
> hostname Phoenix_Colo
> crypto isakmp policy 10
>  hash md5
>  authentication pre-share
> crypto isakmp key *** address 12.x.x.132
> !
> crypto ipsec transform-set ch2stl esp-3des esp-md5-hmac
> !
> crypto map nolan 10 ipsec-isakmp
>  set peer 12.x.x.132
>  set transform-set ch2stl
>  match address vpn_tunnel
>
> interface Loopback0
>  ip address 1.1.1.1 255.255.255.252
> !
> interface Ethernet0/0
>  ip address 209.x.x.6 255.255.255.252
>  ip nat outside
>  half-duplex
>  crypto map nolan
> !
> interface Ethernet1/0
>  ip address 172.16.254.254 255.255.255.0
>  ip nat inside
>  ip policy route-map static_servers_bypass_NAT
>
> !
> ip nat inside source static 172.16.254.34 209.145.140.180
> ip nat inside source static 172.16.254.35 209.145.140.181
> ip nat inside source static 172.16.254.38 209.145.140.182
> !
> ip access-list extended vpn_tunnel
>  permit ip 172.16.254.0 0.0.0.255 192.168.0.0 0.0.255.255
> access-list 120 permit ip 172.16.254.0 0.0.0.255 192.168.0.0 0.0.255.255
> !
> route-map static_servers_bypass_NAT permit 10
>  match ip address 120
>  set ip next-hop 1.1.1.2
> !
>
> Phoenix_Colo#
>
> Reimer, Fred wrote:
> > You do need NAT traversal if you "only" change the IP addresses.
> >
> > Fred Reimer - CCNA
> >
> > Eclipsys Corporation, 200 Ashford Center North, Atlanta, GA 30338
> > Phone: 404-847-5177 Cell: 770-490-3071 Pager: 888-260-2050
> >
> > -----Original Message-----
> > From: Raj [mailto:[EMAIL PROTECTED]
> > Sent: Monday, September 08, 2003 11:14 AM
> > To: [EMAIL PROTECTED]
> > Subject: IPSEC with STATIC NAT [7:74971]
> >
> > Hey There
> >
> > I am working on a solution for IPsec using vpn concentrator and VPN
> > hardware clients (PIX). The PIX outside has a public address and the
> > only NAT taking place is at the edge router and the vpn concentrator
> > sits behind this router. The router does a static public-to-private IP
> > nat and I don't think I would need NAT traversal since it's not
> > changing any ports..only changing IP's.
> >
> > Please let me know if there is anything I would need to do on the edge
> > router doing the static NAT. I've heard that for STATIC nat to work
> > with IPSEC, you need to adhere to certain standards.
> >
> > Thx to everybody in advance.

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=75144&t=74971
--------------------------------------------------
**Please support GroupStudy by purchasing from the GroupStudy Store:
http://shop.groupstudy.com
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
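
Added example (not part of the original thread or of Cisco's document): a small Python model of why the quoted config policy-routes tunnel traffic to Loopback0. It assumes the simplified inside-to-outside order of policy routing, then NAT, then the crypto map check; the addresses and ACL come from the quoted config, while forward, acl_permits and wildcard_match are hypothetical helper names.

```python
import ipaddress

# Values copied from the quoted config; the processing model is a simplification.
STATIC_NAT = {
    "172.16.254.34": "209.145.140.180",
    "172.16.254.35": "209.145.140.181",
    "172.16.254.38": "209.145.140.182",
}
# (network, wildcard) for source then destination: vpn_tunnel and ACL 120 are identical
VPN_ACL = (("172.16.254.0", "0.0.0.255"), ("192.168.0.0", "0.0.255.255"))


def wildcard_match(addr, net, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a | w) == (n | w)


def acl_permits(src, dst, acl=VPN_ACL):
    (snet, swc), (dnet, dwc) = acl
    return wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc)


def forward(src, dst, policy_route=True):
    """Follow one packet arriving on Ethernet1/0 (ip nat inside).

    Returns (source address seen by the crypto map, encrypted?).
    """
    nat_inside = True
    if policy_route and acl_permits(src, dst):
        # The route-map sends it to 1.1.1.2 via Loopback0; it is then routed
        # again from an interface without 'ip nat inside', so NAT is skipped.
        nat_inside = False
    if nat_inside:
        src = STATIC_NAT.get(src, src)   # static translation precedes crypto
    return src, acl_permits(src, dst)    # crypto map 'match address vpn_tunnel'
```

Without the route-map, a statically translated server's traffic to 192.168.0.0/16 no longer matches vpn_tunnel and is not encrypted. With it, the server keeps its private source for tunnel traffic while its Internet-bound traffic is still translated.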