Tuesday, June 29, 2021

IPsec and NAT on the same interface?

So I'm trying to do sort of a split tunneling idea here on a Cisco 1811.

Basically I have a wireless access point off a switch port of an 1811 router.

The outside interface with a public IP has a site-to-site VPN back to our core using GRE over IPsec.

I applied a NAT config with the internal SVI on the router as the inside and the public interface as outside.

The IPsec interesting-traffic ACL shouldn't apply to my WAP traffic as it's on a completely different subnet, and the interesting-traffic ACL applied to the NAT config should pick it up.

Well, it didn't work.

After looking up Cisco's documentation on IOS order of operations I could see why it wouldn't work, as NAT is clear down at 14 in priority. But the IPsec ACL shouldn't apply to my WAP traffic, so it should work, right?

https://etherealmind.com/cisco-ios-order-of-operation/?doing_wp_cron=1625010167.1254999637603759765625

Anyways, when I remove the IPsec crypto map, NAT works, leaving me with only the conclusion that NAT and IPsec can't be applied to the same interface.

Or maybe I'm doing something wrong?
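As an added example (not the poster's configuration), this is the usual IOS pattern for carrying both a GRE-over-IPsec crypto map and NAT overload on the same outside interface. The NAT ACL deliberately excludes LAN-to-core traffic and is scoped to the LAN subnet rather than "any", because IOS applies inside-to-outside NAT before the crypto map check, so anything the NAT ACL matches is translated before it is ever evaluated for the tunnel. Addresses, interface names, peer IPs and the IKE parameters are assumed.

```cisco
! Added example, not the poster's configuration. Assumed values:
! 192.168.10.0/24 = WAP subnet on Vlan1, 10.0.0.0/8 = core networks behind the
! tunnel, 203.0.113.2 = this 1811's public IP (FastEthernet0),
! 198.51.100.1 = core VPN peer. IKE settings are abbreviated; use what your release supports.
!
! Interesting traffic for IPsec is only the GRE tunnel between the two public IPs.
access-list 101 permit gre host 203.0.113.2 host 198.51.100.1
!
! NAT ACL: exclude LAN-to-core traffic (it rides the tunnel untranslated), then
! translate the WAP subnet for everything else. Keep it scoped to the LAN, not
! "permit ip any any", so it only ever matches LAN hosts.
access-list 100 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
crypto isakmp key <PRESHARED-KEY-PLACEHOLDER> address 198.51.100.1
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode transport
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address 101
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source FastEthernet0
 tunnel destination 198.51.100.1
!
! The same physical interface carries both the crypto map and ip nat outside.
interface FastEthernet0
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 crypto map VPN
!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 100 interface FastEthernet0 overload
ip route 10.0.0.0 255.0.0.0 Tunnel0
!
! Checks: translations should appear for WAP hosts, and the IPsec SA counters
! should increment only for GRE between the two peers.
! show ip nat translations
! show ip nat statistics
! show crypto ipsec sa
```

If translations never appear while the crypto map is attached, compare the NAT ACL hits (show access-lists) against the crypto ACL hits to see which one is claiming the WAP traffic.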


