Tek-Tips is the largest IT community on the Internet today!

IPSec NAT Bypass with Static NAT


candersoncc (IS-IT--Management), Jun 14, 2008
Site A Has a Cisco PIX with Dynamic NAT and a single external IP.

Site B has a Cisco 1811 with 2 Static 1:1 NAT entries, and the rest of the internal hosts on a dynamic NAT sharing an IP.

There is an IPSEC tunnel between the 2 sites which works, except when trying to access hosts that have static NAT mappings at Site B from Site A.

I am pretty sure what is happening is that traffic returning from site B hits the router, and does NOT bypass NAT due to the static entries. For the hosts on dynamic NAT, the following entry (In IOS, Site B) allows them to bypass NAT for IPSEC, matching access list 175 deny statements:

ip nat inside source list 175 interface FastEthernet0 overload

What is the best way to allow bypass of the static NAT entries for IPSEC as well?

I tried this, but it didn't work (with the NAT pool containing all the external IPs):

ip nat source list 175 pool EXTERNAL_IPS

Has anyone else had to do this?

I'll post parts of my config if needed. Any assistance would be appreciated.
 
I was able to find a solution after scouring Cisco's website for awhile.

For anyone interested, it goes something like this...

I added an exclusion for the 2 IPs that are being static NATed to the access list that controls dynamic NAT (I probably should have done that anyway).

I then added a route-map to the end of the static NAT command, and set up a route map that pointed to an access list which denied the ranges I didn't want to NAT:

ip nat inside source static 10.100.1.229 x.x.x.a route-map nonat1 extendable
ip nat inside source static 10.100.1.204 x.x.x.b route-map nonat2 extendable

route-map nonat1 permit 10
match ip address 176

route-map nonat2 permit 10
match ip address 177

Apparently NAT entries are read top-down and follow first match (but are overridden by subsequent matches).
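The thread quotes only the static NAT lines and the route-map names. The fragment below is an added example (not the poster's configuration) that shows the complete set of pieces the solution depends on: the dynamic NAT ACL excluding both the site-to-site traffic and the two static hosts, the per-host ACLs behind each route-map, the conditional static NAT entries, and a crypto ACL that describes the same untranslated addresses. The Site A LAN (10.200.0.0/24), the Site B LAN (10.100.1.0/24), ACL numbers 150/176/177, the crypto map and transform-set names, and x.x.x.a/b are all constructed or placeholder values; only the two inside hosts and the route-map names come from the thread.

```cisco
! Added example, not the original poster's config.
! Assumed values: Site A LAN 10.200.0.0/24, Site B LAN 10.100.1.0/24,
! placeholders x.x.x.a and x.x.x.b for Site B's public addresses.
!
! Dynamic NAT ACL (list 175): deny = leave untranslated, permit = translate.
! VPN-bound traffic and the two statically NATed hosts must be denied here,
! otherwise the overload rule can still claim them.
access-list 175 deny   ip 10.100.1.0 0.0.0.255 10.200.0.0 0.0.0.255
access-list 175 deny   ip host 10.100.1.229 any
access-list 175 deny   ip host 10.100.1.204 any
access-list 175 permit ip 10.100.1.0 0.0.0.255 any
ip nat inside source list 175 interface FastEthernet0 overload
!
! Per-host ACLs used by the route-maps: translate the host only when the
! destination is NOT Site A. A deny in the matched ACL makes the route-map
! fail, and a static entry with a route-map translates only on a permit.
access-list 176 deny   ip host 10.100.1.229 10.200.0.0 0.0.0.255
access-list 176 permit ip host 10.100.1.229 any
access-list 177 deny   ip host 10.100.1.204 10.200.0.0 0.0.0.255
access-list 177 permit ip host 10.100.1.204 any
!
route-map nonat1 permit 10
 match ip address 176
route-map nonat2 permit 10
 match ip address 177
!
! Conditional static NAT (the lines from the thread).
ip nat inside source static 10.100.1.229 x.x.x.a route-map nonat1 extendable
ip nat inside source static 10.100.1.204 x.x.x.b route-map nonat2 extendable
!
! The crypto ACL must match the untranslated addresses; if it were written
! against x.x.x.a the tunnel would never see the traffic.
access-list 150 permit ip 10.100.1.0 0.0.0.255 10.200.0.0 0.0.0.255
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 150
```

After changing NAT rules, clear the existing table with `clear ip nat translation *`, because translations already cached for 10.100.1.229 or 10.100.1.204 keep using the old (unconditional) entry until they age out. `show ip nat translations` should then show no entry for traffic between the two LANs, and `show route-map nonat1` reports whether the map is being matched. The peer address 203.0.113.1 is a documentation-range placeholder for Site A's public IP, and the transform set TS is assumed to be defined elsewhere in the config.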
 