There is one tricky issue of IPSEC L2L Tunnel and Static NAT on cisco Router, even the one with IOS v15 (not sure why Cisco can not fix it out of box): if you have site2site vpn and one side running a static NAT mapping to internal host (such as web server). It should just work if the internal web server is accessed via public natted IP address from Internet but the natting router will do tricky thing of the return traffic if it is accessed via private IP through tunnel as router doesnot know where should the return traffic to be sent, to tunnel or just external interface as of the static NAT.
NOTE: There are no “special” configuration of RouterA and IPSEC L2L tunnel. Like the diagram shows, host 192.168.5.10 behind RouterB is running a surveillance camera page which can be accessed on port 80. We would need employee to access the surveillance camera via private IP directly or through VPN tunnel while in office and via public IP while out of office.
Create ACL to match the NAT traffic:
RouterB(config)# ip access-list ext nat-traffic-acl deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
RouterB(config)# ip access-list ext nat-traffic-acl permit ip 192.168.5.0 0.0.0.255 any
Create route-map for dynamic/overloaded NAT:
RouterB(config)# route-map NAT_TRAFFIC permit 1
RouterB(config-route-map)# match ip address nat-traffic-acl
Create dynamic and static NAT:
RouterB(config)# ip nat inside source route-map NAT_TRAFFIC interface GigabitEthernet0/0 overload
RouterB(config)# ip nat inside source static tcp 192.168.5.10 80 184.108.40.206 8000 route-map NO-STATIC-NAT extendable
NOTE: You can not map port 80 for translation if http is enabled on router for management.
Create ACL for traffic should NOT be NATed:
RouterB(config)# ip access-list ext no-static-nat-acl deny ip host 192.168.5.10 192.168.1.0 0.0.0.255
RouterB(config)# ip access-list ext no-static-nat-acl permit ip 192.168.5.0 0.0.0.255 any
Create route-map to by-pass the static nat:
RouterB(config)# route-map NO-STATIC-NAT permit 1
RouterB(config-route-map)# match ip address no-static-nat-acl
So the surveillance camera page can be accessed via “http://192.168.5.10” internally OR “http:220.127.116.11:8000” externally.