Question : vpn requirement from a partner

Hi there,
I have a Cisco router that I am using to connect IPsec tunnels with different partners. Note that I am not using NAT. There is just a public IP and a private WAN IP on the router. It's working fine with other IPsec peers.

There is now a requirement from a partner who is using a VPN concentrator at their end. They are saying that if we are to VPN with them, we need to NAT all our VPN clients (or interesting traffic); NAT it to our public IP and then send it across. In other words, they are suggesting that NATting is a must at our end.
From my understanding, even if NATting is to be used, we exempt from being NATted those hosts that want to use the VPN. Since NAT will kick in before the crypto map statement on the outside interface does, my host in the LAN won't be able to reach the other end. I just tested this scenario in my emulator GNS3, where the only way I was able to get the selected hosts (in my interesting traffic ACL) to use the VPN was to deny them from being NATted.

But the requirement given here by the partner is totally opposite, i.e. to NAT all VPN traffic (or interesting traffic) that is to be sent through to their private network. I don't quite understand this. Is this something to do with the VPN concentrator? Can you please explain! Thanks!

Answer : vpn requirement from a partner

No one does NATting with their eyes closed; there must be a purpose why they have asked you to NAT. The only possible reason is that your LAN range is colliding with their existing one. So they want you to NAT so that the IP ranges won't clash.

FYI, it's not mandatory to use NAT at your end; they can also NAT and throw traffic at your end, in which case you won't be required to do anything.

This NAT should not be confused with your second point. Of course you have to deny them in the global NAT, as usual, but then you also have to add your existing hosts that require access to the VPN to a NAT before the IPsec tunnel is established, and you define your VPN ACL with the NATted IPs.

E.g. if your LAN machines in the 192.168.1.x/24 range need access, first deny them in the global NAT, then put static maps to 172.16.1.x addresses, and then define your VPN ACL with the 172.16.1.x IP range.

So the VPN concentrator would see the traffic coming from the 172.16.1.x range and not your actual 192.168.1.x range.
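As an added example (not part of the question or the answer above), here is how the three steps in the answer look in Cisco IOS syntax. All addresses, interface names, the partner network 10.10.10.0/24 and the peer 198.51.100.1 are assumptions, and the route-map restriction on the static entries is an addition so the translated hosts keep their normal Internet NAT for non-partner traffic.

```cisco
! Constructed example: hosts 192.168.1.10-.11 appear to the partner as
! 172.16.1.10-.11. Addresses, interface names and the partner network
! 10.10.10.0/24 are assumptions; the pre-shared key is a placeholder.
interface GigabitEthernet0/0
 description LAN (192.168.1.0/24)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description WAN, public IP 203.0.113.10
 ip address 203.0.113.10 255.255.255.252
 ip nat outside
 crypto map PARTNER-MAP
!
! 1) Global Internet NAT: deny partner-bound traffic so the overload
!    rule never translates it to the public IP.
ip access-list extended NAT-INTERNET
 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-INTERNET interface GigabitEthernet0/1 overload
!
! 2) Static one-to-one maps to 172.16.1.x, limited by a route-map to
!    partner-bound traffic so the hosts keep their normal Internet NAT.
ip access-list extended TO-PARTNER
 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
route-map PARTNER-NAT permit 10
 match ip address TO-PARTNER
ip nat inside source static 192.168.1.10 172.16.1.10 route-map PARTNER-NAT
ip nat inside source static 192.168.1.11 172.16.1.11 route-map PARTNER-NAT
!
! 3) Crypto ACL uses the translated addresses: on the outbound path NAT
!    runs before the crypto map, so the proxy identity the partner sees
!    (and configures on the concentrator) is 172.16.1.0/24 -> 10.10.10.0/24.
ip access-list extended VPN-PARTNER
 permit ip 172.16.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.1
crypto ipsec transform-set PARTNER-TS esp-aes 256 esp-sha256-hmac
crypto map PARTNER-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set PARTNER-TS
 match address VPN-PARTNER
```

After applying this, `show ip nat translations` should show the 192.168.1.x to 172.16.1.x entries only for partner-bound flows, and `show crypto ipsec sa` should list 172.16.1.0/24 as the local identity of the SA, which is the range the partner must configure as your remote network.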