Apr 15

Suppose we have a network like this:

Interfaces on the routers:
LAN: FastEthernet0/0
WAN-VPN: Serial0/0

Site A: 10.1.1.0/24
Site B: 10.1.2.0/24
PtP Link: xyzk/30

The two sites communicate via an IPsec VPN tunnel. We are not here to cover the configuration of a VPN with IPsec and ISAKMP, but what happens if you also want the hosts to reach the Internet via NAT? Cisco IOS processes the NAT rules before the VPN (crypto map) rules: at layer 3 the source address of the packet is rewritten to the Inside Global Address (xyzk), so the source IP no longer matches the crypto access list that activates the IPsec tunnel. We therefore have to configure IOS so that NAT is denied for traffic going through the VPN link and allowed for the rest. Here is the config:

ip nat inside source list NAT-VPN interface Serial0/0 overload
!
ip access-list extended NAT-VPN
deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
permit ip host 10.1.0.x any
!
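To make the order of operations visible, here is a small simulation of the inside-to-outside path described above (NAT applied first, then the crypto map check). It is an added example, not configuration or code from the original post: the public address 203.0.113.1 stands in for the post's xyzk, the Internet host 198.51.100.5 is constructed, the crypto ACL for Site A is assumed to match 10.1.1.0/24 to 10.1.2.0/24, and the permit entry of the NAT ACL covers the whole LAN 10.1.1.0/24 rather than the single-host placeholder in the post. Note that a deny entry in a NAT access list only means "do not translate"; it never drops the packet.

```python
import ipaddress

# Constructed placeholder (assumption): the Inside Global Address the WAN
# interface overloads to, standing in for the post's "xyzk".
INSIDE_GLOBAL = "203.0.113.1"


def wildcard_match(addr, network, wildcard):
    """Cisco-style wildcard mask: bits set to 1 in the mask are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def acl_lookup(acl, src, dst):
    """Evaluate an extended ACL top-down, first match wins.

    Each entry is (action, src_net, src_wildcard, dst_net, dst_wildcard).
    Like IOS, an unmatched packet hits the implicit deny at the end.
    """
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"


# NAT-VPN access list from the post: exempt site-to-site traffic, translate the rest.
# "deny" here means "do not NAT", not "drop".
NAT_VPN_ACL = [
    ("deny", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255"),
    ("permit", "10.1.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),  # LAN -> any (assumed)
]

# The naive NAT access list without the exemption, for comparison.
NAT_ALL_ACL = [
    ("permit", "10.1.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]

# Crypto ACL ("interesting traffic") on the Site A router (assumed).
CRYPTO_ACL = [
    ("permit", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255"),
]


def forward(src, dst, nat_acl):
    """Model the IOS inside-to-outside order: NAT first, then the crypto map.

    Returns (source address as it leaves Serial0/0, whether IPsec encrypted it).
    """
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = INSIDE_GLOBAL          # PAT overload rewrites the source address
    encrypted = acl_lookup(CRYPTO_ACL, src, dst) == "permit"
    return src, encrypted


if __name__ == "__main__":
    for label, acl in (("without exemption", NAT_ALL_ACL), ("with NAT-VPN", NAT_VPN_ACL)):
        print(label, "site-to-site:", forward("10.1.1.10", "10.1.2.20", acl))
        print(label, "to Internet:  ", forward("10.1.1.10", "198.51.100.5", acl))
```

With the naive list, the packet for Site B leaves the router as 203.0.113.1 and the crypto ACL never sees 10.1.1.10, so it goes out in clear text; with the deny entry in place the source is kept, the crypto ACL matches and the packet is encrypted, while Internet-bound traffic is still translated.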
