Split NATting internet/VPN

Unanswered Question
Feb 26th, 2007

There is an IPsec VPN tunnel between 2 routers. On both sides there are subnets in use, and several are the same. :-(

So there is a need for NATting through the tunnel.

Part of the config:

---
ip nat pool Portugal1 10.35.1.10 10.35.1.254 netmask 255.255.255.0
ip nat pool Portugal2 10.35.2.12 10.35.2.254 netmask 255.255.255.0
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source list 69 pool Portugal1
ip nat inside source list 70 pool Portugal2
ip nat inside source static 172.27.0.2 10.35.2.2
ip nat inside source static 172.27.0.10 10.35.2.10
ip nat inside source static 172.27.0.11 10.35.2.11
ip nat inside source static 10.35.1.1 192.168.0.1
ip nat inside source static 10.35.1.2 192.168.0.2
ip nat inside source static 10.35.1.3 192.168.0.3
ip nat inside source static 10.35.1.4 192.168.0.4
ip nat inside source static 10.35.1.5 192.168.0.5
ip nat inside source static tcp 10.35.3.1 22 213.205.88.132 22 extendable
ip nat inside source static tcp 10.35.3.1 25 213.205.88.132 25 extendable
ip nat inside source static tcp 10.35.3.1 80 213.205.88.132 80 extendable
ip nat inside source static tcp 172.27.0.202 80 213.205.88.132 81 extendable
ip nat inside source static tcp 10.35.3.1 110 213.205.88.132 110 extendable
ip nat inside source static tcp 172.27.0.11 3389 213.205.88.132 3389 extendable
ip nat inside source static tcp 10.35.3.1 10000 213.205.88.132 10000 extendable
!
no logging trap
access-list 2 permit 172.27.0.0 0.0.0.255
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 permit 10.35.3.0 0.0.0.255
access-list 120 permit ip 10.35.3.0 0.0.0.255 192.168.205.0 0.0.0.255
access-list 120 permit ip 10.35.1.0 0.0.0.255 192.168.205.0 0.0.0.255
access-list 120 permit ip 10.35.2.0 0.0.0.255 192.168.205.0 0.0.0.255
---

There are 2 NATtings that conflict:

- ip nat inside source list 2 interface Dialer0 overload

and

- ip nat inside source static 172.27.0.2 10.35.2.2

The configuration should be so that when the server (172.27.0.2) tries to connect to the internet, the 1st natting is used and when the server is speaking to a host through the tunnel, the 2nd natting is used.

How can this be done?

Thanks!

Jon Marshall Mon, 02/26/2007 - 10:54

Hi

You can do this with a route map, e.g.

access-list 101 permit ip host 172.27.0.2 "remote network" "wildcard mask"
access-list 101 deny ip any any

ip nat inside source static 172.27.0.2 10.35.2.2 route-map server-vpn

route-map server-vpn permit 10
 match ip address 101

I've attached the link to a Cisco doc on using route-maps with static NAT translations.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087bac.html

HTH

Jon
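A complete version of the route-map approach for all three statically mapped 172.27.0.x hosts in the posted config, added here as an example and not taken from the original thread. It assumes the remote side of the tunnel is 192.168.205.0/24, because that is the destination in the crypto access-list 120 shown in the question; the ACL number 101 and the route-map name SERVER-VPN are also assumptions.

```cisco
! Added example (not from the original post). Assumes the remote VPN
! network is 192.168.205.0/24, taken from access-list 120 in the question.
!
! Extended ACL: match only traffic from the three statically mapped servers
! towards the remote VPN network. Note the wildcard mask (0.0.0.255),
! not a subnet mask. The ACL is evaluated on the untranslated (inside local)
! addresses, so the real 172.27.0.x addresses go here.
access-list 101 permit ip host 172.27.0.2  192.168.205.0 0.0.0.255
access-list 101 permit ip host 172.27.0.10 192.168.205.0 0.0.0.255
access-list 101 permit ip host 172.27.0.11 192.168.205.0 0.0.0.255
access-list 101 deny   ip any any
!
! Route map that gates the static translations. The name used here must
! match exactly on the "ip nat inside source static" lines below.
route-map SERVER-VPN permit 10
 match ip address 101
!
! Static one-to-one translations, applied only when the route map matches,
! i.e. only for traffic heading into the tunnel. Everything else from these
! hosts falls through to the existing dynamic overload on Dialer0
! (ip nat inside source list 2 interface Dialer0 overload), which is left
! unchanged.
ip nat inside source static 172.27.0.2  10.35.2.2  route-map SERVER-VPN
ip nat inside source static 172.27.0.10 10.35.2.10 route-map SERVER-VPN
ip nat inside source static 172.27.0.11 10.35.2.11 route-map SERVER-VPN
!
! Verification: from 172.27.0.2, open one connection to a host in
! 192.168.205.0/24 and one to an internet host, then confirm the first
! shows up as 10.35.2.2 and the second as the Dialer0 address.
! show ip nat translations | include 172.27.0.2
! show access-lists 101
! show route-map SERVER-VPN
```

The translated source 10.35.2.x is what the crypto access-list 120 sees, so the existing line permitting 10.35.2.0/24 to 192.168.205.0/24 keeps matching the tunnel traffic after this change. One thing worth checking in the posted config: hosts in 172.27.0.0/24 that have no static entry still match the standard access-list 2, and a standard ACL cannot exclude traffic by destination, so such hosts would be overloaded onto the Dialer0 address even when talking to 192.168.205.0/24.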
