Split NATting internet/VPN

johanhofmans
Level 1

There is an IPSecVPN tunnel between 2 routers. On both sides there are subnets in use, and several are the same. :-(

So there is a need for NATting through the tunnel.

Part of the config:

---

! Dynamic PAT to the Internet for the three local subnets in access-list 2
ip nat inside source list 2 interface Dialer0 overload
!
! Pools and one-to-one translations used towards the tunnel
ip nat pool Portugal1 10.35.1.10 10.35.1.254 netmask 255.255.255.0
ip nat pool Portugal2 10.35.2.12 10.35.2.254 netmask 255.255.255.0
ip nat inside source list 69 pool Portugal1
ip nat inside source list 70 pool Portugal2
ip nat inside source static 172.27.0.2 10.35.2.2
ip nat inside source static 172.27.0.10 10.35.2.10
ip nat inside source static 172.27.0.11 10.35.2.11
ip nat inside source static 10.35.1.1 192.168.0.1
ip nat inside source static 10.35.1.2 192.168.0.2
ip nat inside source static 10.35.1.3 192.168.0.3
ip nat inside source static 10.35.1.4 192.168.0.4
ip nat inside source static 10.35.1.5 192.168.0.5
!
! Port forwards from the public address
ip nat inside source static tcp 10.35.3.1 22 213.205.88.132 22 extendable
ip nat inside source static tcp 10.35.3.1 25 213.205.88.132 25 extendable
ip nat inside source static tcp 10.35.3.1 80 213.205.88.132 80 extendable
ip nat inside source static tcp 172.27.0.202 80 213.205.88.132 81 extendable
ip nat inside source static tcp 10.35.3.1 110 213.205.88.132 110 extendable
ip nat inside source static tcp 172.27.0.11 3389 213.205.88.132 3389 extendable
ip nat inside source static tcp 10.35.3.1 10000 213.205.88.132 10000 extendable
!
no logging trap
!
! Sources eligible for the Dialer0 overload
access-list 2 permit 172.27.0.0 0.0.0.255
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 permit 10.35.3.0 0.0.0.255
!
! Crypto ACL: traffic to be sent through the IPsec tunnel (post-NAT addresses)
access-list 120 permit ip 10.35.3.0 0.0.0.255 192.168.205.0 0.0.0.255
access-list 120 permit ip 10.35.1.0 0.0.0.255 192.168.205.0 0.0.0.255
access-list 120 permit ip 10.35.2.0 0.0.0.255 192.168.205.0 0.0.0.255

---

There are 2 NATtings that conflict:

- ip nat inside source list 2 interface Dialer0 overload

and

- ip nat inside source static 172.27.0.2 10.35.2.2

The configuration should be so that when the server (172.27.0.2) tries to connect to the internet, the 1st natting is used and when the server is speaking to a host through the tunnel, the 2nd natting is used.

How can this be done?

Thanks!

1 Reply

Jon Marshall
Hall of Fame

Hi

You can do this with a route map, e.g.

access-list 101 permit ip host 172.27.0.2 "remote network" "subnet mask"
access-list 101 deny ip any any

ip nat inside source static 172.27.0.2 10.35.2.2 route-map server-vpn

route-map server-vpn
 match ip address 101

I've attached the link to a Cisco doc on using route-maps with static NAT translations.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087bac.html

HTH

Jon
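Jon's recipe filled in with the addresses already present in the thread, as an added example that is not the poster's running config or Jon's own text: 192.168.205.0/24 is taken from access-list 120 as the remote VPN subnet, and the ACL number and route-map name are assumptions chosen here. It also shows why the existing overload rule and crypto ACL need no change.

```cisco
! Added example, not from the original post. Remote LAN 192.168.205.0/24 is
! taken from the thread's access-list 120; ACL 101 / route-map name are assumed.
!
! Extended ACL: match only server traffic bound for the far side of the tunnel.
! Extended ACLs use a wildcard mask (0.0.0.255), not a subnet mask.
access-list 101 permit ip host 172.27.0.2 192.168.205.0 0.0.0.255
access-list 101 deny ip any any
!
route-map server-vpn permit 10
 match ip address 101
!
! The one-to-one translation now applies only when the route-map matches,
! i.e. only to packets from 172.27.0.2 destined for 192.168.205.0/24.
ip nat inside source static 172.27.0.2 10.35.2.2 route-map server-vpn
!
! Internet-bound traffic from the server no longer matches the static entry,
! so it falls through to the existing overload rule (unchanged) and leaves
! via Dialer0 with the public address.
ip nat inside source list 2 interface Dialer0 overload
!
! IOS applies inside-to-outside NAT before the crypto check, so the crypto ACL
! must match the translated source. The thread's access-list 120 already does:
access-list 120 permit ip 10.35.2.0 0.0.0.255 192.168.205.0 0.0.0.255
```

After applying it, `show ip nat translations` should list 172.27.0.2 as 10.35.2.2 only for flows to 192.168.205.x, while flows to other destinations appear as port-overloaded entries on the Dialer0 address.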
