I am having some trouble with NAT on an 1811 router. I have an EasyVPN setup which works fine except that I cannot connect to any hosts that have a static NAT mapping. I can however connect to any hosts that do not have static NAT mapping. I have done a tcpdump on these connections and it appears that If I ping, or try to establish any other type of connection to the internal IP address of the Static NAT host, the client receives a response from the external IP Address of that host instead of the internal IP Address.
This actually seems to be the intended behavior. The dynamic NAT statement has an ACL set up on it that restricts INTERNAL<->INTERNAL traffic from being subject to NAT. This ACL is configured to restrict any 172.16/12 to 172.16/12 traffic from NAT. However, that ACL is not applied to the static NAT mappings, and thus all packets, even if they are destined for an Easy VPN user. This works fine, however, for users at remote sites, as they are connected with a DMVPN and packets are simply routed across the multipoint GRE tunnel.
I have found a sample configuration to resolve this issue on the Cisco site: http://www.cisco.com/warp/public/707/static.html#topic2 I have started to configure the router with this setup for a Static NAT host; however, I noticed that when I apply the route-map to the Static NAT statement, regardless of the ACL, all Internal->External traffic does not have the Static NAT mapping applied to it; rather, the dynamic NAT mapping is used instead. The mapping still works for External->Internal traffic, and all Internet users can access the services on that host. Here is a quick sample configuration with an ACL that should, in theory, according to the sample, allow the Static NAT mapping to be applied to all traffic.
! Static one-to-one mapping, gated by route-map "nonat"
ip nat inside source static 172.17.11.203 xx.xx.247.228 route-map nonat
! ACL referenced by the route-map (a permit match means "translate")
access-list 150 permit ip any any
route-map nonat permit 10
 match ip address 150
While this would fix the initial problem of being able to access Static NAT hosts from the Easy VPN connection, and Internet users can access them as well, it causes Internal->External connections to have a different source IP address as viewed from the Internet. This can cause problems, for example, if this is a mail server. Users on the VPN and the Internet can send and receive email; however, any SMTP connections to the outside world originating from the internal mail server would have an IP address that no longer matches what other mail servers think it should have due to a reverse lookup, and this causes some spam filters to reject the mail.
I am considering switching over the configuration to use an NVI to solve some other NAT-related problems I'm running into; specifically, users on any subnet that is defined as a "nat inside" network cannot access any statically NATed hosts by the external IP address of those hosts. This comes into play when building up a wireless guest network. I want to restrict access to all internal hosts and provide a view of the Internet the same as anyone outside our physical building would see it. However, I would still like to permit them to access all of our external services, i.e. mail, web, etc. The way I am getting around this at the moment is to permit access with an ACL; however, it becomes cumbersome to have to keep track of what services are running on what machine, as well as serving up an internal DNS view so that IP addresses of the machines resolve properly. Would switching to using NVI help allow access to the static NAT hosts from a VPN connection? My impression is no, as per the documentation I found on the web, because route-maps are not supported with NVIs.
What would be the appropriate way to solve these problems? How do I go about allowing access to hosts that have Static NAT translations to VPN users?
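As an added illustration of the route-map-gated static NAT pattern the question refers to (this is not from the original post or from the linked Cisco page), the following IOS fragment writes the ACL so that traffic from the static NAT host toward the Easy VPN client pool is denied (left untranslated) while everything else from that host still matches the static mapping. The VPN client pool 10.99.0.0/24 and the ACL/route-map names are assumed placeholders; the host and public addresses are the ones from the question.

```cisco
! Assumed Easy VPN client address pool (placeholder, adjust to your pool)
ip local pool EZVPN-POOL 10.99.0.1 10.99.0.254

! ACL 151: deny = do NOT translate, permit = translate.
! First line exempts traffic from the static host to VPN clients,
! second line keeps the static mapping for all other destinations
! (including outbound SMTP, so the public source address is preserved).
access-list 151 deny   ip host 172.17.11.203 10.99.0.0 0.0.0.255
access-list 151 permit ip host 172.17.11.203 any

! Route-map evaluated by the static translation
route-map STATIC-NAT permit 10
 match ip address 151

! Static one-to-one mapping, now conditioned on the route-map
ip nat inside source static 172.17.11.203 xx.xx.247.228 route-map STATIC-NAT
```

To check which rule a flow actually hit, run the translation from the static host and inspect the table: `show ip nat translations | include 172.17.11.203` should show the xx.xx.247.228 entry for an Internet-bound flow and no entry at all for a flow toward 10.99.0.0/24; `show route-map STATIC-NAT` reports the match count, and `show access-lists 151` shows which ACL line is being hit. Because the original post reports that a route-map on the static statement led to the dynamic NAT rule being used for inside-to-outside traffic, confirm with those commands rather than assuming the static entry is in use.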