NAT Issue, not routing internet traffic

Unanswered Question
Apr 3rd, 2008

I am connecting a Cisco 2801 router running 12.4(3c) to an ASA5520 running 7.2(1) over a DSL connection. I am setting up an IPsec tunnel between the two. All traffic I have set up to route over the tunnel is working just fine, but for the life of me, I cannot get my hosts behind the router to NAT to the outside interface and go out to the internet. It's like all traffic wants to route through the tunnel. Below is how I have my config on the router set up:

crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ******** address [<external firewall ip address>]
!
!
crypto ipsec transform-set L2L esp-3des esp-md5-hmac
!
crypto map whiteplains 100 ipsec-isakmp
 set peer [<external firewall ip address>]
 set transform-set L2L
 match address 140
!
!
!
!
interface FastEthernet0/0
 description Outside Interface
 ip address 194.50.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map whiteplains
!
interface FastEthernet0/1
 no ip address
 ip accounting output-packets
 ip accounting access-violations
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet0/1.100
 description Whiteplains NY Data VLAN
 encapsulation dot1Q 100
 ip address 10.200.7.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface FastEthernet0/1.200
 description Whiteplains NY Voice VLAN
 encapsulation dot1Q 200
 ip address 10.145.66.1 255.255.255.0
 no snmp trap link-status
!
interface Serial0/1/0
 no ip address
 shutdown
!
interface Serial0/2/0
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 194.50.x.x
!
!
ip nat inside source list 130 interface FastEthernet0/0 overload
!
access-list 130 deny ip 10.145.66.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 172.29.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 host 206.90.20.128 log
access-list 130 permit ip 10.200.7.0 0.0.0.255 any log
access-list 140 permit ip 10.200.7.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 140 permit ip 10.145.66.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 140 permit ip 10.200.7.0 0.0.0.255 172.29.1.0 0.0.0.255 log
access-list 140 permit ip 10.200.7.0 0.0.0.255 host 206.90.20.128 log

This is the first time I am terminating a router to the firewall. Up to this point all my connections have been firewall to firewall and I have not run into this issue before. Any assistance would be greatly appreciated. I did try using a route-map and that didn't work for me either.

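The NAT source list (130) and the crypto map's interesting-traffic list (140) from the question can be cross-checked mechanically. The Python below is an added example, not code from the thread: it parses both numbered ACLs (wildcard, host and any forms), evaluates them top-down with the implicit deny the way IOS does, reports any tunnel flow the NAT ACL would still translate before encryption, and shows how a given flow is treated. The ACL text is copied from the question; the internet destination 203.0.113.5 used in the check is a constructed documentation address.

```python
import ipaddress
# Constructed sample copied from the question's router config: ACL 130 is the NAT
# source list, ACL 140 is the crypto map's "match address" (interesting traffic).
CONFIG = """
access-list 130 deny ip 10.145.66.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 172.29.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 host 206.90.20.128 log
access-list 130 permit ip 10.200.7.0 0.0.0.255 any log
access-list 140 permit ip 10.200.7.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 140 permit ip 10.145.66.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 140 permit ip 10.200.7.0 0.0.0.255 172.29.1.0 0.0.0.255 log
access-list 140 permit ip 10.200.7.0 0.0.0.255 host 206.90.20.128 log
"""

def _addr(tokens, i):
    """Parse one IOS address spec (any | host A | A WILDCARD); wildcard must be contiguous."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    prefixlen = 32 - bin(int(ipaddress.IPv4Address(tokens[i + 1]))).count("1")
    return ipaddress.ip_network(f"{tokens[i]}/{prefixlen}", strict=False), i + 2

def parse_acl(config, number):
    """Return the ordered (action, src, dst) entries of numbered 'ip' ACL `number`."""
    entries = []
    for t in (line.split() for line in config.splitlines()):
        if len(t) > 4 and t[:2] == ["access-list", str(number)] and t[3] == "ip":
            src, i = _addr(t, 4)
            entries.append((t[2], src, _addr(t, i)[0]))
    return entries

def first_match(entries, src, dst):
    """IOS evaluates entries top-down; an unmatched flow hits the implicit deny."""
    for action, s, d in entries:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"

def nat_leaks(nat_entries, crypto_entries):
    """Tunnel flows the NAT ACL would translate before encryption (so they never match)."""
    return [(str(s), str(d)) for a, s, d in crypto_entries
            if a == "permit" and first_match(nat_entries, s, d) == "permit"]

def classify(config, src, dst):
    """Is the flow NATed (permit) or exempt (deny), and is it selected for the tunnel?"""
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    return {"nat": first_match(parse_acl(config, 130), src, dst),
            "tunnel": first_match(parse_acl(config, 140), src, dst)}
```

For the posted lists the check finds no overlap: tunnel flows are exempted from NAT and a flow from the data VLAN to an internet host is translated and not selected for the tunnel, so the ACLs themselves do not explain the symptom and the remaining suspects are elsewhere in the path (routing, the peer's policy, or the translation not being applied).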
stogyman_ Fri, 04/04/2008 - 13:34

If I am already telling it to overload to the outside interface, why would I need to set up a nat pool?

Justin Brenton Fri, 04/04/2008 - 13:50

Sorry, didn't notice the overload, but you would need a NAT pool.

3. Configure NAT Pool

This will be a pool of legal public IPs that is bought by the organisation. This could be anything from one to many IP addresses.

WANRouter(config)# ip nat pool WANPOOL 100.100.100.10 100.100.100.10 netmask 255.255.255.0

http://www.itsyourip.com/cisco/how-to-configure-nat-in-cisco-ios-nat-overload/

Hope this helps, pls rate.

Justin
