04-03-2008 09:06 PM - edited 03-05-2019 10:11 PM
I am connecting a cisco 2801 router running 12.4(3c) to an ASA5520 running 7.2(1) over a dsl connection. I am setting up an ipsec tunnel between the two. All traffic I have set up to route over the tunnel is working just fine, but for the life of me, I cannot get my hosts behind the router to nat to the outside interface and go out the internet. It's like all traffic wants to route through the tunnel. Below is how I have my config on the router set up:
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ******** address [<external firewall ip address>]
!
!
crypto ipsec transform-set L2L esp-3des esp-md5-hmac
!
crypto map whiteplains 100 ipsec-isakmp
set peer [<external firewall ip address>]
set transform-set L2L
match address 140
!
!
!
!
interface FastEthernet0/0
description Outside Interface
ip address 194.50.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map whiteplains
!
interface FastEthernet0/1
no ip address
ip accounting output-packets
ip accounting access-violations
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet0/1.100
description Whiteplains NY Data VLAN
encapsulation dot1Q 100
ip address 10.200.7.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet0/1.200
description Whiteplains NY Voice VLAN
encapsulation dot1Q 200
ip address 10.145.66.1 255.255.255.0
no snmp trap link-status
!
interface Serial0/1/0
no ip address
shutdown
!
interface Serial0/2/0
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 194.50.x.x
!
!
ip nat inside source list 130 interface FastEthernet0/0 overload
!
access-list 130 deny ip 10.145.66.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 172.29.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 host 206.90.20.128 log
access-list 130 permit ip 10.200.7.0 0.0.0.255 any log
access-list 140 permit ip 10.200.7.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 140 permit ip 10.145.66.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 140 permit ip 10.200.7.0 0.0.0.255 172.29.1.0 0.0.0.255 log
access-list 140 permit ip 10.200.7.0 0.0.0.255 host 206.90.20.128 log
This is the first time I am terminating a router to the firewall. Up to this point all my connections have been firewall to firewall and I have not run into this issue before. Any assistance would be greatly appreciated. I did try using a route-map and that didn't work for me either.
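An added consistency check, not part of the thread, for the pattern in the config above: the deny lines of NAT access-list 130 have to cover every flow that crypto access-list 140 permits, otherwise traffic meant for the tunnel is translated to the outside address first and never matches the crypto map. The script parses both ACLs (text copied from the post) and reports any crypto flow the NAT ACL would still translate.

```python
import ipaddress
# Constructed sample: the two ACLs from the router config quoted in the post above.
NAT_ACL_130 = """
access-list 130 deny ip 10.145.66.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 172.29.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 host 206.90.20.128 log
access-list 130 permit ip 10.200.7.0 0.0.0.255 any log
"""
CRYPTO_ACL_140 = """
access-list 140 permit ip 10.200.7.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 140 permit ip 10.145.66.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 140 permit ip 10.200.7.0 0.0.0.255 172.29.1.0 0.0.0.255 log
access-list 140 permit ip 10.200.7.0 0.0.0.255 host 206.90.20.128 log
"""

def parse_addr(tokens):
    """Consume one IOS address spec (any / host A / A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acl(text):
    """Return [(action, src_network, dst_network)] in configured order; 'log' is ignored."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src, rest = parse_addr(tok[4:])
        dst, _ = parse_addr(rest)
        entries.append((tok[2], src, dst))
    return entries

def first_match(acl, src, dst):
    """Action of the first ACE covering the flow; None means the implicit deny at the end."""
    for action, s, d in acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return None

def nat_exemption_gaps(nat_text, crypto_text):
    """Tunnel flows (crypto ACL permits) that the NAT ACL would still translate."""
    nat = parse_acl(nat_text)
    return [(str(s), str(d)) for a, s, d in parse_acl(crypto_text)
            if a == "permit" and first_match(nat, s, d) == "permit"]
```

For the ACLs as posted the check returns an empty list, so the NAT exemption itself is not what sends internet traffic into the tunnel; dropping the deny lines from list 130 makes the three 10.200.7.0/24 tunnel flows show up as gaps.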
04-04-2008 08:38 AM
Looks like you're missing your NAT IP address pool.
Example:
ip nat pool no-overload 172.16.10.1 172.16.10.63 prefix 24
!
!--- Defines a NAT pool named no-overload with a range of addresses
!--- 172.16.10.1 - 172.16.10.63.
Configuring NAT
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
HTH, Please rate if so.
Cheers,
Justin
04-04-2008 01:34 PM
If I am already telling it to overload to the outside interface, why would I need to set up a nat pool?
04-04-2008 01:50 PM
Sorry, didn't notice the overload, but you would need a NAT pool.
3. Configure NAT Pool
This will be a pool of legal public IPs that is bought by the organisation. This could be anything from one to many IP addresses.
WANRouter(config)# ip nat pool WANPOOL 100.100.100.10 100.100.100.10 netmask 255.255.255.0
http://www.itsyourip.com/cisco/how-to-configure-nat-in-cisco-ios-nat-overload/
Hope this helps, pls rate.
Justin