04-03-2008 09:06 PM - edited 03-05-2019 10:11 PM
I am connecting a Cisco 2801 router running 12.4(3c) to an ASA5520 running 7.2(1) over a DSL connection. I am setting up an IPsec tunnel between the two. All traffic I have set up to route over the tunnel is working just fine, but for the life of me, I cannot get my hosts behind the router to NAT to the outside interface and go out to the internet. It's like all traffic wants to route through the tunnel. Below is how I have my config on the router set up:
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ******** address [<external firewall ip address>]
!
!
crypto ipsec transform-set L2L esp-3des esp-md5-hmac
!
crypto map whiteplains 100 ipsec-isakmp
set peer [<external firewall ip address>]
set transform-set L2L
match address 140
!
!
!
!
interface FastEthernet0/0
description Outside Interface
ip address 194.50.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map whiteplains
!
interface FastEthernet0/1
no ip address
ip accounting output-packets
ip accounting access-violations
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet0/1.100
description Whiteplains NY Data VLAN
encapsulation dot1Q 100
ip address 10.200.7.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet0/1.200
description Whiteplains NY Voice VLAN
encapsulation dot1Q 200
ip address 10.145.66.1 255.255.255.0
no snmp trap link-status
!
interface Serial0/1/0
no ip address
shutdown
!
interface Serial0/2/0
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 194.50.x.x
!
!
ip nat inside source list 130 interface FastEthernet0/0 overload
!
access-list 130 deny ip 10.145.66.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 172.29.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 host 206.90.20.128 log
access-list 130 permit ip 10.200.7.0 0.0.0.255 any log
access-list 140 permit ip 10.200.7.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 140 permit ip 10.145.66.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 140 permit ip 10.200.7.0 0.0.0.255 172.29.1.0 0.0.0.255 log
access-list 140 permit ip 10.200.7.0 0.0.0.255 host 206.90.20.128 log
This is the first time I am terminating a router to the firewall. Up to this point all my connections have been firewall to firewall and I have not run into this issue before. Any assistance would be greatly appreciated. I did try using a route-map and that didn't work for me either.
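As an added check (my own script, not something posted in this thread), the following walks the two access lists above the way IOS handles an inside-to-outside packet: NAT list 130 is evaluated first, and crypto list 140 is then matched against the post-NAT source. It looks only at the lists, so it does not account for FastEthernet0/1.200 having no ip nat inside, and the 194.50.0.1 outside address is a constructed stand-in for the masked 194.50.x.x.

```python
import ipaddress

# ACLs copied from the posted config: 130 is the NAT source list, 140 the crypto map match list.
POSTED_ACLS = """
access-list 130 deny ip 10.145.66.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 172.29.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 host 206.90.20.128 log
access-list 130 permit ip 10.200.7.0 0.0.0.255 any log
access-list 140 permit ip 10.200.7.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 140 permit ip 10.145.66.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 140 permit ip 10.200.7.0 0.0.0.255 172.29.1.0 0.0.0.255 log
access-list 140 permit ip 10.200.7.0 0.0.0.255 host 206.90.20.128 log
"""
OUTSIDE_IP = "194.50.0.1"  # constructed stand-in for the masked 194.50.x.x on FastEthernet0/0

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _spec(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (base, wildcard), rest."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def parse_acls(text):
    """Return {acl_number: [(permit, src_spec, dst_spec), ...]} in configured order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list" or t[3] != "ip":
            continue  # only plain 'ip' entries appear in the posted lists
        src, rest = _spec(t[4:])
        dst, _ = _spec(rest)
        acls.setdefault(t[1], []).append((t[2] == "permit", src, dst))
    return acls

def lookup(acl, src, dst):
    """First-match evaluation; the implicit deny at the end returns False."""
    s, d = _ip(src), _ip(dst)
    for permit, (sb, sw), (db, dw) in acl:
        if (s | sw) == (sb | sw) and (d | dw) == (db | dw):  # wildcard bits are don't-care
            return permit
    return False

def classify(acls, src, dst):
    """Inside-to-outside: NAT (list 130) runs first, then the crypto map sees the post-NAT source."""
    translated = lookup(acls["130"], src, dst)
    encrypted = lookup(acls["140"], OUTSIDE_IP if translated else src, dst)
    return "encrypted" if encrypted else ("translated" if translated else "untranslated-clear")
```

Running classify for a data-VLAN host to an internet address yields "translated", while a voice-VLAN host to the same address yields "untranslated-clear", because list 130 has no permit for 10.145.66.0/24.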
04-04-2008 08:38 AM
Looks like you're missing your NAT IP address pool.
Example:
ip nat pool no-overload 172.16.10.1 172.16.10.63 prefix 24
!
!--- Defines a NAT pool named no-overload with a range of addresses
!--- 172.16.10.1 - 172.16.10.63.
Configuring NAT
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
HTH, Please rate if so.
Cheers,
Justin
04-04-2008 01:34 PM
If I am already telling it to overload to the outside interface, why would I need to set up a nat pool?
04-04-2008 01:50 PM
Sorry, didn't notice the overload, but you would need a NAT pool.
3. Configure NAT Pool
This will be a pool of legal public IPs that is bought by the organisation. This could be anything from one to many IP addresses.
WANRouter(config)# ip nat pool WANPOOL 100.100.100.10 100.100.100.10 netmask 255.255.255.0
http://www.itsyourip.com/cisco/how-to-configure-nat-in-cisco-ios-nat-overload/
Hope this helps, pls rate.
Justin