NAT Issue, not routing internet traffic

stogyman_
Level 1

I am connecting a Cisco 2801 router running 12.4(3c) to an ASA5520 running 7.2(1) over a DSL connection. I am setting up an IPsec tunnel between the two. All traffic I have set up to route over the tunnel is working just fine, but for the life of me, I cannot get my hosts behind the router to NAT to the outside interface and go out to the internet. It's like all traffic wants to route through the tunnel. Below is how I have my config on the router set up:

crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ******** address [<external firewall ip address>]
!
crypto ipsec transform-set L2L esp-3des esp-md5-hmac
!
crypto map whiteplains 100 ipsec-isakmp
 set peer [<external firewall ip address>]
 set transform-set L2L
 match address 140
!
interface FastEthernet0/0
 description Outside Interface
 ip address 194.50.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map whiteplains
!
interface FastEthernet0/1
 no ip address
 ip accounting output-packets
 ip accounting access-violations
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet0/1.100
 description Whiteplains NY Data VLAN
 encapsulation dot1Q 100
 ip address 10.200.7.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface FastEthernet0/1.200
 description Whiteplains NY Voice VLAN
 encapsulation dot1Q 200
 ip address 10.145.66.1 255.255.255.0
 no snmp trap link-status
!
interface Serial0/1/0
 no ip address
 shutdown
!
interface Serial0/2/0
 no ip address
 shutdown
!
ip classless
! default route via the provider next hop (address redacted as posted)
ip route 0.0.0.0 0.0.0.0 194.50.x.x
!
! PAT of inside hosts to the outside interface address; ACL 130 selects what is translated
ip nat inside source list 130 interface FastEthernet0/0 overload
!
! NAT ACL 130: deny = exempt from translation (tunnel traffic), permit = translate
access-list 130 deny ip 10.145.66.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 172.29.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 host 206.90.20.128 log
access-list 130 permit ip 10.200.7.0 0.0.0.255 any log
! Crypto ACL 140: interesting traffic for the tunnel (referenced by "match address 140")
access-list 140 permit ip 10.200.7.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 140 permit ip 10.145.66.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 140 permit ip 10.200.7.0 0.0.0.255 172.29.1.0 0.0.0.255 log
access-list 140 permit ip 10.200.7.0 0.0.0.255 host 206.90.20.128 log

This is the first time I am terminating a router to the firewall. Up to this point all my connections have been firewall to firewall and I have not run into this issue before. Any assistance would be greatly appreciated. I did try using a route-map and that didn't work for me either.
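The interaction the post is wrestling with, NAT ACL versus crypto ACL, can be checked mechanically. On IOS a packet travelling inside-to-outside is processed by NAT before the crypto map, so every flow the crypto ACL selects must hit a deny in the NAT ACL before any permit, otherwise its source is rewritten to the outside address and it never matches the tunnel. The following is an added example, not code from the original thread: it parses the two ACLs as posted, reports for each crypto ACL 140 flow whether NAT ACL 130 exempts it, and lists inside subnets that no permit entry covers at all (for the ACL as posted, 10.145.66.0/24 has none). The `BAD_NAT_ACL` counter-example with the permit listed first is constructed for contrast.

```python
"""Check that traffic selected by a crypto ACL is exempt from a NAT ACL.

Added example, not from the original post. Inside-to-outside, IOS applies NAT
before the crypto map, so each crypto-ACL flow must match a 'deny' (or nothing)
in the NAT ACL before it matches any 'permit'.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample input: NAT ACL 130 and crypto ACL 140 exactly as posted above.
NAT_ACL = """
access-list 130 deny ip 10.145.66.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 172.29.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 130 deny ip 10.200.7.0 0.0.0.255 host 206.90.20.128 log
access-list 130 permit ip 10.200.7.0 0.0.0.255 any log
"""
CRYPTO_ACL = """
access-list 140 permit ip 10.200.7.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 140 permit ip 10.145.66.0 0.0.0.255 10.172.1.0 0.0.0.255 log
access-list 140 permit ip 10.200.7.0 0.0.0.255 172.29.1.0 0.0.0.255 log
access-list 140 permit ip 10.200.7.0 0.0.0.255 host 206.90.20.128 log
"""
# Constructed counter-example: the permit is listed before the deny.
BAD_NAT_ACL = """
access-list 130 permit ip 10.200.7.0 0.0.0.255 any
access-list 130 deny ip 10.200.7.0 0.0.0.255 10.172.1.0 0.0.0.255
"""


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_spec(tokens, i):
    """Consume one address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # A contiguous wildcard mask has one 1-bit per host bit; convert to a prefix length.
    prefix = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST [log]' lines into Ace objects."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, i = _parse_spec(tokens, 4)
        dst, _ = _parse_spec(tokens, i)
        aces.append(Ace(tokens[2], src, dst))
    return aces


def first_match(acl, src, dst):
    """First ACE whose source and destination fully contain the flow; None = implicit deny."""
    for ace in acl:
        if src.subnet_of(ace.src) and dst.subnet_of(ace.dst):
            return ace
    return None


def check_nat_exemption(nat_acl, crypto_acl):
    """Map each crypto-ACL flow to 'exempt', 'implicit-deny' or 'translated'."""
    result = {}
    for flow in crypto_acl:
        hit = first_match(nat_acl, flow.src, flow.dst)
        if hit is None:
            status = "implicit-deny"
        elif hit.action == "deny":
            status = "exempt"
        else:
            status = "translated"  # NAT rewrites the source before the crypto map sees it
        result[f"{flow.src} -> {flow.dst}"] = status
    return result


def subnets_without_nat(nat_acl, inside_subnets):
    """Inside subnets that no 'permit' entry covers, i.e. that are never translated."""
    missing = []
    for cidr in inside_subnets:
        net = ipaddress.ip_network(cidr)
        if not any(a.action == "permit" and net.subnet_of(a.src) for a in nat_acl):
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    nat, crypto = parse_acl(NAT_ACL), parse_acl(CRYPTO_ACL)
    for flow, status in check_nat_exemption(nat, crypto).items():
        print(f"{flow}: {status}")
    print("inside subnets with no NAT permit:",
          subnets_without_nat(nat, ["10.200.7.0/24", "10.145.66.0/24"]))
```

The check treats a flow as matched only when an entry contains both its source and destination networks in full; partially overlapping entries are not modelled, so on a real router confirm with `show ip nat translations` and `show crypto ipsec sa` whether the counters move where expected.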

3 Replies

Justin Brenton
Level 4

Looks like you're missing your NAT IP address pool.

Example:

ip nat pool no-overload 172.16.10.1 172.16.10.63 prefix 24
!
!--- Defines a NAT pool named no-overload with a range of addresses
!--- 172.16.10.1 - 172.16.10.63.

Configuring NAT

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml

HTH, Please rate if so.

Cheers,

Justin

If I am already telling it to overload to the outside interface, why would I need to set up a nat pool?

Sorry, didn't notice the overload, but you would need a NAT pool.

3. Configure NAT Pool

This will be a pool of legal public IPs that is bought by the organisation. This could be anything from one to many IP addresses.

WANRouter(config)# ip nat pool WANPOOL 100.100.100.10 100.100.100.10 netmask 255.255.255.0

http://www.itsyourip.com/cisco/how-to-configure-nat-in-cisco-ios-nat-overload/

Hope this helps, pls rate.

Justin
