Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
339
Views
0
Helpful
4
Replies

NAT and IPsec site-to-site

Go to solution
yayasolenet
Level 1
Level 1

‎05-11-2008 07:58 PM - edited ‎03-03-2019 09:54 PM

Hi,

Why NAT happens to site-2-site IPsec tunnel?

I configured an IPsec tunnel between site A and Site B. They are pining each other well. Site B has a web server which is open to the public. So it has a stactic NAT configured.

eg. ip nat inside source static tcp 10.10.10.10 80 interface fastethernet0 80

From Site A, http://10.10.10.10/ failed to display the web site.

Then I found nat has happened.

I thought NAT should bypassed when traffic is through the IPsec tunnel. But obviousely it is not.

What can I do to make it both work for external and vpn sites?

Thanks,

Lydia

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
izackvail
Level 1
Level 1
In response to yayasolenet

‎05-12-2008 06:06 AM

Hi Lydia, you can't use that command when you specify an interface rather than an actual global address.

it would have to look like this:

ip nat inside static 10.10.10.10 (some routable outside address) route-map nonat

View solution in original post

0 Helpful
4 Replies 4

Go to solution
izackvail
Level 1
Level 1

‎05-11-2008 08:44 PM

Hi Lydia, I am sure you created a crypto ACL for your VPN tunnel. typically you would also create a route map to exclude nat from those subnets that you are tunneling. If your crypto ACL says:

access-list 120 permit IP 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255

crypto map VPN 1 ipsec-isakmp

match address 120

Then your route map would deny that traffic.

access-list 102 deny ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255

And you would create a route map to keep it from being NATed like this.

route-map NONAT permit 10

match ip address 102

ip nat inside source route-map NONAT interface Serial0/0

0 Helpful

Go to solution
yayasolenet
Level 1
Level 1
In response to izackvail

‎05-11-2008 09:24 PM

Thank you for the prompt reply. I have no issue for vpn site communication to each other or browsing internet.

The only problem is the static NAT for a specific server (10.10.10.10) on a specific port (80).

Can this static NAT be replaced by Route-map?

Cheers,

Lydia

0 Helpful

Go to solution
yayasolenet
Level 1
Level 1
In response to yayasolenet

‎05-11-2008 10:32 PM

Hi,

I've found the solution using static nat with Route-map as show in the link below.

http://www.cisco.com/warp/public/707/static.html

But it looks like my IOS version does not support this command. The document is based on 12.3(14)T. My IOS version is 12.4(6)T9. How come the latest one does not support?

Attached is the screen shots of the error while i was trying to add the route-map nonat in the end of the static nat command.

Can anybody tell me why? Any other solutions?

Thanks,

Preview file
63 KB
0 Helpful

Go to solution
izackvail
Level 1
Level 1
In response to yayasolenet

‎05-12-2008 06:06 AM

Hi Lydia, you can't use that command when you specify an interface rather than an actual global address.

it would have to look like this:

ip nat inside static 10.10.10.10 (some routable outside address) route-map nonat

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card