05-11-2008 07:58 PM - edited 03-03-2019 09:54 PM
Hi,
Why does NAT happen to a site-to-site IPsec tunnel?
I configured an IPsec tunnel between Site A and Site B. They are pinging each other well. Site B has a web server which is open to the public, so it has a static NAT configured.
eg. ip nat inside source static tcp 10.10.10.10 80 interface fastethernet0 80
From Site A, http://10.10.10.10/ failed to display the web site.
Then I found that NAT has happened.
I thought NAT should be bypassed when traffic goes through the IPsec tunnel. But obviously it is not.
What can I do to make it both work for external and vpn sites?
Thanks,
Lydia
Solved!
05-12-2008 06:06 AM
Hi Lydia, you can't use that command when you specify an interface rather than an actual global address.
It would have to look like this:
ip nat inside source static 10.10.10.10 (some routable outside address) route-map nonat
05-11-2008 08:44 PM
Hi Lydia, I am sure you created a crypto ACL for your VPN tunnel. Typically you would also create a route map to exclude NAT for those subnets that you are tunneling. If your crypto ACL says:
access-list 120 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
crypto map VPN 1 ipsec-isakmp
match address 120
Then your route map would deny that traffic:
access-list 102 deny ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
And you would create a route map to keep it from being NATed, like this:
route-map NONAT permit 10
match ip address 102
ip nat inside source route-map NONAT interface Serial0/0
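The two replies above (the route-map exemption, and the accepted answer that the static entry must use a real global address with `route-map`) fit together into one Site B configuration. The block below is an added example, not configuration posted in the thread; it assumes Site B's LAN is 10.10.0.0/16, Site A's LAN is 10.20.0.0/16, the outside interface is FastEthernet0 (from the original post), the inside interface is FastEthernet1, and 203.0.113.10 is a placeholder routable address for the web server. The tunnel itself (ISAKMP policy, transform set, peer) is assumed to be already working, as the original post says.

```cisco
! Added example for Site B: exempt tunnel traffic from both the dynamic PAT and
! the static NAT for the web server. Addresses below are assumptions.
!
! Crypto ACL: traffic that must be encrypted into the tunnel (from the thread).
access-list 120 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
! NAT ACL: deny tunnel traffic first so it is never translated, then permit
! everything else. The permit line is required; with only the deny line the
! route-map would match nothing and no Internet-bound traffic would be PATed.
access-list 102 deny   ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 102 permit ip 10.10.0.0 0.0.255.255 any
!
route-map NONAT permit 10
 match ip address 102
!
! Dynamic PAT for general Internet access, subject to the exemption.
ip nat inside source route-map NONAT interface FastEthernet0 overload
!
! Static NAT for the web server. As the accepted answer says, the route-map
! form needs a real global address (203.0.113.10 here, a placeholder), not
! "interface FastEthernet0". Because route-map NONAT denies 10.10/16 -> 10.20/16,
! Site A reaches 10.10.10.10 untranslated through the tunnel, while the public
! still reaches it via 203.0.113.10.
ip nat inside source static 10.10.10.10 203.0.113.10 route-map NONAT
!
crypto map VPN 1 ipsec-isakmp
 match address 120
!
interface FastEthernet0
 ip nat outside
 crypto map VPN
!
interface FastEthernet1
 ip nat inside
```

To confirm the exemption is in effect, browse to http://10.10.10.10/ from Site A and then run `show ip nat translations` on the Site B router: there should be no entry pairing a 10.20.x.x address with 10.10.10.10, whereas a connection from the Internet to 203.0.113.10 does produce one. Keep the deny line for the tunnel subnets ahead of the permit line, since the route-map is evaluated against the ACL in order and the first match decides.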
05-11-2008 09:24 PM
Thank you for the prompt reply. I have no issue for vpn site communication to each other or browsing internet.
The only problem is the static NAT for a specific server (10.10.10.10) on a specific port (80).
Can this static NAT be replaced by Route-map?
Cheers,
Lydia
05-11-2008 10:32 PM
Hi,
I've found the solution using static NAT with a route-map as shown in the link below.
http://www.cisco.com/warp/public/707/static.html
But it looks like my IOS version does not support this command. The document is based on 12.3(14)T. My IOS version is 12.4(6)T9. How come the later one does not support it?
Attached are the screenshots of the error while I was trying to add the route-map nonat at the end of the static NAT command.
Can anybody tell me why? Any other solutions?
Thanks,