I have a strange issue. I use a Cisco 2811 router with dual ISP for failover.
ip nat inside source static tcp 192.168.1.2 110 interface FastEthernet0/0 110
ip nat inside source static tcp 192.168.1.2 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.1.2 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.1.3 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 192.168.1.2 3390 interface FastEthernet0/0 3390
Everyone can access the server 192.168.1.3 from outside using the public IP address, but when people VPN in and try to access 192.168.1.3 using the private IP address, it doesn't work. Here's the NAT ACL:
ip access-list extended NATACL
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
192.168.2.0 is the VPN pool address.
Any help on this would be really appreciated.
The "route map with static NAT translations" feature was introduced in 12.2(4)T.
There is one more way to bypass static NAT, which was used before the route-map feature existed, but here you need to create a loopback interface.
1. Create a loopback interface (any unused loopback number will do; Loopback0 is used here):
interface Loopback0
 ip address 10.254.254.253 255.255.255.252
2. Create an access list statement that permits the IPsec traffic:
access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
3. Create a route map and route the IPsec traffic towards the loopback interface:
route-map nonat permit 10
match ip address 199
set ip next-hop 10.254.254.254
4. Apply the route map on the inside interface of the router, the one where "ip nat inside" is also applied:
ip nat inside
ip policy route-map nonat
Clear the NAT translations: clear ip nat trans *
And then check.
Please rate helpful posts.
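The loopback bypass from the answer above, assembled into one complete configuration using the addresses from the question, as an added example that is not part of either post. It assumes the LAN sits on FastEthernet0/1 with 192.168.1.1 as the router's inside address (the question only shows FastEthernet0/0 as the NAT interface), Loopback0 as the bounce interface, and the route-map name "nonat" from the answer; the verification commands at the end are what to look at after clearing the translations.

```cisco
! Added example, not from the original posters. Assumptions: inside LAN on
! FastEthernet0/1 (router address 192.168.1.1), outside on FastEthernet0/0
! as implied by the question's port forwards, Loopback0 as the bounce hop.
!
! Why the NATACL deny alone does not help: static "ip nat inside source
! static" entries are not subject to the dynamic NAT ACL, so LAN-to-VPN
! traffic from 192.168.1.3 is still translated. IOS only translates a packet
! when it is routed from an "ip nat inside" interface to an "ip nat outside"
! interface. Policy-routing the VPN-bound traffic to a next hop on the
! loopback subnet pushes it through Loopback0 first; when it is routed again
! from there, it no longer arrives from a NAT-inside interface, so the static
! translation is skipped and the VPN client sees the real 192.168.1.3.
!
! 1. Loopback used only as a NAT-free bounce hop. Deliberately no ip nat here.
interface Loopback0
 ip address 10.254.254.253 255.255.255.252
!
! 2. Traffic to exempt: LAN -> VPN pool only. Keep this match tight; whatever
!    it matches is policy-routed and bypasses NAT entirely.
access-list 199 remark LAN to VPN pool, bypass static NAT
access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! 3. The next hop is the other host address in the loopback's /30, so the
!    packet is forwarded into Loopback0.
route-map nonat permit 10
 match ip address 199
 set ip next-hop 10.254.254.254
!
! 4. Apply on the inside interface, the one that already carries ip nat inside.
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip policy route-map nonat
!
interface FastEthernet0/0
 ip nat outside
!
! The static forwards from the question stay exactly as they are.
ip nat inside source static tcp 192.168.1.3 3389 interface FastEthernet0/0 3389
!
! 5. Flush existing translations so already-open flows pick up the change.
!    This drops every active translation, so do it in a maintenance window.
end
clear ip nat translation *
!
! Verification (exec mode):
! "Policy routing matches" counter should increase while a VPN client connects
show route-map nonat
! no translation should appear with a 192.168.2.x destination
show ip nat translations
! prints a "policy match" line for each LAN -> VPN packet; disable when done
debug ip policy
undebug all
```

If the loopback bounce does not show matches in "show route-map nonat", check that the policy is on the interface the LAN traffic actually enters, not on the outside interface; PBR only sees packets arriving on the interface it is applied to.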