10-08-2008 02:48 AM - edited 03-03-2019 11:50 PM
Hi,
I have a Cisco 1721 router setup with a nat statement as follows:
ip access-list extended acl_nat
deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list acl_nat interface Ethernet0 overload
The above works fine. I then added the statements below for a site to site VPN:
ip access-list extended acl_nat2
permit ip 192.168.1.0 0.0.0.255 host 10.1.1.1
ip nat pool nat_pool 192.168.10.1 192.168.10.10 netmask 255.255.255.0
ip nat inside source list acl_nat pool nat_pool
I can now connect to the remote VPN host 10.1.1.1, however, I am no longer able to browse the web. As soon as I remove the 'ip nat inside source list acl_nat pool nat_pool' statement, I am able to browse the web. Should I be able to have the 2 NAT statements above work in conjunction with one another?
Thanks
10-08-2008 04:12 AM
The thing is, the pool you were using was using private IP addresses.
For the internet you need public IPs from your ISP.
When you used ip nat inside source list acl_nat interface Ethernet0 overload,
this one was using the IP address on Ethernet0, whether it is a static public address or dynamically assigned by your ISP, which is routable over the internet.
By the way,
the pool you were using, even if it were public IPs, will only allow 10 connections; you need the overload keyword to do PAT once those IPs in the pool are used up.
I suggest you use the first NAT, which is
ip nat inside source list acl_nat interface Ethernet0 overload
unless you get public IP addresses from your ISP.
Good luck.
If helpful, rate.
10-08-2008 05:19 AM
Hi,
The first NAT is for internet traffic and the second NAT is for traffic over a site-to-site VPN. This is why I have used private addresses for the second NAT. Also, I only need a few addresses in the pool as only a few people will use it.
I just need both to function simultaneously.
Thanks
10-08-2008 05:24 AM
In the next NAT, try to use a different ACL name or number.
10-08-2008 06:30 AM
Hello, you seem to have created two separate ACLs but are using only one.
Instead of ip nat inside source list acl_nat pool nat_pool
use
ip nat inside source list acl_nat2 pool nat_pool
10-08-2008 07:54 AM
Apologies, that was a typo. I am using acl_nat2 for the second NAT. NATting to the NAT pool works fine when I configure it; it just stops the internet NAT (the first NAT) from working.
10-08-2008 08:01 AM
To summarize, this is the config:
!
ip access-list extended acl_nat
deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended acl_nat2
permit ip 192.168.1.0 0.0.0.255 host 10.1.1.1
!
ip nat pool nat_pool 192.168.10.1 192.168.10.10 netmask 255.255.255.0
!
ip nat inside source list acl_nat interface Ethernet0 overload
ip nat inside source list acl_nat2 pool nat_pool
...correct me if I'm wrong.
10-08-2008 08:07 AM
That's the correct config. With this config, I can connect to the 10.1.1.1 host using the second NAT, but can't browse the web. As soon as I remove the NAT statement that uses the pool, I can browse the web.
10-10-2008 05:15 AM
It looks like the problem only occurs when there's an active translation for the nat pool.
This is the output of show ip nat translations:
Pro Inside global Inside local Outside local Outside global
tcp our_external_ip:2178 192.168.1.230:2178 84.53.137.11:80 84.53.137.11:80
tcp our_external_ip:2179 192.168.1.230:2179 84.53.137.11:80 84.53.137.11:80
tcp our_external_ip:2180 192.168.1.230:2180 84.53.137.11:80 84.53.137.11:80
tcp our_external_ip:2181 192.168.1.230:2181 84.53.137.11:80 84.53.137.11:80
--- 192.168.10.1 192.168.1.230 --- ---
10-10-2008 05:45 AM
Check all access-lists and then permit all HTTP traffic.
10-10-2008 07:30 AM
I think the last entry in the NAT translation table I posted probably explains why internet traffic stops working. Having done some looking around, it looks like I may be able to get round the problem by using a route-map.
I've tested the config with a route-map; now the translation entry for the site-to-site VPN includes outside local and outside global entries. However, although internet traffic is now working, traffic for the remote VPN is not.
Below is a sample of my config:
route-map rmap_nat permit 1
match ip address acl_nat
route-map rmap_nat2 permit 1
match ip address acl_nat2
ip nat inside source route-map rmap_nat interface ethernet0 overload
ip nat inside source route-map rmap_nat2 pool nat_pool
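Added example, not from this thread or from Cisco: a small Python model of the translation lookup the posted table points at, showing why a simple pool entry for 192.168.1.230 captures that host's web traffic while an extended route-map entry covers only its own flow. The lookup order, the pool address handed out, and the ports 3001/445 on the VPN flow are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of IOS translation lookup (not IOS code). A "simple" entry, the
# thread's "--- 192.168.10.1 192.168.1.230 --- ---" from pool NAT without overload, has
# no outside fields and matches every packet from that host; an "extended" entry (PAT,
# or NAT driven by a route-map) also records outside address/ports and matches one flow.

@dataclass(frozen=True)
class Translation:
    inside_local: str
    inside_global: str
    proto: Optional[str] = None          # the four Optional fields stay None for a simple entry
    inside_port: Optional[int] = None
    outside_global: Optional[str] = None
    outside_port: Optional[int] = None

    def matches(self, proto, src, sport, dst, dport) -> bool:
        if self.inside_local != src:
            return False
        if self.outside_global is None:
            return True                  # simple entry: any destination, any port
        return (self.proto, self.inside_port, self.outside_global,
                self.outside_port) == (proto, sport, dst, dport)

def new_entry_for(src: str, dst: str) -> Optional[str]:
    """Inside-global address a new flow gets from the thread's two NAT rules: acl_nat
    (deny 192.168.1.0/24 -> 10/8, permit any) -> PAT on Ethernet0; acl_nat2 -> nat_pool."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in ipaddress.ip_network("192.168.1.0/24"):
        return None
    if d not in ipaddress.ip_network("10.0.0.0/8"):
        return "our_external_ip"         # placeholder name used in the thread's output
    return "192.168.10.1" if d == ipaddress.ip_address("10.1.1.1") else None

def translate(table, proto, src, sport, dst, dport) -> Optional[str]:
    """Existing extended entries are checked first, then simple ones; a new entry is
    created only if nothing in the table already covers the packet."""
    for entry in sorted(table, key=lambda e: e.outside_global is None):
        if entry.matches(proto, src, sport, dst, dport):
            return entry.inside_global
    return new_entry_for(src, dst)

WEB = "84.53.137.11"                     # destination seen in the thread's table
POOL_TABLE = [Translation("192.168.1.230", "192.168.10.1")]   # pool, no overload
RMAP_TABLE = [Translation("192.168.1.230", "192.168.10.1",    # route-map: extended
                          "tcp", 3001, "10.1.1.1", 445)]      # (ports constructed)
```

With POOL_TABLE a fresh web connection from 192.168.1.230 is sent out as 192.168.10.1, a private address the ISP cannot return traffic to; with RMAP_TABLE the same connection falls through to the PAT rule.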