Unanswered Question
Oct 10th, 2008
I have the config below on my router. I would like to PAT users to the outside interface for internet traffic and NAT them to a nat pool for a site-to-site VPN. When I add the second nat statement for the NAT pool, the internet nat stops working, however, the second nat works.

Can anyone tell me if the config below should work?


interface e0
 desc outside
 ip nat outside
interface e1
 desc inside
 ip nat inside

ip access-list extended acl_nat
 deny ip
 permit ip any

ip access-list extended acl_nat2
 permit ip host

ip nat pool nat_pool netmask

ip nat inside source list acl_nat interface Ethernet0 overload
ip nat inside source list acl_nat2 pool nat_pool

alraycisco Fri, 10/10/2008 - 05:14

It looks like the problem only occurs when there's an active translation for the nat pool.

This is the output of show ip nat translations:

Pro Inside global Inside local Outside local Outside global
tcp our_external_ip:2178
tcp our_external_ip:2179
tcp our_external_ip:2180
tcp our_external_ip:2181
--- --- ---

alraycisco Fri, 10/10/2008 - 07:41

I think the last entry in the nat translation table I posted probably explains why internet traffic stops working. Having done some looking around, it looks like I may be able to get round the problem by using a route-map.

I've tested the config with a route map, now a translation entry for the site-to-site vpn includes outside local and outside global entries. However, although internet traffic is now working, traffic for the remote VPN is not.

Below is a sample of my config:

route-map rmap_nat permit 1
 match ip address acl_nat
route-map rmap_nat2 permit 1
 match ip address acl_nat2

ip nat inside source route-map rmap_nat interface ethernet0 overload
ip nat inside source route-map rmap_nat2 pool nat_pool

attrib7575 Fri, 10/10/2008 - 07:41

So hosts whose traffic is destined only for you want to NAT POOL? That really looks like it should work. HMMM

alraycisco Mon, 10/13/2008 - 01:06
I've changed the config so the first nat (internet nat) no longer uses the route-map but the second nat does. This allowed both sets of traffic to work. A strange behaviour I found was that I couldn't have multiple connections open to the same remote VPN client, but when I changed the nat statement to 'overload', I could open multiple connections to the same client.
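The arrangement described in the last post, written out as an added example configuration (it is not the poster's own config, which leaves the addresses out). The addresses are constructed placeholders: 192.168.1.0/24 is assumed to be the inside LAN, 10.20.0.0/16 the remote VPN site, and 203.0.113.1-6 the NAT pool.

```ios
! Added example, not the poster's config. Addresses are constructed placeholders.
interface Ethernet0
 description outside
 ip nat outside
!
interface Ethernet1
 description inside
 ip nat inside
!
! Internet traffic: the LAN to anywhere EXCEPT the remote VPN site.
! The deny keeps the PAT rule from claiming VPN traffic; a deny in a NAT ACL
! only means "this rule does not apply", so the next rule is still evaluated.
ip access-list extended acl_nat
 deny   ip 192.168.1.0 0.0.0.255 10.20.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.255 any
!
! VPN traffic only: the LAN to the remote site.
ip access-list extended acl_nat2
 permit ip 192.168.1.0 0.0.0.255 10.20.0.0 0.0.255.255
!
route-map rmap_nat2 permit 1
 match ip address acl_nat2
!
ip nat pool nat_pool 203.0.113.1 203.0.113.6 netmask 255.255.255.248
!
! Internet rule: plain list, PAT on the outside interface (as in the working setup).
ip nat inside source list acl_nat interface Ethernet0 overload
!
! VPN rule: route-map so its translations are extended entries that carry the
! outside local/global addresses and therefore match only VPN-bound traffic,
! instead of a bare inside->pool entry that swallows the host's internet traffic.
! 'overload' lets several connections to the same remote host share a pool address.
ip nat inside source route-map rmap_nat2 pool nat_pool overload
!
! Caveat: NAT runs before crypto for inside-to-outside traffic, so the crypto ACL
! (not shown on the page) must match the translated 203.0.113.x pool addresses,
! not the 192.168.1.x inside addresses.
```

Confirm with show ip nat translations that VPN-bound flows show both outside local and outside global columns filled in while internet flows translate to the Ethernet0 address.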

