10-10-2008 02:58 AM - edited 03-06-2019 01:51 AM
Hi,
I have the config below on my router. I would like to PAT users to the outside interface for internet traffic and NAT them to a nat pool for a site-to-site VPN. When I add the second nat statement for the NAT pool, the internet nat stops working, however, the second nat works.
Can anyone tell me if the config below should work?
Thanks
interface e0
 description outside
 ip nat outside
interface e1
 description inside
 ip nat inside
!
ip access-list extended acl_nat
 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended acl_nat2
 permit ip 192.168.1.0 0.0.0.255 host 10.1.1.1
!
ip nat pool nat_pool 192.168.10.1 192.168.10.10 netmask 255.255.255.0
!
ip nat inside source list acl_nat interface Ethernet0 overload
ip nat inside source list acl_nat2 pool nat_pool
10-10-2008 05:14 AM
It looks like the problem only occurs when there's an active translation for the nat pool.
This is the output of show ip nat translations:
Pro  Inside global            Inside local          Outside local       Outside global
tcp  our_external_ip:2178     192.168.1.230:2178    84.53.137.11:80     84.53.137.11:80
tcp  our_external_ip:2179     192.168.1.230:2179    84.53.137.11:80     84.53.137.11:80
tcp  our_external_ip:2180     192.168.1.230:2180    84.53.137.11:80     84.53.137.11:80
tcp  our_external_ip:2181     192.168.1.230:2181    84.53.137.11:80     84.53.137.11:80
---  192.168.10.1             192.168.1.230         ---                 ---
10-10-2008 07:41 AM
I think the last entry in the NAT translation table I posted probably explains why internet traffic stops working. Having done some looking around, it looks like I may be able to get round the problem by using a route-map.
I've tested the config with a route-map, and now a translation entry for the site-to-site VPN includes outside local and outside global entries. However, although internet traffic is now working, traffic for the remote VPN is not.
Below is a sample of my config:
route-map rmap_nat permit 1
 match ip address acl_nat
route-map rmap_nat2 permit 1
 match ip address acl_nat2
!
ip nat inside source route-map rmap_nat interface ethernet0 overload
ip nat inside source route-map rmap_nat2 pool nat_pool
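A toy model of the translation-table lookup the two posts above are describing, added here as an illustration (it is not the poster's code, and IOS does not work in Python). It assumes, as my understanding of IOS NAT rather than anything stated in the thread, that an inside-to-outside packet is matched against existing translation entries before the `ip nat inside source` rules are consulted, that a pool rule without `overload` creates a simple entry (the `---` row, inside local only), and that route-map or overload rules create extended entries that also record the outside address. The addresses are the poster's; `our_external_ip` is their placeholder for the e0 address.

```python
"""Toy model of the IOS inside-source NAT lookup in this thread (added example).
Assumption (my reading of IOS, not stated in the thread): a packet is first
matched against the existing translation table; only on a miss are the
'ip nat inside source' rules evaluated and an entry created. A pool rule
without 'overload' makes a *simple* entry (inside local only, the '---' row);
route-map or overload rules make *extended* entries carrying the outside address."""
from ipaddress import ip_address, ip_network

OUTSIDE_IF = "our_external_ip"   # placeholder for the e0 address, as in the thread
POOL_ADDR = "192.168.10.1"       # first address handed out from nat_pool

def in_net(addr, net):
    return ip_address(addr) in ip_network(net)

def acl_nat(src, dst):
    """acl_nat: deny 192.168.1.0/24 -> 10.0.0.0/8, permit 192.168.1.0/24 -> any."""
    return in_net(src, "192.168.1.0/24") and not in_net(dst, "10.0.0.0/8")

def acl_nat2(src, dst):
    """acl_nat2: permit 192.168.1.0/24 -> host 10.1.1.1."""
    return in_net(src, "192.168.1.0/24") and dst == "10.1.1.1"

def lookup(table, src, dst):
    """Table check first: a simple entry (outside None) matches on inside local alone."""
    for entry in table:
        if entry["inside_local"] == src and entry["outside"] in (None, dst):
            return entry["inside_global"]
    return None

def translate(table, src, dst, pool_extended):
    """Return the inside-global address used for src -> dst, adding an entry on a miss."""
    hit = lookup(table, src, dst)
    if hit is not None:
        return hit
    if acl_nat(src, dst):     # ip nat inside source list acl_nat interface e0 overload
        table.append({"inside_local": src, "inside_global": OUTSIDE_IF, "outside": dst})
        return OUTSIDE_IF
    if acl_nat2(src, dst):    # ip nat inside source list acl_nat2 pool nat_pool
        table.append({"inside_local": src, "inside_global": POOL_ADDR,
                      "outside": dst if pool_extended else None})
        return POOL_ADDR
    return src                # no rule matched: forwarded untranslated

def run_scenario(pool_extended):
    """Host .230 opens a VPN flow to 10.1.1.1, then a web flow to 84.53.137.11."""
    table = []
    vpn = translate(table, "192.168.1.230", "10.1.1.1", pool_extended)
    web = translate(table, "192.168.1.230", "84.53.137.11", pool_extended)
    return vpn, web
```

`run_scenario(False)` models the list-based pool: the web flow hits the simple entry and is sent out as 192.168.10.1, which is the symptom in the first post; `run_scenario(True)` models the route-map pool, where the extended entry misses and the web flow falls through to the interface PAT.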
10-10-2008 07:41 AM
So hosts whose traffic is destined only for 10.1.1.1 you want to NAT to the pool? That really looks like it should work. HMMM
10-13-2008 01:06 AM
Hi,
I've changed the config so that only the first NAT (the internet NAT) no longer uses the route-map, while the second NAT still does. This allowed both sets of traffic to work. A strange behaviour I found was that I couldn't have multiple connections open to the same remote VPN client, but when I changed the NAT statement to 'overload' I could open multiple connections to the same client.