Help me understand a NAT/VPN issue

Answered Question
Mar 7th, 2009

Hello all,


I've stumbled upon something that I cannot explain and I could use some help in order to understand what is happening :)


The problem, as I see it, is as follows (in short terms):


My router seems to do NAT on the return packets on an incoming connection that arrives via the VPN connection. This only happens to packets that are using ports that I have forwarded using ip nat inside source static...


I am using nat exempt for the VPN connections. The NAT exempts are working just fine except when they seem to "collide" with port forwardings.


This translation entry is listed after I try to telnet from a 10.0.0.x host to 10.45.131.23 port 80:


Cisco_1811#sh ip nat t | inc 10.0.0.

tcp 172.16.0.64:80 10.45.131.23:80 10.0.0.6:1872 10.0.0.6:1872


How can I make the router not do NAT at all on the VPN connections?


I'm suspecting it's because I'm using route-map instead of lists in the NAT overload statement.


P.S.


The router has 172.16.0.64 as its "public" ip and the config is attached to this message.





Correct Answer
Yudong Wu Sat, 03/07/2009 - 19:04

You can try to add a route-map which will deny all VPN related traffic on all static nat entries.

ip nat inside source static tcp 1.1.1.1 80 2.2.2.2 80 route-map xxx


By the way, it seems your VPN config is incomplete. I did not see a pre-shared key and peer IP configured.
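As an added illustration of the fix described in this answer (example config, not the thread's attached config and not Yudong Wu's own), here is the route-map approach spelled out: an extended ACL that denies LAN-to-VPN traffic and permits everything else, wrapped in a route-map and attached to the static port forward, so the static translation is only created for non-VPN traffic. The local LAN 10.0.0.0/24 and the 172.16.0.64 address are taken from the question; the remote VPN subnet 10.45.131.0/24, the inside web server 10.0.0.10, and the names STATIC-NAT-NOT-VPN and NO-NAT-VPN are assumptions made for the example.

```cisco
! Added example, not config from the thread.
! Assumed: local LAN 10.0.0.0/24, remote VPN LAN 10.45.131.0/24 (assumed),
! inside global address 172.16.0.64 (from the question),
! inside web server 10.0.0.10 (placeholder).

! 1. ACL: deny LAN <-> VPN traffic, permit everything else.
!    The route-map only "matches" for non-VPN traffic, so the static
!    entry is never applied to packets that belong inside the tunnel.
ip access-list extended STATIC-NAT-NOT-VPN
 deny   ip 10.0.0.0 0.0.0.255 10.45.131.0 0.0.0.255
 permit ip any any

route-map NO-NAT-VPN permit 10
 match ip address STATIC-NAT-NOT-VPN

! 2. The port forward with the route-map attached (same shape as the
!    "ip nat inside source static tcp ... route-map xxx" line above).
ip nat inside source static tcp 10.0.0.10 80 172.16.0.64 80 route-map NO-NAT-VPN

! 3. The deny line must agree with the crypto ACL that defines the tunnel;
!    if the VPN subnet changes in one place, change it in the other too.
end

! Verification after the change (exec mode): existing translations are
! not re-evaluated, so flush them, then repeat the telnet test.
! clear ip nat translation *
! show ip nat translations | include 10.45.131.
```

After clearing the translation table and repeating the telnet from a 10.0.0.x host to 10.45.131.23 port 80, the entry with 10.45.131.23 as inside local (the one shown in the question) should no longer appear; the port forward itself keeps working for connections arriving from the Internet, because those do not match the deny line.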

jesper_petersen Fri, 06/18/2010 - 04:19

kwu2 wrote:


You can try to add a route-map which will deny all VPN related traffic on all static nat entries.

ip nat inside source static tcp 1.1.1.1 80 2.2.2.2 80 route-map xxx


By the way, it seems your VPN config is incomplete. I did not see a pre-shared key and peer IP configured.


Hi kwu2


Just wanted to thank you. You were correct.


And for others in the same situation, here is a link to a blog that describes the problem and fix.


http://www.ciskoblog.com/2008/02/static-nat-inac.html
