Thank you in advance for any help you can provide.
I have a server with an IP address of 192.168.1.9 that needs to access a remote subnet of 192.168.50.0/24, across the Internet. However, before the server can access the remote subnet, the server's IP address needs to be NAT'ed to 10.1.0.1 because the remote VPN gateway (which is not under my control) provides access to other clients that have the same subnet addressing that we do on our LAN.
We have a Cisco 2801 (running c2801-advsecurityk9-mz.124-15.T9.bin) configured to do the NAT. This is the only gateway on our network.
I have configured the Cisco 2801 with the following NAT statements and relevant access lists:
access-list 106 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255
ip access-list extended NAT
deny ip host 192.168.1.9 192.168.50.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
route-map ISP permit 10
match ip address NAT
ip nat pool EMDVPN 10.1.0.1 10.1.0.1 netmask 255.255.255.0
ip nat inside source list 106 pool EMDVPN
ip nat inside source route-map ISP interface FastEthernet0/1 overload
When the server (192.168.1.9) attempts to ping devices on the 192.168.50.0/24 subnet, the VPN tunnel is successfully established. However, after that, the server is no longer able to access the Internet because the NAT translation for 192.168.1.9 has changed from the external IP of the router (FastEthernet0/1) to 10.1.0.1.
The documentation I've seen on Cisco's site tells me that this type of configuration only allows for host to subnet communication. Internet access is not possible. However, perhaps I've missed something or one of you experts can enlighten me. Is there any way to configure the router to NAT the traffic destined for the VPN tunnel and still access the Internet using the dynamic NAT on FastEthernet0/1?
Again, thank you for any help you can give.
Glad i could help you...
The overload statement you used earlier looks good to me. Whenever you make changes in NAT rules be sure of clearing the nat translations for the ip address/subnet for which rule is defined on router to ensure router creates the correct translation considering all ip nat rules configured on the device. So, when you took your statement off and put mine in. Router created a new translation for the host ip which was correct this time. You can either use a router map or you can make an acl for NAT overload. Both works. I prefer using an ACL than a route map for overload statement.
When i started playing with NAT on routers trust me i had a bad time too understanding the NAT Order of operation. Here is what i followed to make things more clear for myself. I did plenty of lab recreates and played with multiple keywords within the NAT statements on router. For instance " extendable'.
Below are some documents i used when i started with (and to be honest i still refer them whenever it is required), they might help you too in future.
Beginner's guide for NAT
NAT order of operation
Route maps with Static Translations
Hope this helps...
P.S : For all users whenever you post your questions and the solution given to you works, please make sure you rate it. That helps other users with same query to get their answers in less time rather posting a new thread for same thing and waiting for answers. This saves time for both author and the person who replies to it.
Instead of using a pool for NAT
192.168.1.9 -- 10.1.0.1 >> 192.168.50.x
acl 102 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255
route-map RM-STATIC-NAT permit 10
match ip address 102
ip nat inside source static 192.168.1.9 10.1.0.1 route-map RM-STATIC-NAT extendable
acl 101 deny ip host 192.168.1.9 192.168.50.0 0.0.0.255
acl 101 per ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/1 overload
***VPN access-list will use the source as 10.1.0.1...***
Lemme know if this works.