site to site vpn cisco1811

Answered Question
Apr 12th, 2010

Hi all,

Below is my site-to-site VPN configuration on a Cisco 1811. It seems that NAT exemption is not configured, but my VPN still works. Can you advise how I can configure NAT exemption? Thanks in advance.

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxx address 11.x.x.x
crypto isakmp key xxxxxx address 11.x.x.x
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map test 50 ipsec-isakmp
set peer 11.x.x.x
set security-association lifetime seconds 28800
set transform-set test
set pfs group2
match address testing
!
!
!
!
interface FastEthernet0
description :: connection to Public Internet
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map hp
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description :: Local LAN subnet
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet0 overload
!
ip access-list extended testing
permit ip x.x.x.0 0.0.0.255 x.0.0.0 0.255.255.255
permit ip x.x.x.0 0.0.0.255 x.0.0.0 0.255.255.255
!
logging trap debugging
access-list 10 permit x.x.x.x
access-list 101 permit ip x.x.x.0 0.0.0.255 x.x.x.x 0.0.0.3

Correct Answer by Jennifer Halim about 6 years 9 months ago

You are absolutely correct on your understanding.

Jennifer Halim Mon, 04/12/2010 - 02:49

You would need to configure a deny statement between the site-to-site VPN LANs on ACL 101 for NAT exemption:

ip access-list extended 101
 1 deny ip x.x.x.0 0.0.0.255 x.0.0.0 0.255.255.255

donnie Mon, 04/12/2010 - 19:44

Hi halijenn,

Is there any command for NAT exemption on the Cisco 1800 series?

In the ASA we can use "nat 0".

Thanks in advance.

Jennifer Halim Mon, 04/12/2010 - 19:51

Yes, it would be the "deny" statement advised earlier. Just make sure that the "deny" access-list entry comes before the "permit" access-list entry for your NAT statement.

donnie Tue, 04/20/2010 - 00:25

Hi Halijenn,

My apologies for the late reply, as I was away for reservist duty and had no access to the internet. Could you explain why the deny statement would enable NAT exemption? Thanks in advance.

donnie Tue, 04/20/2010 - 02:33

Hi Halijenn,

Thank you very much. Can I confirm whether my understanding below is correct?

Hence what the configuration below does is that it only does NAT when 10.2.2.0/24 tries to access anywhere other than 10.1.1.0/24.

Hence when 10.2.2.0/24 tries to access 10.1.1.0/24, NAT is exempted.

ip nat inside source route-map nonat pool branch overload

access-list 130 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 10.2.2.0 0.0.0.255 any
route-map nonat permit 10
match ip address 130

Hence instead of using a route-map, I can use an access list as shown below, right?

"ip nat inside source list 130 interface ethernet0 overload"
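Added example (not from this thread, and not Cisco's code): a small Python model of how IOS evaluates the access list referenced by "ip nat inside source list ..." top-down, stopping at the first matching entry, with an implicit deny at the end. That first-match rule is why the "deny" entry between the VPN LANs must sit above the "permit ... any" entry, and why ACL 130 behaves the same whether it is referenced directly or through a route-map whose only clause is "match ip address 130". The 10.2.2.0/24 and 10.1.1.0/24 prefixes come from the last post above; 192.0.2.0/30 and 203.0.113.5 are constructed stand-ins for the obscured x.x.x.x values. The third ACL mirrors the original ACL 101, whose only permit points at a /30 destination: any flow toward another destination falls through to the implicit deny and is never translated, which is consistent with the VPN working before an explicit deny was added. One further check on the first post: the crypto map is defined as "test" but FastEthernet0 applies "crypto map hp"; the model assumes the names actually match on the router.

```python
import ipaddress

# Constructed sample ACLs (IOS numbered-ACL syntax). 10.2.2.0/24 is the local
# LAN, 10.1.1.0/24 the remote VPN LAN, as in the last post of the thread.

# Deny toward the VPN LAN placed ABOVE the overload permit: VPN traffic is exempt.
NAT_ACL_CORRECT = """
access-list 130 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 10.2.2.0 0.0.0.255 any
"""

# Same two entries in the wrong order: the permit matches first, the deny is dead.
NAT_ACL_WRONG_ORDER = """
access-list 130 permit ip 10.2.2.0 0.0.0.255 any
access-list 130 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

# Shape of the original ACL 101: only one /30 destination is ever translated
# (192.0.2.0/30 is a constructed stand-in for the obscured x.x.x.x 0.0.0.3).
NAT_ACL_ORIGINAL = """
access-list 101 permit ip 10.2.2.0 0.0.0.255 192.0.2.0 0.0.0.3
"""


def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted subnet masks: 0.0.0.255 -> /24.
    Non-contiguous wildcards are not modelled; IPv4Network rejects them."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_addr(tokens, i):
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Turn 'access-list N permit|deny ip SRC SWC DST DWC' lines into entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue  # blank line or something this toy parser does not cover
        action = t[2]
        if t[3] != "ip":
            raise ValueError("only 'ip' entries are modelled: " + line)
        src, i = parse_addr(t, 4)
        dst, _ = parse_addr(t, i)
        entries.append((action, src, dst))
    return entries


def acl_permits(entries, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end, as IOS does."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action == "permit"
    return False


def will_be_natted(acl_text, src_ip, dst_ip):
    """'ip nat inside source list N ...' translates a flow only if the ACL permits it.
    A route-map whose single clause is 'match ip address N' yields the same answer."""
    return acl_permits(parse_acl(acl_text), src_ip, dst_ip)


def nat_decisions(acl_text, flows):
    """Map each (src, dst) flow to True (translated) or False (left untranslated)."""
    return {flow: will_be_natted(acl_text, *flow) for flow in flows}


FLOWS = [
    ("10.2.2.10", "10.1.1.20"),   # local LAN -> remote VPN LAN
    ("10.2.2.10", "203.0.113.5"), # local LAN -> internet host (constructed)
    ("10.2.2.10", "192.0.2.1"),   # local LAN -> the /30 the original ACL permits
]

if __name__ == "__main__":
    for name, acl in (("deny above permit", NAT_ACL_CORRECT),
                      ("deny below permit", NAT_ACL_WRONG_ORDER),
                      ("original ACL 101", NAT_ACL_ORIGINAL)):
        print(name)
        for (src, dst), natted in nat_decisions(acl, FLOWS).items():
            verdict = "translated" if natted else "exempt (enters the tunnel untranslated)"
            print(f"  {src} -> {dst}: {verdict}")
```

With the deny above the permit, the flow to 10.1.1.20 reaches the crypto map with its real 10.2.2.10 source and matches the crypto ACL; with the order reversed it is translated to the FastEthernet0 address first, no longer matches the crypto ACL, and never enters the tunnel. The same function answers the route-map question: "match ip address 130" inside "route-map nonat permit 10" consults the same ACL, so the NAT decision is identical to referencing ACL 130 directly.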
