NAT 0 Question?

Answered Question
Jun 30th, 2010

Hello All,

I have a 2851 Router. I am in the process of setting up a VPN. I have already created the ACL for my VPN interesting traffic but need to know how to disable NAT for my traffic going across the site-to-site VPN?

Correct Answer by John Blakley about 6 years 5 months ago

In the ACL that you're using for NATting, deny the subnets that you're pushing across the VPN.

Suppose you have 192.168.1.0/24 and 192.168.2.0/24 on the other side. You want to NAT 192.168.1.0 when it goes to the internet, but you don't want to NAT across the tunnel.

ip nat inside source route-map NAT interface s0/0
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
route-map NAT permit 5
 match ip address 100

HTH,

John
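To make the ACL logic in John's answer (and the rule Edison states, that only traffic the NAT ACL permits is a translation candidate) concrete, here is an added example that is not part of the original thread. It parses extended IP ACL lines of the form `access-list N permit|deny ip <src> <dst>` (with `any`, `host A.B.C.D`, or `A.B.C.D wildcard` address specs), applies Cisco first-match semantics with the implicit deny at the end, and decides whether a given inside-to-outside flow would be handed to NAT. It also flags ACL entries that are shadowed by an earlier broader entry, which is the classic mistake of putting `permit ip any any` above the VPN `deny`. The ACL text and the sample addresses (203.0.113.5 is a documentation address) are constructed for the example; the parser handles protocol `ip` only, no ports.

```python
import ipaddress

# Constructed sample: the NAT ACL from the answer above, in IOS syntax.
NAT_ACL_CONFIG = """\
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
"""

# Same two lines in the wrong order: the permit shadows the deny, so VPN
# traffic would be NATted and the tunnel would never see it.
BROKEN_ACL_CONFIG = """\
access-list 100 permit ip any any
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

ALL_ONES = 0xFFFFFFFF


def _parse_addr(tokens):
    """Consume one ACL address spec from the token list.

    Accepts 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (Cisco wildcard mask,
    where a 1 bit means 'don't care'). Returns ((network, care_mask), rest),
    with care_mask being the bits that must match, i.e. the inverted wildcard.
    """
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), ALL_ONES), tokens[2:]
    network = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return (network, ALL_ONES ^ wildcard), tokens[2:]


def parse_acl_entries(config_text):
    """Parse 'access-list <n> permit|deny ip <src> <dst>' lines into a list of
    (action, (src_net, src_care), (dst_net, dst_care)) tuples, in order.
    Lines that are not extended IP ACL entries for protocol 'ip' are skipped."""
    entries = []
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        action = tokens[2]
        src, rest = _parse_addr(tokens[4:])
        dst, _rest = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries


def _matches(addr, spec):
    network, care = spec
    return (addr & care) == (network & care)


def nat_decision(entries, src, dst):
    """First-match evaluation of the NAT ACL for an inside-to-outside packet.
    Returns 'permit' (translate) or 'deny' (leave untranslated). A packet that
    matches no entry hits the implicit deny at the end of every IOS ACL."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for action, src_spec, dst_spec in entries:
        if _matches(s, src_spec) and _matches(d, dst_spec):
            return action
    return "deny"


def is_translated(entries, src, dst):
    """True if this flow is a NAT candidate (i.e. the ACL permits it)."""
    return nat_decision(entries, src, dst) == "permit"


def _covers(outer, inner):
    """True if every address matched by 'inner' is also matched by 'outer'."""
    o_net, o_care = outer
    i_net, i_care = inner
    return (o_care & i_care) == o_care and (o_net & o_care) == (i_net & o_care)


def shadowed_entries(entries):
    """Indices of entries that can never match because an earlier entry
    already matches everything they would match (ordering mistake check)."""
    shadowed = []
    for j, (_, j_src, j_dst) in enumerate(entries):
        for i in range(j):
            _, i_src, i_dst = entries[i]
            if _covers(i_src, j_src) and _covers(i_dst, j_dst):
                shadowed.append(j)
                break
    return shadowed


ENTRIES = parse_acl_entries(NAT_ACL_CONFIG)
BROKEN_ENTRIES = parse_acl_entries(BROKEN_ACL_CONFIG)

if __name__ == "__main__":
    print("LAN -> internet translated:", is_translated(ENTRIES, "192.168.1.10", "203.0.113.5"))
    print("LAN -> remote LAN translated:", is_translated(ENTRIES, "192.168.1.10", "192.168.2.20"))
    print("shadowed entries (good ACL):", shadowed_entries(ENTRIES))
    print("shadowed entries (broken ACL):", shadowed_entries(BROKEN_ENTRIES))
```

The model only covers the inside-to-outside direction, which is where IOS consults the `ip nat inside source` ACL; return traffic is handled from the translation table, not by re-evaluating the ACL.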

Correct Answer by Edison Ortiz about 6 years 5 months ago

Only traffic included on the ACL will be a candidate for NAT.

If you don't want some flows to be NAT'd, don't include them on the NAT ACL.

NAT 0 on the FW is for NAT exception. Not needed on Cisco IOS, as traffic not included on the NAT ACL has an exception by default.

Regards,

Edison

Correct Answer by Edison Ortiz about 6 years 5 months ago

Don't include that traffic on the ACL
