NAT 0 Question?

Answered Question
Jun 30th, 2010

Hello All,

I have a 2851 Router. I am in the process of setting up a VPN. I have already created the ACL for my VPN interesting traffic but need to know how to disable NAT for my traffic going across the site-to-site VPN?


Correct Answer
Edison Ortiz Wed, 06/30/2010 - 09:58
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame, Founding Member

Don't include that traffic on the ACL

Correct Answer
Edison Ortiz Wed, 06/30/2010 - 10:23
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame, Founding Member

Only traffic included on the ACL will be candidate for NAT.

If you don't want some flows to be NAT'd, don't include them on the NAT ACL.


NAT 0 in the FW is for NAT exception. Not needed on Cisco IOS as traffic not included on the NAT ACL has an exception by default.


Regards,


Edison

Correct Answer
John Blakley Wed, 06/30/2010 - 10:23
User Badges:
  • Purple, 4500 points or more

In the acl that you're using for natting, deny the subnets that you're pushing across the vpn.


Suppose you have 192.168.1.0/24 and 192.168.2.0/24 on the other side. You want to nat 192.168.1.0 when it goes to the internet, but you don't want to nat across the tunnel.


ip nat inside source route-map NAT interface s0/0

access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any

route-map NAT permit 5
 match ip address 100



HTH,

John
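The two answers above rest on one rule: a NAT ACL is evaluated top-down, first match wins, and anything that falls through to the implicit deny is simply not translated. The following is an added example, not code from this thread or from Cisco; every function name in it is a hypothetical helper. It models that evaluation for `access-list N permit|deny ip SRC DST` lines (`any`, `host`, and contiguous wildcard masks), checks a single flow and a whole VPN subnet pair against John's ACL, and also shows what happens when the `deny` is placed after `permit ip any any`, the ordering mistake that silently sends tunnel traffic through NAT. It does not model the route-map sequence or the `overload` keyword.

```python
"""Evaluate a Cisco IOS NAT access-list the way the router does (first match,
wildcard masks, implicit deny) to confirm VPN traffic stays untranslated.
Added example: not from the thread; helper names are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, mirroring the ACL posted in the thread above.
NAT_ACL_CONFIG = """
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any
"""

# Constructed: the same two lines in the wrong order.
MISORDERED_ACL_CONFIG = """
access-list 100 permit ip any any
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _wildcard_to_prefixlen(wildcard: str) -> int:
    """IOS wildcard (inverse mask) -> prefix length; 0.0.0.255 -> 24, 0.0.0.0 -> 32."""
    bits = int(ipaddress.IPv4Address(wildcard))
    host_bits = bits.bit_length()
    if bits != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard not supported: {wildcard}")
    return 32 - host_bits


def _parse_address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    prefixlen = _wildcard_to_prefixlen(tokens[1])
    return ipaddress.ip_network(f"{tokens[0]}/{prefixlen}", strict=False), tokens[2:]


def parse_acl(config: str) -> List[Ace]:
    """Parse 'access-list N permit|deny ip SRC DST' lines; other lines are ignored."""
    aces = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        src, rest = _parse_address(tokens[4:])
        dst, _ = _parse_address(rest)
        aces.append(Ace(tokens[2], src, dst))
    return aces


def would_nat(aces: List[Ace], src_ip: str, dst_ip: str) -> bool:
    """True if the flow hits a permit entry (NAT candidate). First match wins;
    falling off the end is the implicit deny, i.e. not translated."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for ace in aces:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


def vpn_pair_verdict(aces: List[Ace], src_net: str, dst_net: str) -> str:
    """Classify a whole VPN subnet pair: 'exempt' if the first matching entry is a
    deny covering the entire pair (or nothing matches), 'translated' if it is a
    permit covering the pair, 'review' if the first overlap only covers part."""
    s = ipaddress.ip_network(src_net)
    d = ipaddress.ip_network(dst_net)
    for ace in aces:
        if not (s.overlaps(ace.src) and d.overlaps(ace.dst)):
            continue
        if not (s.subnet_of(ace.src) and d.subnet_of(ace.dst)):
            return "review"
        return "exempt" if ace.action == "deny" else "translated"
    return "exempt"


if __name__ == "__main__":
    for name, cfg in (("correct", NAT_ACL_CONFIG), ("misordered", MISORDERED_ACL_CONFIG)):
        aces = parse_acl(cfg)
        print(name, "tunnel flow NATed:", would_nat(aces, "192.168.1.10", "192.168.2.20"),
              "| internet flow NATed:", would_nat(aces, "192.168.1.10", "203.0.113.5"),
              "| pair verdict:", vpn_pair_verdict(aces, "192.168.1.0/24", "192.168.2.0/24"))
```

Run it against a copy of the router's NAT ACL before bringing the tunnel up: the correct ordering reports the 192.168.1.0/24 to 192.168.2.0/24 pair as exempt while the internet-bound flow is still translated, and the misordered copy reports the pair as translated, which is the symptom behind most "my VPN comes up but nothing passes" tickets.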
