Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
648
Views
0
Helpful
6
Replies

NAT 0 Question?

Go to solution
Charlie Mayes
Level 1
Level 1

‎06-30-2010 09:54 AM - edited ‎03-04-2019 08:56 AM

                        Hello All,

                                    I have a 2851 Router. I am in the process of setting up a VPN. I have already created the ACL for my VPN interetsting traffic but, need to know how to disable NAT for my traffic going accross the site to site VPN?

Labels:
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame

‎06-30-2010 09:58 AM

Don't include that traffic on the ACL

View solution in original post

0 Helpful

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame
In response to Charlie Mayes

‎06-30-2010 10:23 AM

Only traffic included on the ACL will be candidate for NAT.

If you don't want some flows to be NAT'd, don't include them on the NAT ACL.

NAT 0 is FW is for NAT exception. Not needed on Cisco IOS as traffic not included on the NAT ACL has an exception by default.

Regards,

Edison

View solution in original post

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to Charlie Mayes

‎06-30-2010 10:23 AM

In the acl that you're using for natting, deny the subnets that you're pushing across the vpn.

Suppose you have 192.168.1.0/24 and 192.168.2.0/24 on the other side. You want to nat 192.168.1.0 when it goes to the internet, but you don't want to nat across the tunnel.

ip nat insid source route-map NAT inte s0/0

access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 100 permit ip any any

route-map NAT permit 5

match ip address 100

HTH,

John

HTH, John *** Please rate all useful posts ***

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame

‎06-30-2010 09:58 AM

Don't include that traffic on the ACL

0 Helpful

Go to solution
Charlie Mayes
Level 1
Level 1
In response to Edison Ortiz

‎06-30-2010 10:02 AM

                     I don't understand?

0 Helpful

Go to solution
Edison Ortiz
Hall of Fame
Hall of Fame
In response to Charlie Mayes

‎06-30-2010 10:23 AM

Only traffic included on the ACL will be candidate for NAT.

If you don't want some flows to be NAT'd, don't include them on the NAT ACL.

NAT 0 is FW is for NAT exception. Not needed on Cisco IOS as traffic not included on the NAT ACL has an exception by default.

Regards,

Edison

0 Helpful

Go to solution
Charlie Mayes
Level 1
Level 1
In response to Edison Ortiz

‎06-30-2010 11:08 AM

                      Thanks Mr. Ortiz.

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to Charlie Mayes

‎06-30-2010 10:23 AM

In the acl that you're using for natting, deny the subnets that you're pushing across the vpn.

Suppose you have 192.168.1.0/24 and 192.168.2.0/24 on the other side. You want to nat 192.168.1.0 when it goes to the internet, but you don't want to nat across the tunnel.

ip nat insid source route-map NAT inte s0/0

access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 100 permit ip any any

route-map NAT permit 5

match ip address 100

HTH,

John

HTH, John *** Please rate all useful posts ***
0 Helpful

Go to solution
Charlie Mayes
Level 1
Level 1
In response to John Blakley

‎06-30-2010 11:08 AM

                     Thanks John.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card