vpn between asa and cisco 877 router

Unanswered Question
Apr 27th, 2012

hi,

i am trying to setup vpn between asa and cicso 877 router (in the pas i have setupo between asa and asa, pix and pix but not between asa and router)

I am confused with the nonat concept in cisco router (for vpn).  i mean why do you need a route-map and deny the traffic. could you throw some light on this ?

cisco link

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml#CLI1

Thanks

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
Marcin Latosiewicz Fri, 04/27/2012 - 09:51

Same as on ASA/PIX NAT is performed before encryption and after decryption.

How you will define traffic not to his NAT (or to hit it) is up to you, routing (VTI/GRE interface), access-list or route-map.

There is no concept of "no nat" on IOS routers.

M.

ROBERTO TACCON Fri, 04/27/2012 - 10:02

!

ip nat inside source route-map nonat interface FastEthernet0 overload

!

access-list 110 deny ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 110 permit ip 10.20.10.0 0.0.0.255 any

!

route-map nonat permit 10

match ip address 110

!

or better (if you have for example the IP public 1.2.3.5)

!

ip nat pool 1.2.3.5 1.2.3.5 1.2.3.5 prefix-length 30

!

ip nat inside source list nat-to-internet pool 1.2.3.5 overload

!

ip access-list extended nat-to-internet

deny   ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255

permit ip 10.20.10.0 0.0.0.255 any

deny   ip any any

!

Network Pro Sat, 04/28/2012 - 05:50

hi, thanks for this

what does this line do ?

ip nat inside source route-map nonat interface FastEthernet0 overload

Actions

Login or Register to take actions

This Discussion

Posted April 27, 2012 at 4:39 AM
Stats:
Replies:6 Avg. Rating:
Views:974 Votes:0
Shares:0
Categories: ASA
+

Related Content

Discussions Leaderboard