vpn between asa and cisco 877 router

Unanswered Question
Apr 27th, 2012
User Badges:

hi,


i am trying to setup vpn between asa and cicso 877 router (in the pas i have setupo between asa and asa, pix and pix but not between asa and router)


I am confused with the nonat concept in cisco router (for vpn).  i mean why do you need a route-map and deny the traffic. could you throw some light on this ?


cisco link


http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml#CLI1

Thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Marcin Latosiewicz Fri, 04/27/2012 - 09:51
User Badges:
  • Cisco Employee,

Same as on ASA/PIX NAT is performed before encryption and after decryption.


How you will define traffic not to his NAT (or to hit it) is up to you, routing (VTI/GRE interface), access-list or route-map.

There is no concept of "no nat" on IOS routers.


M.

ROBERTO TACCON Fri, 04/27/2012 - 10:02
User Badges:

!

ip nat inside source route-map nonat interface FastEthernet0 overload

!

access-list 110 deny ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 110 permit ip 10.20.10.0 0.0.0.255 any

!

route-map nonat permit 10

match ip address 110

!



or better (if you have for example the IP public 1.2.3.5)



!

ip nat pool 1.2.3.5 1.2.3.5 1.2.3.5 prefix-length 30

!

ip nat inside source list nat-to-internet pool 1.2.3.5 overload

!

ip access-list extended nat-to-internet

deny   ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255

permit ip 10.20.10.0 0.0.0.255 any

deny   ip any any

!

Network Pro Sat, 04/28/2012 - 05:50
User Badges:

hi, thanks for this


what does this line do ?


ip nat inside source route-map nonat interface FastEthernet0 overload

Actions

This Discussion

Related Content