NAT gets enabled when EZVPN reconnects

limbrickh
Level 1

We have a 1710 router that exists behind NAT. We don't want this router to perform NAT at all (our edge router performs NAT for us). We also have an EZVPN originating from this router to a remote router on the internet. Whenever the EZVPN renegotiates its SA, NAT gets enabled on the client router and we have to manually enter the commands:

conf t
interface ethernet 0
no ip nat outside
exit
interface fastethernet 0
no ip nat inside
exit
exit
clear ip nat translations forced

To clear all the translations. This lasts until the next time the VPN reconnects or the SA gets renegotiated.

The EZVPN is in 'network extension' mode.

Any ideas?

Thanks

3 Replies

jsivulka
Level 5

I'm afraid your question is not too clear. The documentation for the Cisco Easy VPN Remote Feature might help. It is located at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122y/122ya/122ya4/ftezvpcm.htm. Hope this helps.

Thanks for your reply but the documentation here says that NAT gets enabled if the EZVPN is in client mode but our EZVPN is in network extension mode. There is nothing in our config that mentions enabling NAT - we don't want this router to perform NAT but it gets enabled every time the EZVPN reconnects.

The config is:

!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname CHC4-RTR1
!
logging queue-limit 100
logging buffered 51200 debugging
!
memory-size iomem 25
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius local
aaa authorization network default group radius local
aaa authorization network xxx local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip tcp synwait-time 10
ip domain name xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
crypto ipsec security-association lifetime seconds 86400
!
!
!
!
crypto ipsec client ezvpn CentralNode
 connect auto
 group tmvpn key xxxxxxxxxxxxxx
 mode network-extension
 peer xxx.xxx.xxx.xxx
!
!
!
!
!
interface Loopback0
 ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface Ethernet0
 description DMZ Interface
 ip address xxx.xxx.xxx.xxx 255.255.255.0
 ip route-cache flow
 ip tcp adjust-mss 1375
 full-duplex
 crypto ipsec client ezvpn CentralNode
!
interface FastEthernet0
 description Internal Interface
 ip address xxx.xxx.xxx.xxx 255.255.0.0
 ip route-cache flow
 ip tcp adjust-mss 1375
 speed 100
 full-duplex
 crypto ipsec client ezvpn CentralNode inside
!
ip nat Stateful id 1
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0 xxx.xxx.xxx.xxx permanent
ip http server
ip http authentication local
ip http secure-server
!
dialer-list 1 protocol ip permit
!
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646
radius-server retransmit 2
radius-server authorization permit missing Service-Type
banner motd ^CWelcome^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
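The manual clean-up described in this thread (checking both interfaces for `ip nat inside` / `ip nat outside` after every EZVPN reconnect and removing them by hand) is the kind of thing worth scripting as a config audit. The following is an added example, not code from the original post or from Cisco: it parses an IOS-style running-config, reports every interface that carries a NAT role statement, lists global-mode `ip nat` lines (the posted config does contain `ip nat Stateful id 1`, which this script would surface; whether that line is related to the behaviour is not established in the thread), compares a captured config against a known-good baseline to spot NAT drift, and builds the corresponding `no ip nat ...` remediation commands. The sample config text, IP addresses and all function names are constructed for the example.

```python
"""Audit an IOS-style running-config for NAT statements that should not be there.

Added example (not from the forum post or from Cisco). Function names and the
embedded sample configs are constructed for illustration.
"""
import re

# Constructed baseline: the intended state, no NAT role on either interface.
BASELINE_CONFIG = """\
!
hostname CHC4-RTR1
!
interface Ethernet0
 description DMZ Interface
 ip address 192.0.2.10 255.255.255.0
 crypto ipsec client ezvpn CentralNode
!
interface FastEthernet0
 description Internal Interface
 ip address 10.0.0.1 255.255.0.0
 crypto ipsec client ezvpn CentralNode inside
!
ip nat Stateful id 1
ip classless
end
"""

# Constructed "after reconnect" capture: same config with NAT roles present.
AFTER_RECONNECT_CONFIG = BASELINE_CONFIG.replace(
    " crypto ipsec client ezvpn CentralNode\n",
    " ip nat outside\n crypto ipsec client ezvpn CentralNode\n",
).replace(
    " crypto ipsec client ezvpn CentralNode inside\n",
    " ip nat inside\n crypto ipsec client ezvpn CentralNode inside\n",
)


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [sub-commands]} from IOS config text.

    Sub-commands are the indented lines that follow an `interface X` line;
    a `!` separator or any unindented line ends the block.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
            continue
        if current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def find_interface_nat(config: str) -> list:
    """List (interface, command) for every `ip nat inside`/`ip nat outside`."""
    hits = []
    for name, cmds in parse_interfaces(config).items():
        for cmd in cmds:
            if cmd in ("ip nat inside", "ip nat outside"):
                hits.append((name, cmd))
    return hits


def find_global_nat(config: str) -> list:
    """Return global-mode (unindented) lines that start with `ip nat`."""
    return [l.rstrip() for l in config.splitlines() if re.match(r"ip nat\b", l)]


def nat_drift(baseline: str, current: str) -> list:
    """NAT statements present in `current` but absent from `baseline`."""
    before = set(find_interface_nat(baseline)) | set(find_global_nat(baseline))
    after = set(find_interface_nat(current)) | set(find_global_nat(current))
    return sorted(after - before, key=str)


def remediation_commands(config: str) -> list:
    """Build the configure-mode commands that remove every NAT statement found."""
    cmds = ["configure terminal"]
    for name, nat in find_interface_nat(config):
        cmds += [f"interface {name}", f"no {nat}", "exit"]
    for line in find_global_nat(config):
        cmds.append(f"no {line}")
    cmds += ["end", "clear ip nat translation forced"]
    return cmds


if __name__ == "__main__":
    print("NAT drift vs. baseline:", nat_drift(BASELINE_CONFIG, AFTER_RECONNECT_CONFIG))
    print("\n".join(remediation_commands(AFTER_RECONNECT_CONFIG)))
```

Feed `nat_drift` the archived config and a fresh `show running-config` capture after each reconnect; an empty result means the interfaces are still NAT-free, and a non-empty one gives you both the evidence and the exact commands to undo it.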

jkittle
Level 1

I'm having just the opposite problem. I have a Cisco 831 router set up at home (connecting to a VPN 3060 at the corporate office) - I want to be able to have certain IPs on the local subnet tunnel back to the office (which works by default with my ezvpn configuration - where all traffic tunnels back to corporate) - and the rest of the hosts NAT (straight out to the internet locally - not accessing corporate resources). The configuration is pretty simple - and works.. however - every time the tunnel goes down and back up, my ip nat inside and ip nat outside statements are REMOVED (opposite what you describe). When I enable the commands again "ip nat inside and ip nat outside" I get an error message about CNBAR... TAC has not been able to help me thus far - anybody know what CNBAR is / point me to some documentation?
