10-04-2005 08:11 AM - edited 03-09-2019 12:36 PM
hi,
I'm trying to configure a router-to-router IPsec tunnel but I don't understand what this command means:
"route-map nonat permit 10"
Can somebody explain it to me clearly?
Regards
10-04-2005 08:21 AM
It is there so that if you are performing split-tunneling, this is saying do not NAT out to the internet the access-list that you define. You would need to follow this command with a "match ip address
10-04-2005 08:31 AM
A VPN router very commonly acts as the internet router as well. With an internet router, you would normally NAT the LAN to a public IP for accessing the internet.
e.g.
interface Ethernet0
ip address
ip nat inside
interface Dialer0
ip address
ip nat outside
When configuring a LAN-to-LAN VPN, since the VPN is a secure connection between 2 private nets, the router shouldn't NAT/PAT any traffic destined for the remote peer's private net. In order to configure this, you need the commands below.
access-list 101 deny ip
access-list 101 permit ip
ip nat inside source route-map nonat interface Dialer0 overload
route-map nonat permit 10
match ip address 101
With the sample above:
"access-list 101 deny ip
"access-list 101 permit ip
"ip nat inside source route-map nonat interface Dialer0 overload" maps the route-map nonat to the interface Dialer0 for PAT
"route-map nonat permit 10
match ip address 101" maps ACL 101 to the route-map nonat, which in turn maps to the Dialer0 interface for PAT.
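The NAT decision the answer above describes, as an added worked example that is not part of the original thread: a small Python model of how IOS evaluates "ip nat inside source route-map nonat ..." with "route-map nonat permit 10 / match ip address 101". The thread's own addresses were stripped, so the local LAN (192.168.1.0/24), the remote VPN LAN (192.168.2.0/24) and the internet host are constructed sample values, and the ACL is assumed to be "deny local->remote, permit local->any" in that order. The model also shows the common failure mode of putting the permit line before the deny line, which silently PATs the VPN traffic and breaks the tunnel.

```python
"""Model of the IOS NAT exemption pattern from the thread:

    access-list 101 deny   ip <local LAN> <remote LAN>
    access-list 101 permit ip <local LAN> any
    ip nat inside source route-map nonat interface Dialer0 overload
    route-map nonat permit 10
     match ip address 101

Rule modelled: a packet is translated only if the route-map has a permit
clause whose ACL permits the flow. An ACL deny means "no match" for that
clause, and with no matching clause the packet bypasses NAT. All addresses
below are constructed for the example (the thread's were stripped).
"""
import ipaddress
from dataclasses import dataclass

LOCAL_LAN = ipaddress.ip_network("192.168.1.0/24")   # constructed: inside LAN
REMOTE_LAN = ipaddress.ip_network("192.168.2.0/24")  # constructed: VPN peer LAN
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class AclEntry:
    """One line of an extended ACL: action, source network, destination network."""
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# Correct order: the deny for VPN traffic must come before the general permit.
ACL_101 = [
    AclEntry("deny", LOCAL_LAN, REMOTE_LAN),
    AclEntry("permit", LOCAL_LAN, ANY),
]

# Misordered variant: the permit line shadows the deny, so VPN traffic gets PAT'd.
ACL_101_MISORDERED = [
    AclEntry("permit", LOCAL_LAN, ANY),
    AclEntry("deny", LOCAL_LAN, REMOTE_LAN),
]


def acl_permits(acl, src, dst):
    """First-match ACL evaluation; an implicit deny applies if nothing matches."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for entry in acl:
        if src_ip in entry.src and dst_ip in entry.dst:
            return entry.action == "permit"
    return False


def route_map_nonat_matches(src, dst, acl=ACL_101):
    """route-map nonat permit 10 / match ip address <acl>.

    The only clause is a permit, so the route-map matches exactly when the
    ACL permits the flow. A deny in the ACL does not "deny NAT" by itself;
    it just makes this clause not match, and no other clause exists.
    """
    return acl_permits(acl, src, dst)


def nat_decision(src, dst, acl=ACL_101):
    """Return 'translate' if the packet would be PAT'd to Dialer0, else 'bypass'."""
    return "translate" if route_map_nonat_matches(src, dst, acl) else "bypass"


if __name__ == "__main__":
    for label, dst in [("VPN peer LAN", "192.168.2.20"), ("internet host", "198.51.100.7")]:
        print(f"192.168.1.10 -> {dst} ({label}): {nat_decision('192.168.1.10', dst)}")
    print("misordered ACL, VPN traffic:",
          nat_decision("192.168.1.10", "192.168.2.20", ACL_101_MISORDERED))
```

Running the block prints "bypass" for traffic to the VPN peer LAN and "translate" for internet traffic with the correct ACL, and "translate" for VPN traffic with the misordered ACL, which is exactly the symptom seen when a LAN-to-LAN tunnel is up but no traffic flows through it.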