route-map command

dom.a
Level 1

hi,

I'm trying to configure a router-to-router IPsec tunnel, but I don't understand what this command means:

"route-map nonat permit 10"

Can somebody explain it to me clearly?

Regards

2 Accepted Solutions

froggy3132000
Level 3

It is there so that, if you are performing split-tunneling, it says: do not NAT out to the internet the access-list that you define. You would need to follow this command with a "match ip address ".

View solution in original post

jackko
Level 7

A VPN router very commonly also acts as the internet router. With an internet router, normally you would NAT the LAN to a public IP for accessing the internet.

e.g.

interface Ethernet0
 ip address
 ip nat inside
interface Dialer0
 ip address
 ip nat outside

When configuring a LAN-to-LAN VPN, since the VPN is a secure connection between 2 private nets, the router shouldn't NAT/PAT any traffic destined to the remote peer's private net. In order to configure this, you need the commands below.

access-list 101 deny ip
access-list 101 permit ip any
ip nat inside source route-map nonat interface Dialer0 overload
route-map nonat permit 10
 match ip address 101

With the sample above:

"access-list 101 deny ip " means the router will not NAT/PAT any traffic destined to the remote net.

"access-list 101 permit ip any" means the router will NAT/PAT all other traffic, e.g. internet.

"ip nat inside source route-map nonat interface Dialer0 overload" maps the route-map nonat to the interface Dialer0 for PAT.

"route-map nonat permit 10
 match ip address 101" maps ACL 101 to the route-map nonat, which in turn maps to the Dialer0 interface for PAT.

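To make the interaction of the three commands in the answer above concrete, here is an added Python model (not code from the thread or from Cisco) of how the deny/permit result of ACL 101 drives the route-map and therefore the NAT decision, including the ordering mistake of putting the permit first. The networks 10.1.1.0/24 (local LAN) and 10.2.2.0/24 (remote peer LAN) are constructed placeholders for the addresses the thread leaves out.

```python
import ipaddress

# Constructed sample networks (assumptions, not values from the thread).
LOCAL_LAN = ipaddress.ip_network("10.1.1.0/24")    # behind "ip nat inside"
REMOTE_LAN = ipaddress.ip_network("10.2.2.0/24")   # the VPN peer's private net
ANY = ipaddress.ip_network("0.0.0.0/0")

# Model of "access-list 101": (action, source, destination); first match wins.
ACL_101 = [
    ("deny",   LOCAL_LAN, REMOTE_LAN),   # traffic for the tunnel: exempt from NAT
    ("permit", LOCAL_LAN, ANY),          # everything else: internet traffic
]

# Same entries in the wrong order: the permit shadows the deny.
ACL_101_MISORDERED = list(reversed(ACL_101))


def acl_lookup(acl, src, dst):
    """Return the action of the first matching entry; an IOS ACL ends with an
    implicit deny, so a packet that matches nothing is denied."""
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action
    return "deny"


def route_map_nonat(acl, src, dst):
    """'route-map nonat permit 10' / 'match ip address 101'.
    The sequence matches only when the ACL permits the packet.  A deny in the
    ACL is "no match", and with no matching sequence the route-map selects no
    translation at all, which is exactly how the exemption works."""
    return acl_lookup(acl, src, dst) == "permit"


def nat_decision(src, dst, acl=ACL_101):
    """'ip nat inside source route-map nonat interface Dialer0 overload':
    PAT to the Dialer0 address only when the route-map matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return "pat-to-dialer0" if route_map_nonat(acl, src, dst) else "no-nat"


if __name__ == "__main__":
    for s, d in [("10.1.1.10", "10.2.2.20"), ("10.1.1.10", "203.0.113.5")]:
        print(f"{s} -> {d}: {nat_decision(s, d)}")
    print("misordered ACL, VPN traffic:",
          nat_decision("10.1.1.10", "10.2.2.20", ACL_101_MISORDERED))
```

The deny entry must come before the permit and should cover the same local/remote pair as the crypto ACL; otherwise VPN-bound traffic is translated and never matches the tunnel.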
