
New Member

Help me understand a NAT/VPN issue

Hello all,

I've stumbled upon something that I cannot explain and I could use some help in order to understand what is happening :)

The problem, as I see it, is as follows (in short terms):

My router seems to do NAT on the return packets on an incoming connection that arrives via the VPN connection. This only happens to packets that are using ports that I have forwarded using ip nat inside source static...

I am using nat exempt for the VPN connections. The NAT exempts are working just fine except when they seem to "collide" with port forwardings.

This translation entry is listed after I try to telnet from a 10.0.0.x host to 10.45.131.23 port 80:

Cisco_1811#sh ip nat t | inc 10.0.0.

tcp 172.16.0.64:80 10.45.131.23:80 10.0.0.6:1872 10.0.0.6:1872

How can I make the router not do NAT at all on the VPN connections?

I'm suspecting it's because I'm using route-map instead of lists in the NAT overload statement.

P.S.

The router has 172.16.0.64 as its "public" ip and the config is attached to this message.

  • LAN Switching and Routing
1 ACCEPTED SOLUTION

Accepted Solutions

Re: Help me understand a NAT/VPN issue

You can try to add a route-map which will deny all VPN related traffic on all static nat entries.

ip nat inside source static tcp 1.1.1.1 80 2.2.2.2 80 route-map xxx

By the way, it seems your VPN config is incomplete. I did not see a pre-shared key and peer IP configured.

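As an added, constructed illustration of the route-map approach kwu2 describes (this is not the poster's attached config and not from the original thread): the router keeps the port forward for Internet clients but skips it for traffic between the local LAN and the remote VPN network. The ACL and route-map names, the local LAN 10.0.0.0/24, the remote VPN LAN 10.45.131.0/24 and the forwarded web server 10.0.0.10 are all assumptions; only the public address 172.16.0.64 comes from the original post.

```cisco
! Constructed example, not the poster's configuration. Assumed addressing:
!   local LAN        10.0.0.0/24
!   remote VPN LAN   10.45.131.0/24
!   public address   172.16.0.64   (from the original post)
!   web server       10.0.0.10     (assumed host behind the port forward)
!
! ACL consulted by the route-map. A "deny" here means "no match", so the
! static NAT entry is NOT applied to LAN -> VPN traffic; everything else
! from the LAN still matches and is translated as before.
ip access-list extended NO-NAT-VPN
 deny   ip 10.0.0.0 0.0.0.255 10.45.131.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
!
! Route-map evaluated by the static entry: only traffic permitted by the
! ACL (i.e. not bound for the VPN peer network) is eligible for translation.
route-map STATIC-NAT-NOVPN permit 10
 match ip address NO-NAT-VPN
!
! Port forward for the internal web server, now conditioned on the route-map.
! Same form as the reply above: ... static tcp <inside> 80 <public> 80 route-map <name>
ip nat inside source static tcp 10.0.0.10 80 172.16.0.64 80 route-map STATIC-NAT-NOVPN
!
! Verification (constructed, shown as comments):
!   clear ip nat translation *          <- drops the stale entry; interrupts live sessions
!   show ip nat translations | include 10.0.0.
!   show route-map STATIC-NAT-NOVPN     <- confirms the match counters increment
```

After applying it, clear the stale translation and repeat the telnet test from the 10.0.0.x host; the output of `show ip nat translations | include 10.0.0.` should no longer contain an entry pairing 172.16.0.64:80 with the VPN peer. Note that `clear ip nat translation *` drops every active translation, so run it in a maintenance window on a busy router. The same ACL can be referenced by any other static entries that share the port-forward pattern from the original post.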
2 REPLIES

New Member

Re: Help me understand a NAT/VPN issue

kwu2 wrote:

You can try to add a route-map which will deny all VPN related traffic on all static nat entries.

ip nat inside source static tcp 1.1.1.1 80 2.2.2.2 80 route-map xxx

By the way, it seems your VPN config is incomplete. I did not see a pre-shared key and peer IP configured.


Hi kwu2

Just wanted to thank you. You were correct.

And for others in the same situation, here is a link to a blog that describes the problem and fix.

http://www.ciskoblog.com/2008/02/static-nat-inac.html
