Static NATS, VPN + Routemap

tiangcheng (Level 1)

Hi,

We have a head office router configured with a static nat 192.168.1.1:3389 from WANip:3389, and a VPN connection to a remote site.

From the remote site, we cannot access 192.168.1.1:3389, because the head office router will NAT out that outbound traffic.

I've read that route-maps will do the trick, but our route-map ACL skipstaticNAT doesn't seem to be picking up the traffic.

Attached is the relevant config for the router.

Thank you,

Tiang

4 Replies

kerek (Level 4)

Hi,

Let's configure something like this on the head office router:

ip nat inside source route-map nonat interface WAN overload

route-map nonat permit 10
 match ip address 110

access-list 110 deny tcp host 192.168.1.1 eq 3389 remote networks
access-list 110 permit ip 192.168.1.0 0.0.0.255 any

So the NAT won't be applied to the traffic from 192.168.1.1:3389 to any remote subnet, but will be applied to any other traffic.

You can still use the static NAT for 192.168.1.1:3389 from WANip:3389 because these two can work together (I think).

Hope it helps, rate if it does.

Krisztian

Thanks for your reply.

That config is already in the router.

192.168.13.x is the local network. The service is on 192.168.13.13:3389.

192.168.15.x is the remote site network.

ip nat inside source route-map nat_eligible interface FastEthernet0/0 overload

route-map nat_eligible_dialer permit 10
 match ip address vpn-BypassNAT
 match interface Dialer1

ip access-list extended vpn-BypassNAT
 deny ip 192.168.13.0 0.0.0.255 192.168.15.0 0.0.0.255
 permit ip host 192.168.14.9 any
 permit ip 192.168.13.0 0.0.0.255 any
 permit ip 192.168.50.64 0.0.0.7 any
 permit ip 192.168.50.0 0.0.0.255 host 61.88.166.3
 permit ip 192.168.50.0 0.0.0.255 host 61.88.166.5
 permit ip 192.168.14.64 0.0.0.7 any
 permit ip host 192.168.14.1 any
 permit ip host 192.168.100.1 any
 permit ip host 192.168.50.9 any
 permit ip 192.168.14.0 0.0.0.255 any log

Not sure if this will work but did you try this.

route-map nat_eligible_dialer deny 10
 match ip address vpn-BypassNAT
 match interface Dialer1

route-map nat_eligible_dialer permit 20
 match ip address vpn-NAT
 match interface Dialer1

ip access-list extended vpn-BypassNAT
 deny ip 192.168.13.0 0.0.0.255 192.168.15.0 0.0.0.255

ip access-list extended vpn-NAT
 permit ip host 192.168.14.9 any
 permit ip 192.168.13.0 0.0.0.255 any
 permit ip 192.168.50.64 0.0.0.7 any
 permit ip 192.168.50.0 0.0.0.255 host 61.88.166.3
 permit ip 192.168.50.0 0.0.0.255 host 61.88.166.5
 permit ip 192.168.14.64 0.0.0.7 any
 permit ip host 192.168.14.1 any
 permit ip host 192.168.100.1 any
 permit ip host 192.168.50.9 any
 permit ip 192.168.14.0 0.0.0.255 any log
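Both answers in this thread rely on the same IOS rule: a packet is only translated by an `ip nat inside source route-map ... overload` statement if some route-map sequence matches it, and a `match ip address` clause only matches when the referenced ACL *permits* the packet (an ACL `deny`, or the ACL's implicit deny, is "no match" for that sequence, not a route-map deny). The script below is an added example written for this thread, not a Cisco tool or any poster's code: it models that rule and runs the three route-map variants from the thread (the original poster's single `permit 10`, the accepted `deny 10`/`permit 20` answer, and Krisztian's ACL 110) against two constructed flows from the RDP server. Assumptions: the server is 192.168.13.13 and the remote site is 192.168.15.0/24 as stated later in the thread (Krisztian's `remote networks` placeholder is filled with that), the ACLs are reduced to the entries that concern 192.168.13.0/24, and VPN-bound traffic leaves via Dialer1 so that `match interface Dialer1` is satisfied. It models only the dynamic overload decision; a static translation such as the `WANip:3389` mapping in the question is installed by its own `ip nat inside source static` statement and is not governed by the overload statement's route-map, so exempting a flow here does not by itself stop the static entry from translating it.

```python
"""Model of how a Cisco IOS NAT route-map decides whether to translate a flow.
Added example for this forum thread; not Cisco code and not any poster's code.
Semantics modelled (classic IOS NAT):
  * extended ACL: first matching ACE wins, no match = implicit deny
  * route-map sequence matches only if every `match` clause matches;
    `match ip address` matches only when the ACL permits the packet
  * `match interface` compares against the packet's egress interface
  * matching `permit` sequence => translate; matching `deny` sequence or
    falling off the end of the route-map => do not translate
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network


def net(cidr: str) -> IPv4Net:
    return ipaddress.ip_network(cidr, strict=False)


ANY = net("0.0.0.0/0")


@dataclass
class Ace:
    action: str                    # "permit" | "deny"
    proto: str                     # "ip" | "tcp"
    src: IPv4Net
    dst: IPv4Net
    sport: Optional[int] = None    # "eq <port>" on the source (tcp only), None if absent


@dataclass
class Seq:
    action: str                    # route-map "permit" | "deny"
    acl: list                      # ACEs of the ACL named in `match ip address`
    egress: Optional[str] = None   # `match interface`, None if the clause is absent


def acl_permits(acl, src, dst, proto, sport):
    """True if the first ACE matching the packet is a permit; implicit deny otherwise."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        return ace.action == "permit"
    return False


def translated(route_map, src, dst, egress, proto="tcp", sport=None):
    """True if the overload statement using this route-map translates the flow."""
    for seq in route_map:
        if seq.egress is not None and seq.egress != egress:
            continue                      # `match interface` failed
        if not acl_permits(seq.acl, src, dst, proto, sport):
            continue                      # ACL deny / no hit: sequence does not match
        return seq.action == "permit"
    return False                          # implicit deny at the end of the route-map


# --- variant 1: the original poster's config (ACL reduced to the 192.168.13.0/24 lines)
VPN_BYPASS_NAT_OP = [
    Ace("deny", "ip", net("192.168.13.0/24"), net("192.168.15.0/24")),
    Ace("permit", "ip", net("192.168.13.0/24"), ANY),
]
OP_ROUTE_MAP = [Seq("permit", VPN_BYPASS_NAT_OP, "Dialer1")]

# --- variant 2: the accepted answer (bypass ACL keeps only its deny, permits move to vpn-NAT)
VPN_BYPASS_NAT_ACCEPTED = [Ace("deny", "ip", net("192.168.13.0/24"), net("192.168.15.0/24"))]
VPN_NAT = [Ace("permit", "ip", net("192.168.13.0/24"), ANY)]
ACCEPTED_ROUTE_MAP = [
    Seq("deny", VPN_BYPASS_NAT_ACCEPTED, "Dialer1"),
    Seq("permit", VPN_NAT, "Dialer1"),
]

# --- variant 3: Krisztian's ACL 110; "remote networks" filled with 192.168.15.0/24
#     and the server with 192.168.13.13 from later in the thread (assumption)
ACL_110 = [
    Ace("deny", "tcp", net("192.168.13.13/32"), net("192.168.15.0/24"), sport=3389),
    Ace("permit", "ip", net("192.168.13.0/24"), ANY),
]
KRISZTIAN_ROUTE_MAP = [Seq("permit", ACL_110)]

# constructed sample flows: RDP server replies to the remote site and to the internet
RDP_TO_REMOTE = dict(src="192.168.13.13", dst="192.168.15.20", egress="Dialer1", sport=3389)
RDP_TO_INTERNET = dict(src="192.168.13.13", dst="198.51.100.7", egress="Dialer1", sport=3389)


def compare():
    """{variant: (VPN-bound RDP translated?, internet-bound RDP translated?)}"""
    variants = {"op": OP_ROUTE_MAP, "accepted": ACCEPTED_ROUTE_MAP, "krisztian": KRISZTIAN_ROUTE_MAP}
    return {name: (translated(rm, **RDP_TO_REMOTE), translated(rm, **RDP_TO_INTERNET))
            for name, rm in variants.items()}


if __name__ == "__main__":
    for name, (vpn, inet) in compare().items():
        print(f"{name:10s} VPN-bound translated={vpn!s:5s} internet-bound translated={inet}")
```

Under these rules the original `permit 10` already leaves the VPN-bound flow untranslated (the ACL deny drops it out of the only sequence), as does ACL 110; the accepted variant's `deny 10` never fires because an ACL that contains only a deny line permits nothing, so the flow falls through to `permit 20` and is translated. Whatever the model says, confirm on the box with `show ip nat translations` while a remote-site RDP session is open.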

Thank you. Will try this at the next change window and let you know.
