06-06-2007 07:30 PM - edited 03-05-2019 04:32 PM
Hi,
We have a head office router configured with a static nat 192.168.1.1:3389 from WANip:3389, and a VPN connection to a remote site.
From the remote site, we cannot access 192.168.1.1:3389, because the head office router will NAT out that outbound traffic.
I've read that route maps will do the trick, but our route-map ACL skipstaticNAT doesn't seem to be picking up the traffic.
Attached is the relevant config for the router.
Thank you,
Tiang
06-06-2007 11:58 PM
Hi,
Let's configure something like this on the head office router:
ip nat inside source route-map nonat interface WAN overload
route-map nonat permit 10
match ip address 110
access-list 110 deny tcp host 192.168.1.1 eq 3389 remote networks
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
So the NAT won't be applied to the traffic from 192.168.1.1:3389 to any remote subnet, but will be applied to any other traffic.
You can still use the static NAT for 192.168.1.1:3389 from WANip:3389 because these two can work together (I think).
Hope it helps, rate if it does.
Krisztian
06-07-2007 12:05 AM
Thanks for your reply.
That config is already in the router.
192.168.13.x is the local network. The service is on 192.168.13.13:3389.
192.168.15.x is the remote site network.
ip nat inside source route-map nat_eligible interface FastEthernet0/0 overload
route-map nat_eligible_dialer permit 10
match ip address vpn-BypassNAT
match interface Dialer1
ip access-list extended vpn-BypassNAT
deny ip 192.168.13.0 0.0.0.255 192.168.15.0 0.0.0.255
permit ip host 192.168.14.9 any
permit ip 192.168.13.0 0.0.0.255 any
permit ip 192.168.50.64 0.0.0.7 any
permit ip 192.168.50.0 0.0.0.255 host 61.88.166.3
permit ip 192.168.50.0 0.0.0.255 host 61.88.166.5
permit ip 192.168.14.64 0.0.0.7 any
permit ip host 192.168.14.1 any
permit ip host 192.168.100.1 any
permit ip host 192.168.50.9 any
permit ip 192.168.14.0 0.0.0.255 any log
06-08-2007 03:44 AM
Not sure if this will work, but did you try this?
route-map nat_eligible_dialer deny 10
match ip address vpn-BypassNAT
match interface Dialer1
route-map nat_eligible_dialer permit 20
match ip address vpn-NAT
match interface Dialer1
ip access-list extended vpn-BypassNAT
deny ip 192.168.13.0 0.0.0.255 192.168.15.0 0.0.0.255
ip access-list extended vpn-NAT
permit ip host 192.168.14.9 any
permit ip 192.168.13.0 0.0.0.255 any
permit ip 192.168.50.64 0.0.0.7 any
permit ip 192.168.50.0 0.0.0.255 host 61.88.166.3
permit ip 192.168.50.0 0.0.0.255 host 61.88.166.5
permit ip 192.168.14.64 0.0.0.7 any
permit ip host 192.168.14.1 any
permit ip host 192.168.100.1 any
permit ip host 192.168.50.9 any
permit ip 192.168.14.0 0.0.0.255 any log
06-10-2007 06:22 PM
Thank you. Will try this at the next change window and let you know.
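Added example, not code from any poster: a small Python model of how IOS evaluates a NAT route-map and its ACL, so you can check which flows a nonat route-map like the ones in this thread would hand to translation. The matching rules (Cisco wildcard masks; a deny ACE makes the route-map clause fall through rather than denying NAT; no matching clause means no translation) are my reading of IOS behaviour, and the ACL instance and flows are constructed from the thread's addressing (192.168.13.13:3389 at head office, 192.168.15.0/24 at the remote site).

```python
import ipaddress

# Constructed model of "ip nat inside source route-map <map> interface ... overload".
# Assumed rules: wildcard-mask matching; a route-map clause matches only when its
# ACL *permits* the flow (a deny ACE or no ACE falls through to the next clause);
# no matching clause means the flow is left untranslated.  Static NAT entries are
# evaluated separately by the router and are not modelled here.

def in_range(addr, base, wildcard):
    """Cisco wildcard test: bits set in the wildcard are don't-care bits."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def ace_matches(ace, flow):
    # ace  = (action, proto, src, src_wc, src_port|None, dst, dst_wc)
    # flow = (proto, src, src_port, dst)
    _, proto, src, src_wc, sport, dst, dst_wc = ace
    fproto, fsrc, fsport, fdst = flow
    return ((proto == "ip" or proto == fproto)
            and in_range(fsrc, src, src_wc)
            and (sport is None or sport == fsport)
            and in_range(fdst, dst, dst_wc))

def acl_lookup(acl, flow):
    """First matching ACE wins; every ACL ends in an implicit deny."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace[0]
    return "deny"

def nat_eligible(route_map, acls, flow):
    """True when the route-map, walked in sequence order, hands the flow to NAT."""
    for _seq, action, acl_name in sorted(route_map):
        if acl_lookup(acls[acl_name], flow) == "permit":
            return action == "permit"
    return False

# Constructed instance of the poster's vpn-BypassNAT ACL, reduced to its two
# relevant lines: exempt LAN-to-VPN traffic, translate everything else from the LAN.
ANY = "255.255.255.255"
ACLS = {"vpn-BypassNAT": [
    ("deny",   "ip", "192.168.13.0", "0.0.0.255", None, "192.168.15.0", "0.0.0.255"),
    ("permit", "ip", "192.168.13.0", "0.0.0.255", None, "0.0.0.0", ANY),
]}
NAT_ELIGIBLE = [(10, "permit", "vpn-BypassNAT")]   # one permit clause, as posted

RDP_TO_VPN      = ("tcp", "192.168.13.13", 3389, "192.168.15.20")   # constructed flows
RDP_TO_INTERNET = ("tcp", "192.168.13.13", 3389, "203.0.113.7")
OTHER_TO_VPN    = ("tcp", "192.168.13.50", 51000, "192.168.15.20")

if __name__ == "__main__":
    for name, flow in [("RDP->VPN", RDP_TO_VPN), ("RDP->Internet", RDP_TO_INTERNET),
                       ("other->VPN", OTHER_TO_VPN)]:
        print(name, "translate" if nat_eligible(NAT_ELIGIBLE, ACLS, flow) else "bypass NAT")
```

Under these rules the dynamic route-map already exempts the VPN-bound flows, so when a bypass still appears not to take effect, the static translation for port 3389 is the next thing to examine, since it is matched independently of the route-map statement.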