We have a 1710 router that exists behind NAT. We don't want this router to perform NAT at all (our edge router performs NAT for us). We also have an EZVPN originating from this router to a remote router on the internet. Whenever the EZVPN renegotiates its SA, NAT gets enabled on the client router and we have to manually enter the commands:
interface ethernet 0
no ip nat outside
interface fastethernet 0
no ip nat inside
clear ip nat translations forced
To clear all the translations. This lasts until the next time the VPN reconnects or the SA gets renegotiated.
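The manual check and fix described in the post above can be scripted against saved `show running-config` output. This is an added example, not part of the original thread: the sample config, the EZVPN profile name `EXAMPLE`, the addresses and the function names are all constructed for illustration.

```python
import re

# Constructed `show running-config` excerpt (not from the thread): NAT roles are back.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 192.0.2.10 255.255.255.0
 ip nat outside
 crypto ipsec client ezvpn EXAMPLE
!
interface FastEthernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 crypto ipsec client ezvpn EXAMPLE inside
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
"""

NAT_LINE = re.compile(r"^ip nat (inside|outside)$")


def find_nat_roles(config_text):
    """Return {interface: [roles]} for interfaces carrying `ip nat inside/outside`."""
    roles, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            continue
        if not raw.startswith(" "):  # any unindented line ends the interface block
            current = None
            continue
        m = NAT_LINE.match(raw.strip())
        if current and m:
            roles.setdefault(current, []).append(m.group(1))
    return roles


def removal_commands(roles):
    """Build the per-interface `no ip nat ...` lines used as the manual fix in the post."""
    cmds = []
    for iface, found in roles.items():
        cmds.append(f"interface {iface}")
        cmds.extend(f"no ip nat {r}" for r in found)
    return cmds


if __name__ == "__main__":
    print("\n".join(removal_commands(find_nat_roles(SAMPLE_CONFIG))))
```

Running it on a config captured after each tunnel reconnect shows whether the NAT roles have reappeared and prints the lines to paste back in.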
Thanks for your reply but the documentation here says that NAT gets enabled if the EZVPN is in client mode but our EZVPN is in network extension mode. There is nothing in our config that mentions enabling NAT - we don't want this router to perform NAT but it gets enabled every time the EZVPN reconnects.
The config is:
no service pad
service timestamps debug uptime
service timestamps log uptime
logging queue-limit 100
logging buffered 51200 debugging
memory-size iomem 25
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
aaa authentication login default local
aaa authentication ppp default group radius local
aaa authorization network default group radius local
I'm having just the opposite problem. I have a Cisco 831 router set up at home (connecting to a VPN 3060 at the corporate office). I want to be able to have certain IPs on the local subnet tunnel back to the office (which works by default with my EZVPN configuration, where all traffic tunnels back to corporate), and the rest of the hosts NAT (straight out to the internet locally, not accessing corporate resources). The configuration is pretty simple, and it works. However, every time the tunnel goes down and back up, my ip nat inside and ip nat outside statements are REMOVED (the opposite of what you describe). When I enable the commands again ("ip nat inside" and "ip nat outside"), I get an error message about CNBAR... TAC has not been able to help me thus far. Does anybody know what CNBAR is, or can anybody point me to some documentation?
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: