04-09-2002 06:02 PM - edited 03-08-2019 10:16 PM
Guys,
see below for part of my IOS config (had to modify because of security reasons ;)
Everything works fine, VPN Client gets address, full access to entire inside network, except the servers that have static NAT translations.
I get around the pool "mypool" NAT via the ACL and the route map statement, but I think the static NAT entries are global, so they'll happen regardless of what is in the ACL/route map?
Can someone point out the obvious please ... how do I tell the router not to use the static translation for the VPN clients (addresses obviously come from "vpnpool" for vpn clients)
Many thanks,
Gordon
interface Ethernet0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
!link to internal network
interface Serial0
bandwidth 1024
ip address y.y.y.y 255.255.255.252
ip nat inside
no fair-queue
clock rate 250000
dce-terminal-timing-enable
!
!link to internet
interface Serial1
no ip address
encapsulation frame-relay
no ip mroute-cache
no fair-queue
frame-relay lmi-type ansi
!
interface Serial1.1 point-to-point
ip address x.x.x.x 255.255.255.224
ip access-group 120 in
ip nat outside
no cdp enable
frame-relay interface-dlci 25 IETF
crypto map intmap
!
interface BRI0
no ip address
shutdown
!
ip local pool vpnpool 192.168.9.1 192.168.9.254
ip nat translation timeout 1800
ip nat pool mypool a.a.a.a a.a.a.a netmask 255.255.255.192
ip nat inside source route-map nonat pool mypool overload
ip nat inside source static 192.168.100.11 s.s.s.s
ip nat inside source static 192.168.100.21 s.s.s.s
access-list 102 deny ip 192.168.100.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 102 deny ip 192.168.103.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
access-list 102 permit ip 192.168.103.0 0.0.0.255 any
route-map nonat permit 10
match ip address 102
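As an added illustration (not code from the thread), here is a small Python model of the inside-to-outside NAT decision the post describes: static entries are applied before the route-map is ever consulted, so only the dynamic pool is gated by ACL 102. The config text is a constructed, abridged copy of the lines above with the masked a.a.a.a / s.s.s.s addresses replaced by documentation ranges.

```python
import ipaddress

# Constructed, abridged copy of the thread's NAT lines (public addresses replaced).
CONFIG = """
ip nat pool mypool 198.51.100.10 198.51.100.10 netmask 255.255.255.192
ip nat inside source route-map nonat pool mypool overload
ip nat inside source static 192.168.100.11 203.0.113.11
ip nat inside source static 192.168.100.21 203.0.113.21
access-list 102 deny ip 192.168.100.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 102
"""

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _addr_pair(tokens, i):
    """Consume 'any' or '<addr> <wildcard>' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tokens[i], tokens[i + 1]), i + 2

def parse(config):
    cfg = {"static": {}, "acl": {}, "pool": None, "rmap_acl": None}
    for line in config.strip().splitlines():
        t = line.split()
        if t[:5] == ["ip", "nat", "inside", "source", "static"]:
            cfg["static"][t[5]] = t[6]            # inside-local -> inside-global
        elif t[:3] == ["ip", "nat", "pool"]:
            cfg["pool"] = t[4]                    # first address of the pool
        elif t[0] == "access-list":               # access-list N action ip src dst
            src, i = _addr_pair(t, 4)
            dst, _ = _addr_pair(t, i)
            cfg["acl"].setdefault(t[1], []).append((t[2], src, dst))
        elif t[:3] == ["match", "ip", "address"]:
            cfg["rmap_acl"] = t[3]                # ACL tested by route-map nonat
    return cfg

def translate(cfg, src, dst):
    """Inside-global source for an inside->outside packet, or None if untranslated."""
    if src in cfg["static"]:          # static entry wins; the route-map is never checked
        return cfg["static"][src]
    for action, s, d in cfg["acl"][cfg["rmap_acl"]]:
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return cfg["pool"] if action == "permit" else None
    return None                        # implicit deny at the end of the ACL
```

Running translate() for a statically mapped server talking to a VPN client address returns the static inside-global address, while an ordinary inside host to the same client returns None, which is exactly the asymmetry the post reports.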
04-09-2002 08:08 PM
You need to use policy routing as in:
http://www.cisco.com/warp/customer/707/static.html
int loopback 0
ip address 1.1.1.1 255.255.255.0
interface Serial0
bandwidth 1024
ip address y.y.y.y 255.255.255.252
ip policy route-map nonat1
route-map nonat1
match ip address 102
set ip next-hop 1.1.1.2
Then you could just do a normal source-list 1 on the nat statement.
04-09-2002 11:06 PM
Many thanks! Will give it a go.
Gordon