Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

NAT problem

Guys,

see below for part of my IOS config (had to modify because of security reasons ;)

Everything works fine, VPN Client gets address, full access to entire inside network, except the servers that have static NAT translations.

I get around the pool "mypool" NAT via the ACL and the route map statement, but I think the static NAT entries are global, so they'll happen regardless of what is in the ACL/route map?

Can someone point out the obvious please ... how do I tell the router not to use the static translation for the VPN clients (addresses obviously come from "vpnpool" for vpn clients)

Many thanks,

Gordon

interface Ethernet0

no ip address

no ip route-cache

no ip mroute-cache

shutdown

!

!link to internal network

interface Serial0

bandwidth 1024

ip address y.y.y.y 255.255.255.252

ip nat inside

no fair-queue

clock rate 250000

dce-terminal-timing-enable

!

!link to internet

interface Serial1

no ip address

encapsulation frame-relay

no ip mroute-cache

no fair-queue

frame-relay lmi-type ansi

!

interface Serial1.1 point-to-point

ip address x.x.x.x 255.255.255.224

ip access-group 120 in

ip nat outside

no cdp enable

frame-relay interface-dlci 25 IETF

crypto map intmap

!

interface BRI0

no ip address

shutdown

!

ip local pool vpnpool 192.168.9.1 192.168.9.254

ip nat translation timeout 1800

ip nat pool mypool a.a.a.a a.a.a.a netmask 255.255.255.192

ip nat inside source route-map nonat pool mypool overload

ip nat inside source static 192.168.100.11 s.s.s.s

ip nat inside source static 192.168.100.21 s.s.s.s

access-list 102 deny ip 192.168.100.0 0.0.0.255 192.168.9.0 0.0.0.255

access-list 102 deny ip 192.168.103.0 0.0.0.255 192.168.9.0 0.0.0.255

access-list 102 permit ip 192.168.100.0 0.0.0.255 any

access-list 102 permit ip 192.168.103.0 0.0.0.255 any

route-map nonat permit 10

match ip address 102

2 REPLIES
Cisco Employee

Re: NAT problem

You need to use policy routing as in:

http://www.cisco.com/warp/customer/707/static.html

int loopback 0

ip address 1.1.1.1 255.255.255.0

interface Serial0

bandwidth 1024

ip address y.y.y.y 255.255.255.252

ip policy route-map nonat1

route-map nonat1

match ip address 102

set next hop 1.1.1.2

Then you could just do a normal source-list 1 on the

nat statement.

New Member

Re: NAT problem

Many thanks! will give it a go.

Gordon

91
Views
0
Helpful
2
Replies