Cisco Support Community

New Member

Router to Router VPN, NAT and Statics

Hi,

I've got a two-site VPN using routers. The VPN itself is fine, BUT - at the Head Office end, the customer has static NAT entries to allow incoming connections - any service which has a static NAT to allow incoming connections from the Internet is similarly inaccessible. Ping, for example, does not have this problem as there is no static NAT entry. I have tried to configure a "no-nat" route-map as per http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00800949ef.shtml, which I thought was working.

H.O. has the IPs 131.203.64.0/24 and 135.0.0.0/24 (I know, I know - I'm trying to get them to change), and the R.O. has 192.168.1.0/24.

Bits of config:

ip nat inside source route-map NONAT interface Ethernet0 overload
ip nat inside source static tcp 135.0.0.248 3389 131.203.100.27 3389 extendable
! (other statics removed)
!
ip access-list extended Int-E0-In
 permit ip 192.168.1.0 0.0.0.255 any
 ! (other entries removed)
!
access-list 198 deny ip 131.203.64.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 198 deny ip 135.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 198 permit ip 135.0.0.0 0.0.0.255 any
!
route-map NONAT permit 10
 match ip address 198

1. Removing the static entry for the shown host fixes the VPN problem, but obviously breaks other things :(

2. As mentioned, the VPN itself works fine, I can ping any of the hosts perfectly.

Any help greatly appreciated :)

Thanks,

Mike.

Accepted Solution

Bronze

Re: Router to Router VPN, NAT and Statics

You need to use the route-map option for the static nat. This is a new feature in 12.2(4)T according to this page:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipras_r/ip1_i2g.htm#1079180

It should do exactly what you want. The other, old way to do this is to use "The Trick", where you create a loopback interface and don't make it a nat interface and use policy routing to route your VPN traffic to an address on the same subnet as the loopback interface but not the loopback's address. IOS will then re-route that traffic to the real destination (in this case the remote VPN site), but since now it's not coming from an "ip nat inside" interface, the static nat translations won't apply and the VPN traffic won't be translated. The problem with this solution is that all loopback traffic is process-switched, so it's a bit of a hack, but sometimes such things are necessary.

HTH
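The two approaches the accepted answer describes, written out as an added configuration example (this is not config from the original post, nor from the Cisco documents linked above). The subnets and the static translation are the poster's; the 10.254.254.0/30 loopback subnet, access lists 199 and 200, the route-map names STATIC-NAT and VPN-NONAT, and Ethernet1 as the inside interface are assumptions. Per the thread, the route-map keyword on a static translation needs 12.2(4)T or later, and the poster reports below that on 12.2(11)T2 the static still took precedence, so the thread does not confirm that Option A fixed the problem.

```cisco
! ---- Option A: conditional static NAT (route-map keyword, 12.2(4)T and later) ----
! The static translation is applied only when the route-map permits the
! packet. ACL 199 therefore DENIES 135.0.0.248 -> remote VPN subnet (left
! untranslated) and permits 135.0.0.248 -> anything else (translated to
! 131.203.100.27:3389 as before). ACL number and route-map name are assumptions.
access-list 199 deny   ip host 135.0.0.248 192.168.1.0 0.0.0.255
access-list 199 permit ip host 135.0.0.248 any
!
route-map STATIC-NAT permit 10
 match ip address 199
!
ip nat inside source static tcp 135.0.0.248 3389 131.203.100.27 3389 extendable route-map STATIC-NAT
!
! ---- Option B: "The Trick" (loopback plus policy routing, no IOS feature dependency) ----
! Loopback0 is deliberately NOT configured as "ip nat inside" or "ip nat outside".
! Addresses on it are assumptions; any otherwise unused RFC 1918 /30 will do.
interface Loopback0
 ip address 10.254.254.1 255.255.255.252
!
! Select inside -> remote-site traffic from both H.O. subnets for policy routing.
access-list 200 permit ip 131.203.64.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 200 permit ip 135.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! The next hop is an address on Loopback0's subnet but NOT the loopback's own
! address. IOS hands the packet to the loopback, re-routes it via the routing
! table toward the real destination (the remote VPN site), and because that
! second lookup is no longer for a packet arriving on an "ip nat inside"
! interface, the static NAT translations are not applied to it.
route-map VPN-NONAT permit 10
 match ip address 200
 set ip next-hop 10.254.254.2
!
! Inside LAN interface (name assumed): NAT inside plus the policy route-map.
interface Ethernet1
 description Inside LAN (H.O.)
 ip nat inside
 ip policy route-map VPN-NONAT
!
! Ethernet0 stays the NAT outside interface; the crypto map is omitted here.
interface Ethernet0
 ip nat outside
```

To check either option, start an RDP session from 135.0.0.248 toward a 192.168.1.0/24 host and confirm with `show ip nat translations` that no entry for 135.0.0.248 -> 192.168.1.x is created, while Internet-bound connections still show up translated to 131.203.100.27. For Option B, `show route-map VPN-NONAT` shows the policy-routing match count climbing. As the answer notes, traffic pushed through the loopback is process-switched, so Option B costs CPU and should be treated as a workaround rather than a permanent design.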


New Member

Re: Router to Router VPN, NAT and Statics

That's what I thought I'd done, but the static translation seems to take precedence, even with the route-map in place. The router is running 12.2(11)T2, btw.
