
Site2Site VPN or NAT issue

I have a site-to-site VPN from an 877 to an 1841. Everything works fine for the VPN, but I am having problems allowing access from the internet to internal servers on the LAN attached to the 1841.

If I add an ip nat inside statement for a service (for example RDP), then that service stops working over the VPN. It does work from the internet, however.

Is this a NAT issue of some sort?

I've attached the bland config of the 1841, removing references to client specifics and bits not relevant to this problem.

Thanks for any assistance.

6 REPLIES

Re: Site2Site VPN or NAT issue

Yes you need to use a route-map with your NAT statements.

The route-map option can be used to translate only traffic going to the public network, and not translate traffic destined for the VPN.


Re: Site2Site VPN or NAT issue

Is this what I need here:

Make sure that your device is configured to use the NAT Exemption ACL. On a router, this means that you use the route-map command. On the PIX or ASA, this means that you use the nat (0) command. A NAT exemption ACL is required for both LAN-to-LAN and Remote Access configurations.

Here, an IOS router is configured to exempt traffic that is sent between 192.168.100.0 /24 and 192.168.200.0 /24 or 192.168.1.0 /24 from NAT. Traffic destined for anywhere else is subject to NAT overload:

access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255 any

route-map nonat permit 10
 match ip address 110

ip nat inside source route-map nonat interface FastEthernet0/0 overload

It is taken from this link:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#topic1

Thanks

Re: Site2Site VPN or NAT issue

Yes, but you need to use the route-map with your static command. This example is for dynamic NAT (PAT).

You just add a route-map statement to the end of the static command. Look up the nat inside command in the manual.

Configure the route-map like in the example to DENY traffic destined for the vpn and permit everything else.
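A worked version of that advice, added here as an example and not part of the original reply or of the Cisco tech note: it reuses access-list 110 and route-map nonat from the quoted tech note, and assumes the RDP server is 192.168.100.10 with a public address of 203.0.113.10 (both made up, documentation range), LAN on FastEthernet0/1, WAN on FastEthernet0/0, and an IOS image that accepts the route-map keyword on a static translation (the original poster's image did not).

```cisco
! Added example, not from the original thread. Assumed addresses:
!   inside LAN 192.168.100.0/24, remote VPN LANs 192.168.200.0/24 and 192.168.1.0/24
!   RDP server 192.168.100.10, public address 203.0.113.10 (documentation range)
!
! ACL semantics under a NAT route-map are the reverse of a filter ACL:
! "deny" means "do not translate", "permit" means "translate".
access-list 110 deny   ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 110 deny   ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 110
!
! Dynamic PAT for everything else on the LAN, exempting the VPN subnets
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
! Static translation for the RDP server tied to the same route-map, so the
! server's replies to VPN hosts keep their private source address (and so still
! match the crypto ACL) while internet clients reach 203.0.113.10:3389.
! Without the route-map the static entry also rewrites the source address of
! packets headed for the VPN, which is the symptom in the original post.
ip nat inside source static tcp 192.168.100.10 3389 203.0.113.10 3389 route-map nonat
!
! The interfaces still carry the NAT roles
interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip nat inside
!
! Checks after applying:
!   show route-map nonat        -> match counters should increase for LAN-to-internet flows
!   show ip nat translations    -> no entry whose outside address is a VPN subnet host
!   show ip nat statistics      -> the route-map should be listed under dynamic mappings
```

Test from a VPN-side host against 192.168.100.10:3389 and from the internet against 203.0.113.10:3389; both should now work at the same time. If the router rejects the route-map keyword on the static line, the image lacks that feature and the loopback policy-routing workaround posted later in this thread is the alternative.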


Re: Site2Site VPN or NAT issue

One last question: Does it need to be on both ends of the VPN or just the end where the services that I am trying to reach are located?

Re: Site2Site VPN or NAT issue

Only where the static NAT is.

The other end (client) will always try to reach the services using the real IP address; you need to make sure that the traffic coming back is NOT translated.


Re: Site2Site VPN or NAT issue

Hi,

Thank you very much for your help. Even though your answer wasn't the one, it did start me on the right track. The problem with using the route-map command with the static nat command is that it wasn't supported in the IOS version I had.

I found this suggestion from 2004, which has resolved the problem, and I've posted it here in case others need it.

----------

Create a loopback interface without the ip nat statement:

interface loopback 0
 ip address 1.1.1.1 255.255.255.0

Create an access list to match the traffic that is being inadvertently NAT'ed:

access-list 199 permit ip host 10.10.1.203 y.y.y.0 0.0.0.255

The host is the private IP because NAT has not happened yet. You could be more specific and do TCP and port, but that will probably make this more confusing. y.y.y is your network, and I assumed class C.

Create a route-map to match the traffic and set the next hop out the loopback interface:

route-map lanint permit 10
 match ip address 199
 set ip next-hop 1.1.1.2

Bind the route-map to your LAN interface:

interface ?
 ip policy route-map lanint

----------------
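The same workaround narrowed to the RDP return traffic, as the quoted suggestion says is possible, given as an added example that is not part of the original reply. The loopback addressing from the post is kept; the LAN interface FastEthernet0/1, the WAN interface FastEthernet0/0, the remote VPN LAN 192.168.200.0/24 and the server address 10.10.1.203 on this router's LAN are assumptions.

```cisco
! Added example, not part of the original reply. Assumed:
!   LAN FastEthernet0/1 (ip nat inside), WAN FastEthernet0/0 (ip nat outside)
!   RDP server 10.10.1.203, remote VPN LAN 192.168.200.0/24
!
! Loopback with no "ip nat inside". Policy routing runs before inside-to-outside
! NAT, so a packet sent to a next hop on this loopback is re-routed as if it
! arrived on a non-NAT-inside interface: the static translation is skipped and
! the crypto map on the WAN still sees the private source address.
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
! Match only the server's RDP replies to the remote VPN LAN. The source port is
! 3389 because this is return traffic from the server; everything else from the
! server (including replies to internet clients) is left for normal NAT.
access-list 199 permit tcp host 10.10.1.203 eq 3389 192.168.200.0 0.0.0.255
!
route-map lanint permit 10
 match ip address 199
 set ip next-hop 1.1.1.2
! No further clause is needed: packets that match nothing in the route-map
! fall through to ordinary forwarding and are translated as before.
!
interface FastEthernet0/1
 ip nat inside
 ip policy route-map lanint
!
! Checks:
!   show route-map lanint       -> "Policy routing matches: N packets" should climb
!                                  while a VPN host uses RDP
!   show ip nat translations    -> no entry with 192.168.200.x as the outside host
!   debug ip policy             -> per-packet "policy match" / "policy routed" lines
!                                  (use with care on a busy router)
```

Keep the ACL as narrow as the service needs: the broader the match, the more traffic you silently pull out of NAT, and a VPN subnet that later changes address will stop matching without any error being logged.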
