
Tunnel + Static NAT problem

l.cabral
Level 1

Hi:

I've configured a Pix501 to establish a site-to-site tunnel with a 1710 in the central site and it works fine, except for one little problem. The central site hosts a Domino server which needs to have a static nat entry to allow servers in the internet to deliver mail to it. So, the problem is that although I created a route-map to avoid nat in site-to-site traffic, the static entry seems to take precedence over the route-map and the mail server is always nated. So the SOHO can't access it. What can I do to solve this?

I need to use an entry like this:

ip nat inside static source tcp 172.16.34.22 1352 200.212.0.66 1352

Any help?

Thanks,

Accepted Solution

jfrahim
Level 5

you need to do the following:

1) create a loopback interface with some ip subnet that you are not using anywhere in your network. Let's say 10.10.10.0/30 :

int loop 0

ip address 10.10.10.1 255.255.255.252

2) create a route-map to match the traffic originated by the 172.16.34.22 server and destined to the other side of the tunnel

access-list 101 permit ip host 172.16.34.22 192.168.0.0 255.255.255.0

route-map static permit 10

match ip address 101

set ip next-hop 10.10.10.2 ( some address towards the loopback interface )

3) apply the route-map to the inside interface of the router where you have the server

inter e0/0

ip policy route-map static

That's it

Hope that helps

Jazib

Thanks a lot, your answer was very helpful. By the way, is there a page that shows a state machine of router processes? It will be really helpful to know in which order the router performs routing and nat steps.

Regards,
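The follow-up question above is really about NAT order of operations, and that order is also what makes Jazib's loopback trick work. The model below is an added illustration for this thread, not IOS code and not anything posted by the participants. It encodes two rules from Cisco's documented NAT order of operations (inside-to-outside: policy routing and routing run before NAT; outside-to-inside: NAT runs before routing) plus the rule that an inside-source translation is only applied when a packet moves from an `ip nat inside` interface to an `ip nat outside` interface. The static entry from the question, ACL 101, the route-map and the loopback subnet come from the thread; the outside interface name `e1`, the routing table, the crypto ACL and the Internet source address 198.51.100.7 are assumptions made up for the example.

```python
"""Model of why policy-routing through a loopback bypasses static NAT.

Added illustration, not IOS and not from the original thread. Interface
names other than e0/0 and Loopback0, the routing table, the crypto ACL and
the Internet host address are assumed values constructed for the example.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


# Interface -> NAT role, as set with 'ip nat inside' / 'ip nat outside'.
# Loopback0 deliberately carries no NAT role.
NAT_ROLE = {"e0/0": "inside", "e1": "outside", "Loopback0": None}

# Static translation from the question: 172.16.34.22:1352 <-> 200.212.0.66:1352
STATIC_NAT = [("172.16.34.22", 1352, "200.212.0.66", 1352, "tcp")]

# Routing table (assumed). 10.10.10.0/30 is the loopback subnet from the reply.
ROUTES = [
    (ip_network("172.16.34.0/24"), "e0/0"),
    (ip_network("10.10.10.0/30"), "Loopback0"),
    (ip_network("0.0.0.0/0"), "e1"),  # default toward the ISP / tunnel peer
]

# 'access-list 101' and 'route-map static' from the reply, applied on e0/0.
PBR_MATCH = (ip_address("172.16.34.22"), ip_network("192.168.0.0/24"))
PBR_NEXT_HOP = "10.10.10.2"
PBR_INTERFACES = {"e0/0"}

# Crypto ACL for the site-to-site tunnel (assumed): only untranslated
# addresses match, so translated traffic never enters the tunnel.
CRYPTO_ACL = (ip_network("172.16.34.0/24"), ip_network("192.168.0.0/24"))


def route(dst: str) -> str:
    """Longest-prefix match over ROUTES; returns the egress interface."""
    addr = ip_address(dst)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def policy_route(pkt: Packet, ingress: str):
    """Return the PBR next hop when the route-map on the ingress interface matches."""
    if (ingress in PBR_INTERFACES and ip_address(pkt.src) == PBR_MATCH[0]
            and ip_address(pkt.dst) in PBR_MATCH[1]):
        return PBR_NEXT_HOP
    return None


def nat_inside_to_outside(pkt: Packet) -> Packet:
    """Apply the static inside-source translation to the packet's source."""
    for lip, lport, gip, gport, proto in STATIC_NAT:
        if pkt.src == lip and pkt.sport == lport and pkt.proto == proto:
            return replace(pkt, src=gip, sport=gport)
    return pkt


def nat_outside_to_inside(pkt: Packet) -> Packet:
    """Reverse the static translation for traffic arriving from outside."""
    for lip, lport, gip, gport, proto in STATIC_NAT:
        if pkt.dst == gip and pkt.dport == gport and pkt.proto == proto:
            return replace(pkt, dst=lip, dport=lport)
    return pkt


def forward(pkt: Packet, ingress: str, pbr_enabled: bool = True):
    """One pass through the router. Returns (packet, egress_interface).

    A packet sent to Loopback0 is looped back and processed again with
    Loopback0 as its ingress interface, which has no NAT role, so the
    loopback -> outside hop never triggers the inside-source translation.
    """
    in_role = NAT_ROLE[ingress]
    if in_role == "outside":
        pkt = nat_outside_to_inside(pkt)  # outside->inside: NAT before routing
        return pkt, route(pkt.dst)
    # inside->outside: policy routing, then routing, then NAT
    nh = policy_route(pkt, ingress) if pbr_enabled else None
    egress = route(nh) if nh else route(pkt.dst)
    if in_role == "inside" and NAT_ROLE[egress] == "outside":
        pkt = nat_inside_to_outside(pkt)
    if egress == "Loopback0":
        return forward(pkt, "Loopback0", pbr_enabled)
    return pkt, egress


def enters_tunnel(pkt: Packet) -> bool:
    """True when the (possibly translated) packet still matches the crypto ACL."""
    return ip_address(pkt.src) in CRYPTO_ACL[0] and ip_address(pkt.dst) in CRYPTO_ACL[1]
```

Run `forward()` on a reply from the Domino server (source port 1352) to a SOHO host with `pbr_enabled=False` and the source comes out translated to 200.212.0.66, which no longer matches the crypto ACL; with the route-map applied the packet first exits via Loopback0, re-enters without an inside role, and reaches e1 untranslated. Inbound mail from the Internet to 200.212.0.66:1352 is translated before routing and still lands on e0/0, so the static entry keeps doing its job.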