I use static NAT to expose some servers to the internet. I created an IPSec tunnel from a remote office to the central office which worked, but the remote office could not connect to the servers that have static NAT mappings.
I added a route-map to the static mappings like this:
ip nat inside source static 192.168.12.9 126.96.36.199 route-map NATRouteMap
route-map NATRouteMap permit 1
 match ip address 104
access-list 104 deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 104 permit ip 192.168.12.0 0.0.0.255 any
Everything seemed to work fine until e-mail started bouncing. Without the route-map on the ip nat, connections from 192.168.12.9 would have a source IP address of 188.8.131.52, exactly what the static mapping says. With the route-map, connections from 192.168.12.9 have a source IP address of 184.108.40.206 which is the external interface and pooled NAT ip address.
How can I have an outbound static mapping and still access the server from the IPSec tunnel?
I added the route-map to the static NAT to allow a remote network that is using an IPSec tunnel to access the internal IP addresses. The route-map prevents NATing for packets to/from the remote IPSec network.
When packets come in from the IPSec tunnel, the replies get NATed because of the static NAT. The NATed replies don't match the IPSec selection so they don't get encrypted and sent back through the IPSec tunnel.
I see. This happens because you have another nat statement or more, and even if the route-map prevents natting on the static nat for a certain global address, it still is subject to the other.
There are probably a few things that you can try:
- use a GRE tunnel over IPSec so you will have better control over what is NATed and what is not - the tunnel interface would have no NAT statement. You can reuse the crypto maps and simply add tunnel protection with the GRE config.
This is also the best solution, as it lets you add more networks over the tunnel without changing the crypto maps.
- use more route maps so that the pooled nat never nats for 64.233.x.x
- investigate the use of virtual NAT interfaces - I'm not very familiar with these anyway.
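As an added illustration of the second suggestion (not from the original thread), a config sketch in which both the static mapping and the pooled/overload NAT statement exempt tunnel traffic, and the pooled NAT never picks up the statically mapped host. Access-list 105, the interface names and the ip nat inside/outside placement are assumptions.

```cisco
! Assumed interface roles (not from the original post)
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside

! Static mapping for the server, exempting traffic to the remote IPSec network
ip nat inside source static 192.168.12.9 126.96.36.199 route-map NATRouteMap
route-map NATRouteMap permit 1
 match ip address 104
access-list 104 deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 104 permit ip 192.168.12.0 0.0.0.255 any

! Pooled/overload NAT for the rest of the LAN, with the same tunnel exemption
! and an explicit deny for the server so only the static mapping translates it
! (access-list 105 is an assumed name)
ip nat inside source list 105 interface GigabitEthernet0/0 overload
access-list 105 deny ip 192.168.12.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 105 deny ip host 192.168.12.9 any
access-list 105 permit ip 192.168.12.0 0.0.0.255 any

! Check: no translation should exist for traffic toward 192.168.11.0/24,
! and the server's outbound entries should show 126.96.36.199 as the global address
show ip nat translations
```

After a change, clear stale entries with clear ip nat translation * and re-test from the remote office, since existing translations are kept until they time out.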