Excluding one destination from nat

kyriacossakkas
Level 1

CISCO 800 IOS 12.3

Hi, I have several VPNs set up between my site and the sites of associates. The original requirements were for me to have two public IPs for this setup, one which is a real interface (and the tunnel endpoint), and one which is used for NATing my internal private address onto, so that my internal machine can be reached by normal routing from sites which I do not have a VPN with.

My problem is that I now need to create a new VPN with a site that needs to see my private address through the tunnel.

So is there a way to have NATing in place except when talking with one specific peer?

All connections will be initiated by me and directed to this peer's private IP address.

The tunnel is in place, and through ping, we know that he sees my request, but for him they appear from my second public IP, which he cannot route to his internal network. Having them NAT their side in order for us to talk with them from our public address is not an option (we count as client-side in this setup).

3 Replies

bobd
Level 1

The Cisco IOS allows you to use NAT exclusions through the use of ACLs. For example, if your network is 192.168.1.0 and the remote network that you do not want to NAT to is 192.168.2.0 then the commands would be:

access-list 101 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.x (where x is the IP of the host to exclude; IOS ACLs take a wildcard mask, so 0.0.0.255 covers the /24)

access-list 101 permit ip 192.168.1.0 0.0.0.255 any (permit for everything else)

ip nat inside source list 101 interface <outside-interface> overload (apply NAT; substitute your outside interface name)

Post your config if this isn't helpful and I will take a closer look at it.

Bob

Hi, got the local CISCO rep to come over, and he tried something like what you describe, but for some reason it did not work, NATing kept taking place on all traffic. Here are parts of my config, which include his modifications:

interface Ethernet0
 description Connection to SMSC Client Application
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 no cdp enable
 hold-queue 32 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 212.xxx.xxx.209
ip route 192.168.7.17 255.255.255.255 80.xxx.xxx.xxx
no ip http server
no ip http secure-server
!
ip nat pool mypool 212.xxx.xxx.213 212.xxx.xxx.213 prefix-length 30
ip nat inside source list 110 pool mypool
!
access-list 110 deny ip host 192.168.0.10 host 192.168.7.17
access-list 110 permit ip host 192.168.0.10 any

Hope this makes sense, even with the snipping and masking.

Thanks in advance to anybody that might spot where we are going wrong.

If there was already a NAT translation in place when you implemented the ACL, you may need to clear the existing translations.

clear ip nat translation *

The ACL in your snip should exclude traffic coming from 192.168.0.10 to 192.168.7.17 from NAT and NAT everything else from the same host.

Looks like it should work.
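To make the two points in this thread concrete (Bob's ACL-based exclusion, and the last reply's note that an existing translation keeps being used until it is cleared), here is an added Python model that is not part of the original thread or of Cisco IOS. It parses the poster's access-list 110 with IOS first-match semantics (the `host` keyword, `any`, and wildcard masks), then models a NAT translation table in which an entry created before the deny line existed is still honoured until `clear ip nat translation *` is simulated. The pool address 203.0.113.213 stands in for the masked 212.xxx.xxx.213, and 198.51.100.5 is a constructed non-VPN destination; both are placeholders, not values from the thread.

```python
import ipaddress
from dataclasses import dataclass

# Constructed config fragment modelled on the poster's snippet; the pool
# address is a placeholder for the masked 212.xxx.xxx.213.
CONFIG = """
ip nat pool mypool 203.0.113.213 203.0.113.213 prefix-length 30
ip nat inside source list 110 pool mypool
access-list 110 deny ip host 192.168.0.10 host 192.168.7.17
access-list 110 permit ip host 192.168.0.10 any
""".strip().splitlines()


def _parse_addr(tokens):
    """Consume one IOS ACL address spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    wildcard = tokens.pop(0)
    # An IOS wildcard mask is the inverse of a netmask: 0 bits must match,
    # 1 bits are don't-care. Invert it so ipaddress can build the network.
    all_ones = int(ipaddress.ip_address("255.255.255.255"))
    netmask = ipaddress.ip_address(all_ones ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


@dataclass
class AclEntry:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_acl(lines, number):
    """Collect the 'access-list <number> {permit|deny} ip SRC DST' entries in order."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[:2] != ["access-list", str(number)] or tokens[3] != "ip":
            continue
        action, rest = tokens[2], tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        entries.append(AclEntry(action, src, dst))
    return entries


def acl_matches(entries, src, dst):
    """First matching entry decides; an ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in entries:
        if s in entry.src and d in entry.dst:
            return entry.action == "permit"
    return False


class NatRouter:
    """Minimal model: a flow with an existing translation is not re-checked
    against the ACL, which is why stale entries must be cleared."""

    def __init__(self, acl_entries, pool_ip):
        self.acl = acl_entries
        self.pool_ip = pool_ip
        self.translations = {}  # (inside src, dst) -> source address the peer sees

    def forward(self, src, dst):
        """Return the source address the far side sees for this flow."""
        key = (src, dst)
        if key in self.translations:
            return self.translations[key]
        if acl_matches(self.acl, src, dst):
            self.translations[key] = self.pool_ip
            return self.pool_ip
        return src  # denied by the NAT ACL: leave the packet untranslated

    def clear_translations(self):
        """Equivalent of 'clear ip nat translation *'."""
        self.translations.clear()


def demo():
    """Stale translation before clearing, then correct behaviour after."""
    router = NatRouter(parse_acl(CONFIG, 110), "203.0.113.213")
    # The VPN flow was translated before the deny entry was added.
    router.translations[("192.168.0.10", "192.168.7.17")] = "203.0.113.213"
    stale = router.forward("192.168.0.10", "192.168.7.17")
    router.clear_translations()
    fixed = router.forward("192.168.0.10", "192.168.7.17")
    other = router.forward("192.168.0.10", "198.51.100.5")  # constructed non-VPN host
    return stale, fixed, other


if __name__ == "__main__":
    print(demo())
```

Running it shows the peer seeing the pool address while the old translation survives, the real inside address once the table is cleared, and the pool address for any other destination, which is exactly the outcome the poster wants.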
