Hi, I have several VPNs set up between my site and the sites of associates. The original requirements were for me to have two public IPs for this setup, one which is a real interface (and the tunnel endpoint), and one which is used for NATing my internal private address onto, so that my internal machine can be reached by normal routing from sites which I do not have a VPN with.
My problem is that I now need to create a new VPN with a site that needs to see my private address through the tunnel.
So is there a way to have NATing in place except when talking with one specific peer?
All connections will be initiated by me and directed to this peer's private IP address.
The tunnel is in place, and through ping, we know that he sees my request, but for him they appear from my second public IP, which he cannot route to his internal network. Having them NAT their side in order for us to talk with them from our public address is not an option (we count as client-side in this setup).
The Cisco IOS allows you to use NAT exclusions through the use of ACLs. For example, if your network is 192.168.1.0 and the remote network that you do not want to NAT to is 192.168.2.0 then the commands would be:
access-list 101 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.x (where x is the IP of the host to exclude; IOS ACLs take wildcard masks, so 0.0.0.255 here, not a subnet mask)
access-list 101 permit ip 192.168.1.0 0.0.0.255 any (permit for everything else)
ip nat inside source list 101 interface <outside-interface> overload (apply NAT; substitute your outside interface name)
Post your config if this isn't helpful and I will take a closer look at it.
Hi, got the local Cisco rep to come over, and he tried something like what you describe, but for some reason it did not work; NAT kept being applied to all traffic. Here are parts of my config, which include his modifications:
description Connection to SMSC Client Application
ip address 192.168.0.1 255.255.255.0
ip nat inside
no ip mroute-cache
no cdp enable
hold-queue 32 in
ip route 0.0.0.0 0.0.0.0 212.xxx.xxx.209
ip route 192.168.7.17 255.255.255.255 80.xxx.xxx.xxx
no ip http server
no ip http secure-server
ip nat pool mypool 212.xxx.xxx.213 212.xxx.xxx.213 prefix-length 30
ip nat inside source list 110 pool mypool
access-list 110 deny ip host 192.168.0.10 host 192.168.7.17
access-list 110 permit ip host 192.168.0.10 any
Hope this makes sense, even with the snipping and masking.
Thanks in advance to anybody that might spot where we are going wrong.
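To make the NAT-exemption logic discussed in this thread concrete, here is an added example (my own code, not from the thread participants or from Cisco) that evaluates an IOS-style `ip nat inside source list` ACL the way the router does: top-down, first match wins, `deny` means "do not translate", and an implicit deny at the end means unlisted sources are never translated. The ACL text is the access-list 110 posted above; the sample flows and the `203.0.113.0/24` destination are constructed for the example. It also shows why a subnet mask typed where a wildcard mask belongs matches the wrong addresses.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the NAT ACL from the thread, in IOS syntax (wildcard masks).
ACL_110 = """
access-list 110 deny ip host 192.168.0.10 host 192.168.7.17
access-list 110 permit ip host 192.168.0.10 any
"""


@dataclass
class AclEntry:
    action: str            # "permit" (translate) or "deny" (exempt from NAT)
    src: tuple             # (address_int, wildcard_int)
    dst: tuple


def _ip_int(text):
    return int(ipaddress.IPv4Address(text))


def _parse_spec(tokens, i):
    """Parse one IOS address spec starting at tokens[i]: 'any', 'host A', or 'A WILDCARD'.
    Returns ((address_int, wildcard_int), index_after_spec)."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (_ip_int(tokens[i + 1]), 0), i + 2
    return (_ip_int(tok), _ip_int(tokens[i + 1])), i + 2


def matches_spec(address, wildcard, ip):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is 'don't care'."""
    care = ~_ip_int(wildcard) & 0xFFFFFFFF
    return (_ip_int(ip) ^ _ip_int(address)) & care == 0


def _matches(spec, ip):
    addr, wc = spec
    return (_ip_int(ip) ^ addr) & (~wc & 0xFFFFFFFF) == 0


def wildcard_from_mask(mask):
    """Convert a subnet mask (255.255.255.0) to the wildcard IOS ACLs expect (0.0.0.255)."""
    return str(ipaddress.IPv4Address(~_ip_int(mask) & 0xFFFFFFFF))


def parse_acl(text, number):
    """Collect the 'access-list <number> ... ip SRC DST' entries, in configured order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != str(number):
            continue
        if t[3] != "ip":
            raise ValueError("this example only handles 'ip' entries: " + line)
        src, i = _parse_spec(t, 4)
        dst, _ = _parse_spec(t, i)
        entries.append(AclEntry(t[2], src, dst))
    return entries


def nat_decision(entries, src_ip, dst_ip):
    """First matching entry decides: permit -> 'translate', deny -> 'exempt'.
    No match hits the implicit deny, so the flow is also not translated."""
    for e in entries:
        if _matches(e.src, src_ip) and _matches(e.dst, dst_ip):
            return "translate" if e.action == "permit" else "exempt"
    return "exempt-implicit"


if __name__ == "__main__":
    acl = parse_acl(ACL_110, 110)
    for src, dst in [("192.168.0.10", "192.168.7.17"),   # VPN peer: must stay private
                     ("192.168.0.10", "203.0.113.5"),    # ordinary Internet flow
                     ("192.168.0.20", "203.0.113.5")]:   # host not listed at all
        print(src, "->", dst, ":", nat_decision(acl, src, dst))
    # A subnet mask in the wildcard position: 192.168.1.0 255.255.255.0 matches
    # any address whose last octet is 0, including 10.0.0.0, instead of 192.168.1.0/24.
    print("mis-typed mask matches 10.0.0.0:",
          matches_spec("192.168.1.0", "255.255.255.0", "10.0.0.0"))
    print("correct wildcard for /24:", wildcard_from_mask("255.255.255.0"))
```

The useful check against a config like the one above is the third flow: because access-list 110 only names host 192.168.0.10, any other inside host falls through to the implicit deny and is never translated, which is easy to mistake for "NAT is broken" when it is simply not matched. Conversely, an existing entry in `show ip nat translations` created before the ACL was changed keeps translating until it ages out or is cleared, so the ACL alone is not proof of what the router is doing right now.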