07-29-2013 10:29 PM
Dear all,
Here are the scenarios.
1) I have a branch site with multiple public IPs.
2) One of the servers needs to be accessed from another branch as well (VPN tunnel established).
3) It's a Cisco router.
!
interface FastEthernet0/0
description outside
ip address x.x.x.3 255.255.255.248
ip nat outside
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
crypto map vpn
!
ip nat inside source static 192.168.1.100 x.x.x.4
!
ip route 0.0.0.0 0.0.0.0 x.x.x.1
!
Remarks:
- The tunnel from branch to branch is already established.
- I can access the server via RDP using the public IP x.x.x.4.
- But users from the other branch couldn't ping or RDP to this server using 192.168.1.100.
07-29-2013 11:10 PM
Your problem comes from the fact that both native and VPN traffic flow over the same NAT-enabled interface, so your NAT statement also matches the VPN traffic. There are two solutions to that problem:
1) Migrate to VTIs. With these you have an IPsec interface where you don't need to enable NAT. For that, the other end also has to be an IOS router.
2) Extend your NAT statement with a route-map. In that route-map you specify an ACL that has deny statements for the VPN traffic, and the traffic won't be NATted any more when flowing through the VPN.
Sent from Cisco Technical Support iPad App
07-29-2013 11:16 PM
Hi Karsten,
thanks for your reply.
You mean this?
I already configured this in the router.
ip nat pool test x.x.x.3 x.x.x.4 netmask 255.255.255.248
ip nat inside source route-map nonat pool test overload
!
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 30
match ip address 120
!
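To check what the route-map approach from the reply above actually does with access-list 120 as posted, here is an added example (not from the thread or from Cisco): it evaluates flows against the ACL with IOS wildcard-mask and first-match semantics, where a deny means the flow is exempt from translation and a permit means it is NATted. Only NAT statements that reference the route-map consult this ACL; the sample flows are constructed.

```python
# Added example: simulate how a NAT route-map's ACL classifies traffic.
# In IOS, a 'deny' ACE in the route-map ACL means the flow is NOT translated.
import ipaddress

# access-list 120 exactly as posted in the thread
ACL_120 = [
    "access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255",
    "access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255",
    "access-list 120 permit ip 192.168.1.0 0.0.0.255 any",
]

def _parse_addr(toks):
    """Return ((address, wildcard), remaining tokens); 'any' is a full wildcard."""
    if toks[0] == "any":
        return (0, 0xFFFFFFFF), toks[1:]
    addr = int(ipaddress.IPv4Address(toks[0]))
    wildcard = int(ipaddress.IPv4Address(toks[1]))
    return (addr, wildcard), toks[2:]

def parse_ace(line):
    """Parse 'access-list N deny|permit ip SRC SRCWC DST DSTWC' into (action, src, dst)."""
    toks = line.split()
    action = toks[2]
    src, rest = _parse_addr(toks[4:])
    dst, _ = _parse_addr(rest)
    return action, src, dst

def matches(ip, entry):
    """IOS wildcard mask: 1 bits are 'don't care', so compare only the 0 bits."""
    addr, wildcard = entry
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def nat_decision(acl_lines, src_ip, dst_ip):
    """First matching ACE wins; the implicit deny at the end also means no NAT.
    Returns 'nat' (translated) or 'no-nat' (exempt, e.g. VPN traffic)."""
    for line in acl_lines:
        action, src, dst = parse_ace(line)
        if matches(src_ip, src) and matches(dst_ip, dst):
            return "nat" if action == "permit" else "no-nat"
    return "no-nat"

if __name__ == "__main__":
    # constructed flows from the server 192.168.1.100 in the first post
    for dst in ("192.168.100.10", "192.168.200.25", "203.0.113.9"):
        print(f"192.168.1.100 -> {dst}: {nat_decision(ACL_120, '192.168.1.100', dst)}")
```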