nat (outside,outside) dynamic interface, equivalent in IOS

For a remote VPN user who just wants to access the internet for now. Now, I know you have to put the following in the config when using ASA; what is the equivalent in IOS?

nat (outside,outside) dynamic interface.

thanks,

Han

9 REPLIES

nat (outside,outside) dynamic interface, equivalent in IOS

Hello.

I think you wanted to achieve hairpinning for the IPsec remote access VPN users to access the internet via the VPN router. There is no direct way of doing this like we have in ASA.

Please follow the Cisco document below, where you can make use of a NAT on a stick configuration to achieve this.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

Regards

Harish

Please rate helpful posts!

New Member

Re: nat (outside,outside) dynamic interface, equivalent in IOS

Harish,

Thanks first; however, I do have a question regarding the next-hop:

route-map VPN-Client permit 10
 match ip address 144
 set ip next-hop 10.11.0.2

what is 10.11.0.2?

thanks,

Han

nat (outside,outside) dynamic interface, equivalent in IOS

Hello,

This is just an IP under the loopback interface.

When traffic comes in through the outside interface, it has to go through an inside and outside NAT in order to access the internet, so what we are doing is forcefully sending the traffic to the loopback (where we have ip nat inside configured, and it will undergo the NAT inside process). Once it comes back to the routing table, it will check the default route to go outside (this time the NAT outside process, and we are good).

Please shoot if you have any query.

regards

Harish.

Please rate all helpful posts!

New Member

nat (outside,outside) dynamic interface, equivalent in IOS

So, it is a typo, not 10.11.0.2, isn't it?

It should be like,

set ip next-hop 10.11.0.1 since the loopback is 10.11.0.1

Shouldn't it?

thanks,

Han

nat (outside,outside) dynamic interface, equivalent in IOS

Hello Han,

No, it is not a typo. Since the next-hop IP belongs to the loopback interface, the route map will send the traffic to the loopback interface (that is ultimately what we wanted the router to do, to imitate the inside interface).

The problem is that for a NAT to happen, the traffic has to go through an inside and an outside interface, so we are just faking the inside interface with the help of the loopback!

regards

Harish

New Member

nat (outside,outside) dynamic interface, equivalent in IOS

So, you mean it sends to an IP address that is not configured in the network but belongs to the Loopback's subnet,
so that the traffic is "tricked" to the loop interface?

thanks,

Han

nat (outside,outside) dynamic interface, equivalent in IOS

Hello Han,

You are correct!

Harish.
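
The loopback arrangement discussed in the exchange above, written out as an IOS configuration sketch. This is an added example, not part of any poster's reply or of the linked Cisco document. The route-map name, ACL 144, next hop 10.11.0.2 and loopback address 10.11.0.1 come from the thread; the loopback mask, interface name, outside addressing, ACL 150 and the client pool are assumptions, and the crypto/VPN configuration is omitted.

```cisco
! From the thread: route-map VPN-Client, ACL 144, next hop 10.11.0.2,
! loopback address 10.11.0.1.
! Assumed for illustration: the /24 loopback mask, GigabitEthernet0/0 as the
! outside interface, constructed addressing from 203.0.113.0/24, ACL 150, and
! 192.168.237.0/24 as the VPN client pool (the pool assumed in the ASA reply).
!
! Loopback0 stands in for the "inside" interface. 10.11.0.2 is an unused
! address in its subnet, so policy-routed packets are sent "into" the loopback
! and then re-enter normal routing.
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
!
! Outside interface: decrypted client traffic arrives here and is policy-routed.
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 ip policy route-map VPN-Client
!
! Policy routing matches only traffic sourced from the VPN client pool.
access-list 144 permit ip 192.168.237.0 0.0.0.255 any
!
route-map VPN-Client permit 10
 match ip address 144
 set ip next-hop 10.11.0.2
!
! Translate only the client pool rather than "any", so the overload rule
! cannot be used by sources that were never meant to be hairpinned.
access-list 150 permit ip 192.168.237.0 0.0.0.255 any
ip nat inside source list 150 interface GigabitEthernet0/0 overload
!
! Default route used once the packet is back in the routing table.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

`show route-map VPN-Client` shows whether client packets are matching the policy, and `show ip nat translations` shows whether they are being translated to the outside interface address.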

New Member

nat (outside,outside) dynamic interface, equivalent in IOS

nat (outside) 1 192.168.237.0 255.255.255.0

global (outside) 1 interface

Assuming 192.168.237.0 255.255.255.0 is the ip pool assigned to the RA vpn

nat (outside,outside) dynamic interface, equivalent in IOS

On IOS, you will need to create a pool for the dynamic interface using the "ip nat pool" command, then use "ip nat outside pool"; after that you will need to implement it on the interface. I left out some other parameters to make it easier for you to compare the NAT on ASA and on IOS.
