
site to site vpn cisco1811

donnie
Level 1

Hi all,

Below is my site-to-site VPN configuration on a Cisco 1811. It seems that NAT exemption is not configured, but my VPN still works. Can you advise how I can configure NAT exemption? Thanks in advance.

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxx address 11.x.x.x
crypto isakmp key xxxxxx address 11.x.x.x
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map test 50 ipsec-isakmp
set peer 11.x.x.x
set security-association lifetime seconds 28800
set transform-set test
set pfs group2
match address testing
!
!
!
!
interface FastEthernet0
description :: connection to Public Internet
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map hp
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description :: Local LAN subnet
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet0 overload
!
ip access-list extended testing
permit ip x.x.x.0 0.0.0.255 x.0.0.0 0.255.255.255
permit ip x.x.x.0 0.0.0.255 x.0.0.0 0.255.255.255
!
logging trap debugging
access-list 10 permit x.x.x.x
access-list 101 permit ip x.x.x.0 0.0.0.255 x.x.x.x 0.0.0.3

8 Replies

Jennifer Halim
Cisco Employee

You would need to configure a deny statement between the site-to-site VPN LANs on ACL 101 for NAT exemption:

ip access-list extended 101

     1 deny ip x.x.x.0 0.0.0.255 x.0.0.0 0.255.255.255

Hi halijenn,

Is there any command for NAT exemption on the Cisco 1800 series?

On the ASA we can use "nat 0".

Thanks in advance.

Yes, it would be the "deny" statement advised earlier. Just make sure that the "deny" access-list entry comes before the "permit" access-list entry for your NAT statement.

Hi Halijenn,

My apologies for the late reply, as I was away on reservist duty and had no access to the internet. Could you explain why the deny statement would enable NAT exemption? Thanks in advance.

The "deny" statement will tell the router to bypass the VPN traffic (source subnet and destination subnet) from being NATed.

Here is the sample configuration on router for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

(NB: check out access-list 130 from the above sample config).

Hope that helps.

Hi Halijenn,

Thank you very much. Can I confirm that my understanding below is correct?

Hence what the below configuration does is only NAT when 10.2.2.0/24 tries to access anywhere other than 10.1.1.0/24.

Hence when 10.2.2.0/24 tries to access 10.1.1.0/24, NAT is exempted.

ip nat inside source route-map nonat pool branch overload

access-list 130 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 10.2.2.0 0.0.0.255 any
route-map nonat permit 10
match ip address 130

Hence instead of using a route-map, I can use an access-list as shown below, right?

"ip nat inside source list 130 interface ethernet0 overload"

You are absolutely correct on your understanding.
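As an added illustration (not from the thread or from Cisco's sample configuration), the Python below models IOS first-match evaluation of a wildcard-mask NAT access list and shows why the deny for the VPN subnets must sit above the permit; the function names and sample flows are constructed for this example.

```python
"""Added example: first-match evaluation of an IOS-style NAT ACL with wildcard
masks, using the access-list 130 entries quoted in the thread."""
import ipaddress


def _match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


def parse_acl(lines):
    """Parse 'access-list N <permit|deny> ip SRC SWC DST DWC' (DST may be 'any')."""
    entries = []
    for line in lines:
        parts = line.split()
        action, src, swc = parts[2], parts[4], parts[5]
        if parts[6] == "any":
            dst, dwc = "0.0.0.0", "255.255.255.255"
        else:
            dst, dwc = parts[6], parts[7]
        entries.append((action, src, swc, dst, dwc))
    return entries


def nat_applies(acl, src: str, dst: str) -> bool:
    """True if the flow is translated. The first matching entry decides:
    'permit' means NAT it, 'deny' means NAT exemption; implicit deny at the end."""
    for action, s, swc, d, dwc in acl:
        if _match(src, s, swc) and _match(dst, d, dwc):
            return action == "permit"
    return False


# Constructed copy of ACL 130 from the thread: deny the VPN pair first, then permit.
GOOD = parse_acl([
    "access-list 130 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "access-list 130 permit ip 10.2.2.0 0.0.0.255 any",
])
# Same two lines in the wrong order: the permit matches first, so the deny never fires
# and VPN-bound traffic would be translated.
BAD = parse_acl([
    "access-list 130 permit ip 10.2.2.0 0.0.0.255 any",
    "access-list 130 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255",
])

if __name__ == "__main__":
    print("GOOD, LAN->VPN peer:", nat_applies(GOOD, "10.2.2.10", "10.1.1.5"))   # False
    print("GOOD, LAN->Internet:", nat_applies(GOOD, "10.2.2.10", "203.0.113.9"))  # True
    print("BAD,  LAN->VPN peer:", nat_applies(BAD, "10.2.2.10", "10.1.1.5"))     # True
```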

Hi Halijenn,

Now I understand. Thank you!!
