Cisco Support Community
New Member

site to site vpn cisco1811

Hi all,

Below is my site-to-site VPN configuration on a Cisco 1811. It seems that NAT exemption is not configured, but my VPN still works. Can you advise how I can configure NAT exemption? Thanks in advance.

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxx address 11.x.x.x
crypto isakmp key xxxxxx address 11.x.x.x
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map test 50 ipsec-isakmp
set peer 11.x.x.x
set security-association lifetime seconds 28800
set transform-set test
set pfs group2
match address testing
!
!
!
!
interface FastEthernet0
description :: connection to Public Internet
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map hp
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description :: Local LAN subnet
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet0 overload
!
ip access-list extended testing
permit ip x.x.x.0 0.0.0.255 x.0.0.0 0.255.255.255
permit ip x.x.x.0 0.0.0.255 x.0.0.0 0.255.255.255
!
logging trap debugging
access-list 10 permit x.x.x.x
access-list 101 permit ip x.x.x.0 0.0.0.255 x.x.x.x 0.0.0.3

8 REPLIES
Cisco Employee

Re: site to site vpn cisco1811

You would need to configure a deny statement between the site-to-site VPN LANs on ACL 101 for NAT exemption:

ip access-list extended 101
     1 deny ip x.x.x.0 0.0.0.255 x.0.0.0 0.255.255.255

New Member

Re: site to site vpn cisco1811

Hi halijenn,

Is there any command for NAT exemption on the Cisco 1800 series?

On the ASA we can use "nat 0".

Thanks in advance.

Cisco Employee

Re: site to site vpn cisco1811

Yes, it would be the "deny" statement advised earlier. You just have to make sure that the "deny" access-list entry comes before the "permit" access-list entry for your NAT statement.

New Member

Re: site to site vpn cisco1811

Hi Halijenn,

My apologies for the late reply, as I was away on reservist duty and had no access to the internet. Could you explain why the deny statement would enable NAT exemption? Thanks in advance.

Cisco Employee

Re: site to site vpn cisco1811

The "deny" statement tells the router to exempt the VPN traffic (source subnet to destination subnet) from being NATed.

Here is the sample configuration on router for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

(NB: check out access-list 130 from the above sample config).

Hope that helps.

New Member

Re: site to site vpn cisco1811

Hi Halijenn,

Thank you very much. Can I confirm whether my understanding below is correct?

So what the configuration below does is NAT only when 10.2.2.0/24 tries to access anywhere other than 10.1.1.0/24.

Hence when 10.2.2.0/24 tries to access 10.1.1.0/24, NAT is exempted.

ip nat inside source route-map nonat pool branch overload

access-list 130 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 10.2.2.0 0.0.0.255 any
route-map nonat permit 10
match ip address 130

Hence instead of using a route-map, I can use an access-list as shown below, right?

"ip nat inside source list 130 interface ethernet0 overload"

Cisco Employee

Re: site to site vpn cisco1811

You are absolutely correct on your understanding.
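
As an added illustration (not part of this thread, and not Cisco code): a small Python evaluator of the first-match logic behind the NAT "inside source list" ACL, using the 10.2.2.0/24 and 10.1.1.0/24 subnets from the sample above as constructed test addresses. It shows that with the deny line first, 10.2.2.0/24 to 10.1.1.0/24 traffic is not NATed, and that reversing the two lines silently re-enables NAT for the VPN traffic.

```python
# Added example, not from the thread: an IOS-style first-match evaluator for
# the NAT "inside source list" ACL, to show why the deny for the VPN subnets
# must come before "permit ... any". Addresses below are constructed samples.
import ipaddress


def _addr(tokens, i):
    """Parse 'any' or 'A.B.C.D WILDCARD' at tokens[i]; return (net, wildcard, next_i)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_acl(lines):
    """Parse 'access-list N {permit|deny} ip SRC DST' lines, preserving their order."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # only the plain 'ip' entries used in the thread are handled
        src_net, src_wild, i = _addr(t, 4)
        dst_net, dst_wild, _ = _addr(t, i)
        rules.append((t[2], src_net, src_wild, dst_net, dst_wild))
    return rules


def _matches(addr, net, wild):
    # Wildcard mask: a 1 bit means "don't care", so compare only the 0 bits.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def nat_applies(rules, src, dst):
    """First matching entry decides; implicit deny at the end. True = packet is NATed."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, sn, sw, dn, dw in rules:
        if _matches(s, sn, sw) and _matches(d, dn, dw):
            return action == "permit"
    return False


# The ordering from the thread: deny the VPN subnet pair first, then permit the rest.
NAT_ACL_OK = parse_acl([
    "access-list 130 deny   ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "access-list 130 permit ip 10.2.2.0 0.0.0.255 any",
])
# Same two entries reversed: "permit ... any" matches first and shadows the deny.
NAT_ACL_SHADOWED = NAT_ACL_OK[::-1]
```

Checking `nat_applies(NAT_ACL_OK, "10.2.2.5", "10.1.1.7")` returns False (exempt) while the shadowed list returns True for the same packet, which is exactly the ordering mistake the reply warns about.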

New Member

Re: site to site vpn cisco1811

Hi Halijenn,

Now I understand. Thank you!!
