Cisco Support Community
New Member

Understanding NAT translation with route-map

Hi

I am trying to configure an EZVPN server on an ASA and an EZVPN client on an 881 router. I found in the documentation that I have to do NAT translation on the client side.

My confusion is why I have to use the deny statement in the access-list. If anybody can explain this, I would appreciate it.

! Overload (PAT) onto the Fa4 address every inside source that route-map EzVPN1 permits
ip nat inside source route-map EzVPN1 interface FastEthernet4 overload
!
! LAN to remote network behind the ASA is excluded from NAT; everything else from the LAN is translated
access-list 103 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 any
!
route-map EzVPN1 permit 1
 match ip address 103

1 ACCEPTED SOLUTION
Cisco Employee

Re: Understanding NAT translation with route-map

Hi,

So here goes the explanation for having the "deny" statement in the ACL used for NATing.

Based on the config you posted, 192.168.3.x is the network behind your 881 and 192.168.2.x is the network behind the ASA. Let's assume you are trying to connect from 192.168.3.10 to 192.168.2.10. When this packet comes to the 881, it first checks the ingress features on the incoming interface (like ACL, policy, service-policy, etc.) and before checking the "IPsec SAs" it checks the NAT configuration.

Now your IPsec SA will specify that traffic from 192.168.3.x destined to 192.168.2.x should be encrypted and then sent out. If we do not have the "deny" statement in the ACL, the 881 will NAT the incoming packets and the source IP address in the packet will get modified to the IP of the Fa4 interface.

This will no longer match the IPsec SA configuration and hence will not get encrypted. That is why we need the "deny" statement: so that VPN traffic does not get NATed and flows through properly.

Hope this helps!!
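
An added worked model of the ordering described in the answer above (my own example for this page, not code from the thread or from Cisco). It implements Cisco-style wildcard-mask ACL evaluation with the implicit deny, the route-map NAT decision driven by access-list 103, and then the IPsec SA selector check, for one inside-to-outside packet. Assumptions not stated in the thread: the Fa4 address 203.0.113.2, an SA selector of 192.168.3.0/24 to 192.168.2.0/24 (as the answer describes it), and the constructed test packets.

```python
"""Model of NAT-before-IPsec ordering on the 881 (added example, not thread code)."""
import ipaddress

# Assumption: public address of FastEthernet4; the thread never states it.
FA4_IP = "203.0.113.2"
ANY = ("0.0.0.0", "255.255.255.255")  # the 'any' keyword as network/wildcard

# access-list 103 as posted: (action, src net, src wildcard, dst net, dst wildcard)
ACL_103_WITH_DENY = [
    ("deny",   "192.168.3.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("permit", "192.168.3.0", "0.0.0.255", *ANY),
]
# The same ACL with the deny line left out (the case the question asks about)
ACL_103_WITHOUT_DENY = ACL_103_WITH_DENY[1:]

# IPsec SA proxy identity as the answer describes it (assumed, not in the posted config):
# LAN behind the 881 to LAN behind the ASA
IPSEC_SELECTOR = [("permit", "192.168.3.0", "0.0.0.255", "192.168.2.0", "0.0.0.255")]


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_eval(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit 'deny'."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


def forward(nat_acl, src, dst):
    """Inside-to-outside processing in the order the answer gives: NAT first, then IPsec.

    route-map EzVPN1 permit 1 / match ip address 103: the packet matches the
    route-map clause (and is PAT'ed to Fa4) only when the ACL returns 'permit';
    a 'deny' in the ACL means the clause does not match, so no translation.
    """
    translated = acl_eval(nat_acl, src, dst) == "permit"
    post_nat_src = FA4_IP if translated else src
    # The SA selector is evaluated against the packet as it looks after NAT.
    encrypted = acl_eval(IPSEC_SELECTOR, post_nat_src, dst) == "permit"
    return {"translated": translated, "src": post_nat_src, "encrypted": encrypted}


if __name__ == "__main__":
    for label, acl in (("with deny", ACL_103_WITH_DENY), ("without deny", ACL_103_WITHOUT_DENY)):
        # Constructed destinations: the LAN behind the ASA, and a plain Internet host
        for dst in ("192.168.2.10", "198.51.100.7"):
            print(label, "192.168.3.10 ->", dst, forward(acl, "192.168.3.10", dst))
```

Running it shows the failure mode the answer describes: with the deny line, 192.168.3.10 to 192.168.2.10 leaves untranslated and matches the SA, while Internet-bound traffic is PAT'ed to Fa4 and sent in the clear; without the deny line, the VPN-bound packet is rewritten to the Fa4 address first and then fails the SA selector. On the real router the same two facts are visible with `show ip nat translations` (a VPN flow should have no entry there) and the encaps counters in `show crypto ipsec sa`.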

2 REPLIES
New Member

Re: Understanding NAT translation with route-map

Thank you for your explanation.
