
New Member

vpn between asa and cisco 877 router

hi,

i am trying to set up vpn between asa and cisco 877 router (in the past i have set up between asa and asa, pix and pix but not between asa and router)

I am confused with the nonat concept in cisco router (for vpn). i mean why do you need a route-map and deny the traffic. could you throw some light on this ?

cisco link

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml#CLI1

Thanks

6 REPLIES
Cisco Employee


Same as on ASA/PIX, NAT is performed before encryption and after decryption.

How you will define traffic not to hit NAT (or to hit it) is up to you: routing (VTI/GRE interface), access-list or route-map.

There is no concept of "no nat" on IOS routers.

M.

New Member


!
ip nat inside source route-map nonat interface FastEthernet0 overload
!
access-list 110 deny ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 10.20.10.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 110
!

or better (if you have for example the public IP 1.2.3.5)

!
ip nat pool 1.2.3.5 1.2.3.5 1.2.3.5 prefix-length 30
!
ip nat inside source list nat-to-internet pool 1.2.3.5 overload
!
ip access-list extended nat-to-internet
 deny   ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.20.10.0 0.0.0.255 any
 deny   ip any any
!

New Member


hi, thanks for this

what does this line do ?

ip nat inside source route-map nonat interface FastEthernet0 overload

New Member


All inside hosts 10.20.10.0/24 will NOT be natted when they reach 10.10.10.0/24 and will be natted with 172.17.1.1 when they reach all other IPs

Note: on the link

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml#CLI1

I presume there's a mistake: the interface commands "ip nat inside" / "ip nat outside" are missing
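
Added example (not from any poster in this thread and not Cisco's code): a small Python model of how the access-list 110 posted above selects traffic for NAT, using first-match evaluation and IOS wildcard masks. The function names and the sample flows are constructed for illustration; "exempt" means the packet leaves with its original 10.20.10.x source address.

```python
import ipaddress

# ACL 110 exactly as posted in the thread (IOS wildcard-mask syntax).
ACL_110 = """\
access-list 110 deny ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 10.20.10.0 0.0.0.255 any
"""

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(word)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        action, rest = tokens[2], tokens[4:]   # tokens[3] is the protocol ("ip")
        entries.append((action, _take_addr(rest), _take_addr(rest)))
    return entries

def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF      # a wildcard bit of 1 means "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def nat_decision(entries, src, dst):
    """First match wins; 'permit' means the route-map matches, so NAT applies."""
    for action, src_spec, dst_spec in entries:
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return "translate" if action == "permit" else "exempt"
    return "exempt"   # implicit deny at the end of every ACL: no translation

if __name__ == "__main__":
    acl = parse_acl(ACL_110)
    # Constructed sample flows: (source, destination)
    for src, dst in [("10.20.10.5", "10.10.10.7"), ("10.20.10.5", "198.51.100.9")]:
        print(src, "->", dst, nat_decision(acl, src, dst))
```

Swapping the two ACL lines makes the permit match first, so traffic to 10.10.10.0/24 would be translated as well; the order of the deny and permit entries is what produces the exemption.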

New Member


what does "ip nat inside" / "ip nat outside" do ?
