Can't access Internet and VPN tunnel without static NAT

sparker818
Level 1

Greetings, I'm dealing with an issue on a router running IOS Version 12.4(24)T4:

The router has an IPSEC tunnel with another router (non-cisco) at another site and the tunnel is working fine.

My problem is that hosts behind this router cannot route to both hosts on the other end of the tunnel
AND outside to the Internet unless they have a static NAT.

Here's the pertinent config (public IPs changed for purpose of discussion):

ip nat pool MMPOOL 198.5.7.130 198.5.7.130 netmask 255.255.255.192
ip nat inside source list 1 pool MMPOOL overload
ip nat inside source static 10.1.1.22 198.5.7.131 route-map nonat
ip nat inside source static 10.1.1.24 198.5.7.132 route-map nonat
ip nat inside source static 10.1.1.35 198.5.7.133 route-map nonat
ip nat inside source static 10.1.1.67 198.5.7.134 route-map nonat
...

access-list 1 deny   10.1.1.22
access-list 1 deny   10.1.1.24
access-list 1 deny   10.1.1.35
access-list 1 deny   10.1.1.67
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 110 deny   ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 110 permit ip 10.1.1.0 0.0.0.255 any
!
!
!
route-map nonat permit 10
 match ip address 110
!

My side of the tunnel is 10.1.1.0/24 and the other side of the tunnel is 10.2.2.0/24

I had to create the "nonat" route-map and apply it to the static NATs so that the NATs would not
be applied to traffic going over the tunnel, and this works fine.  Hosts that have a static
NAT can get outside to the Internet because they are denied from the main NAT pool and are filtered
through the nonat policy map.

My problem is that hosts that do not have a static NAT (and don't need one, frankly) can either
route to the VPN tunnel or the Internet, but not both.  As is, with the configuration above,
if a host on the 10.1.1.x network that does not have a static NAT tries to access the Internet, 
that works fine but they cannot access the other side of the tunnel (10.2.2.0/24).  But if I add
the host to the access-list 1 deny then I can access the other side of the tunnel but not the Internet.

I hope I'm missing an obvious solution here but it's not occurring to me. I can't imagine this is
going to require a static NAT for every host, because that's not feasible.

Thoughts, suggestions on what I'm missing here?

Thanks!

Steve

2 Replies

sparker818
Level 1

With more tinkering, I was able to get this to work:

1.  Got rid of the NAT pool:

ip nat pool MMPOOL 198.5.7.130 198.5.7.130 netmask 255.255.255.192
ip nat inside source list 1 pool MMPOOL overload

and replaced it with:

ip nat inside source list 122 interface FastEthernet0/0 overload

 

2.  Added the corresponding ACL and explicitly denied the servers that have a static NAT:

access-list 122 deny ip host 10.1.1.22 any
access-list 122 deny ip host 10.1.1.24 any
access-list 122 deny ip host 10.1.1.35 any
access-list 122 deny ip host 10.1.1.67 any
access-list 122 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 122 permit ip 10.1.1.0 0.0.0.255 any

 

Now, both servers with static NAT can route over the tunnel and externally, as can servers without a static NAT.
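As an added illustration (not code from the thread), here is a small Python model of IOS ACL matching applied to the two dynamic-NAT lists above. It shows the root cause: standard list 1 can only examine the source, so it translates 10.2.2.0/24-bound packets before the crypto map on the outside interface sees them, while extended list 122 leaves that traffic untranslated. Only the dynamic-NAT path is modelled; the 203.0.113.10 Internet address and the 10.2.2.10 remote host are constructed sample values.

```python
import ipaddress
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _spec(tokens):
    """Consume one address spec: any | host X | X WILDCARD | bare X (single host)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1:
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]

def parse_acl(text):
    """Parse 'access-list N permit|deny [ip] SRC [DST]'; a standard list matches source only."""
    rules = []
    for line in text.splitlines():
        p = line.split()
        if not p or p[0] != "access-list":
            continue
        if p[3] == "ip":                  # extended list: source and destination
            src, rest = _spec(p[4:])
            dst, _ = _spec(rest)
        else:                             # standard list: destination is never examined
            src, dst = _spec(p[3:])[0], ANY
        rules.append((p[2] == "permit", src, dst))
    return rules

def permits(rules, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for permit, (sb, sw), (db, dw) in rules:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return permit
    return False

def egress_source(src, dst, nat_acl, global_addr="198.5.7.130"):
    """Source address after 'ip nat inside source list <acl> ... overload': permit = translate, deny = untouched."""
    return global_addr if permits(nat_acl, src, dst) else src

# The two dynamic-NAT lists from the thread (static-NAT hosts abbreviated to 10.1.1.22).
ACL_1 = parse_acl("""access-list 1 deny   10.1.1.22
access-list 1 permit 10.1.1.0 0.0.0.255""")
ACL_122 = parse_acl("""access-list 122 deny ip host 10.1.1.22 any
access-list 122 deny ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 122 permit ip 10.1.1.0 0.0.0.255 any""")
```

With list 1, a host such as 10.1.1.50 is translated even when talking to 10.2.2.10, so the packet no longer matches the crypto ACL; with list 122 the same flow leaves with its real source and Internet-bound flows are still overloaded onto the outside address.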

rakeshvelagala
Level 3

Hi

So you want all the hosts in the subnet 10.1.1.x/24 to access 10.2.2.0/24? and also Internet?

ip nat pool MMPOOL 198.5.7.130 198.5.7.130 netmask 255.255.255.0
ip nat inside source list 101 pool MMPOOL overload

access-list 101 deny ip 10.1.1.1 0.0.0.255 10.2.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any

Thanks
