New Member

NAT 0 Question?

Hello All,

I have a 2851 Router. I am in the process of setting up a VPN. I have already created the ACL for my VPN interesting traffic but need to know how to disable NAT for my traffic going across the site-to-site VPN?

6 REPLIES
Hall of Fame Super Bronze

Re: NAT 0 Question?

Don't include that traffic on the ACL

New Member

Re: NAT 0 Question?

I don't understand?

Hall of Fame Super Bronze

Re: NAT 0 Question?

Only traffic included on the ACL will be a candidate for NAT.

If you don't want some flows to be NAT'd, don't include them on the NAT ACL.

NAT 0 on the FW is for NAT exception. Not needed on Cisco IOS, as traffic not included on the NAT ACL has an exception by default.

Regards,

Edison

New Member

Re: NAT 0 Question?

Thanks Mr. Ortiz.

Re: NAT 0 Question?

In the ACL that you're using for NATting, deny the subnets that you're pushing across the VPN.

Suppose you have 192.168.1.0/24 and 192.168.2.0/24 on the other side. You want to NAT 192.168.1.0 when it goes to the Internet, but you don't want to NAT across the tunnel.

! NAT inside traffic that the route-map permits, using the s0/0 address
ip nat inside source route-map NAT interface s0/0
! Deny (exempt from NAT) the traffic that goes across the tunnel
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! Everything else is NAT'd
access-list 100 permit ip any any
route-map NAT permit 5
 match ip address 100

HTH,

John

HTH, John *** Please rate all useful posts ***
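The answer above depends on entry order: the deny for the tunnel subnets must come before `permit ip any any`. As an added example (not part of the thread), this Python check walks a NAT ACL first-match and lists the crypto-ACL flows it would still translate. The crypto ACL number 110, the sample configs and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed configs for illustration; ACL 110 (crypto ACL) is an assumed number.
CRYPTO = "access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"
NAT_GOOD = """access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip any any"""
NAT_BAD = """access-list 100 permit ip any any
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"""

def _take_net(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    # Invert the wildcard into a netmask (contiguous wildcards only).
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok.pop(0))))
    return ipaddress.ip_network(f"{first}/{mask}")

def parse_acl(text, number):
    """Return [(action, src, dst)] for 'access-list <number> <action> ip ...' lines."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["access-list", str(number)] and len(tok) > 4 and tok[3] == "ip":
            rest = tok[4:]
            src = _take_net(rest)
            entries.append((tok[2], src, _take_net(rest)))
    return entries

def may_be_natted(nat_entries, src, dst):
    """First-match walk of the NAT ACL; True if any part of src->dst hits a permit."""
    for action, a_src, a_dst in nat_entries:
        if not (src.overlaps(a_src) and dst.overlaps(a_dst)):
            continue
        if action == "permit":
            return True          # permit in the NAT ACL means "translate"
        if src.subnet_of(a_src) and dst.subnet_of(a_dst):
            return False         # whole flow denied before any permit: exempt
    return False                 # implicit deny: not in the ACL, so not translated

def natted_vpn_flows(nat_text, nat_no, crypto_text, crypto_no):
    """Crypto-ACL permit entries that the NAT ACL would still translate."""
    nat = parse_acl(nat_text, nat_no)
    return [(str(s), str(d)) for act, s, d in parse_acl(crypto_text, crypto_no)
            if act == "permit" and may_be_natted(nat, s, d)]

if __name__ == "__main__":
    print("good:", natted_vpn_flows(NAT_GOOD, 100, CRYPTO, 110))
    print("bad: ", natted_vpn_flows(NAT_BAD, 100, CRYPTO, 110))
```

A deny that covers only part of a crypto-ACL flow is treated conservatively: the flow is still reported if a later permit catches the remainder.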
New Member

Re: NAT 0 Question?

Thanks John.
