
New Member

NAT Client VPN Traffic to internet

Hi Guys,

I have a Cisco 2951 terminating my VPNs and I need my VPN clients to access a public IP address but have the source address of the router that terminates the VPN.

The VPN clients are split tunnelled and I have added the public address to the split tunnel ACL in order to bring it up through the tunnel, but I'm sure I need to NAT it back out from the router in some way. I thought I needed to use "ip nat outside...." but this only allows me to use NAT pools.

Can someone give me a pointer??

Thanks,

Neil

8 REPLIES

Re: NAT Client VPN Traffic to internet

Hi,

Normally you don't NAT the VPN traffic and that's why the VPN clients can access the internal resources with their real private addresses.

If you want the VPN client to access the server with its public address, then you NAT the server through the VPN tunnel.

i.e.

Let's say the server is 10.1.1.1 with public IP 200.1.1.1

ip nat inside source static 10.1.1.1 200.1.1.1

Then, in the split-tunneling ACL:

ip access-list extended SPLIT

   permit ip host 200.1.1.1 VPN_CLIENT_SUBNET

In this way the communication through the tunnel flows between the Public IP of the server and the VPN subnet.

Federico.

New Member

Re: NAT Client VPN Traffic to internet

Hi Federico,

The server I'm trying to access is not mine, it's elsewhere on the internet. But it only permits connections from my public IP, so I need clients who VPN into my network to go back out to this server but appear to be coming from my public IP.

Does that make sense?

Thanks,

Neil

Re: NAT Client VPN Traffic to internet

In that case you need to accept all the VPN client traffic and redirect it out to the Internet (doing PAT with your public IP) before sending the traffic to the Internet.

Federico.

New Member

Re: NAT Client VPN Traffic to internet

Hi Federico,

I didn't think I needed to do that. Because my VPN traffic is not crossing a NAT inside interface, it's not going to get NATed out like that.

I want to do what you're suggesting, except only for one public IP.

On an ASA, you would just use the global nat statement with a route-map permitting the VPN client subnet to the public IP and that's it.

Thanks,

Neil

Re: NAT Client VPN Traffic to internet

If you have an ASA, you accept the VPN client traffic on the outside interface and hairpin the traffic back out, doing NAT:

nat (outside) 1 VPN_POOL

global (outside) 1 interface

On a router I believe you cannot do that.

What you can do is receive the VPN traffic on the outside interface, redirect it to a loopback to have it NATed, and send it back out the outside interface so it will get PATed to the public IP.

Federico.
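The loopback trick described above, written out as an IOS configuration. This is an added example, not Federico's config and not the content of Cisco's document. Every name and address in it is assumed: GigabitEthernet0/0 is the Internet-facing interface that terminates the VPN, Loopback0 is a dummy interface used only to carry the decrypted traffic through NAT, 192.168.100.0/24 is a constructed VPN client pool, and 203.0.113.10 is a constructed placeholder for the third-party server that only accepts the router's public IP.

```cisco
! Added example (assumed interface names, pool and server addresses; see lead-in).
! Only VPN-pool traffic to the one external server is policy-routed and translated;
! everything else the clients send through the tunnel is left untouched.
ip access-list extended VPN-TO-SERVER
 permit ip 192.168.100.0 0.0.0.255 host 203.0.113.10
!
! Policy routing: matching packets are handed to Loopback0, so they re-enter
! the routing process on an "ip nat inside" interface instead of leaving
! the router straight from the "ip nat outside" interface they arrived on.
route-map VPN-HAIRPIN permit 10
 match ip address VPN-TO-SERVER
 set interface Loopback0
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
 ip nat inside
!
interface GigabitEthernet0/0
 description Internet-facing / VPN termination (assumed)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 ! Decrypted VPN client packets are seen as arriving on this interface, so the
 ! policy route-map has to be applied here, not on the loopback.
 ip policy route-map VPN-HAIRPIN
!
! Overload (PAT) the hairpinned flows onto the outside interface address, so the
! external server sees the router's public IP rather than a 192.168.100.x address.
ip nat inside source list VPN-TO-SERVER interface GigabitEthernet0/0 overload
```

The VPN-TO-SERVER ACL must agree with the entry Neil added to the split-tunnel ACL, otherwise the clients never send that traffic through the tunnel in the first place. Keep the ACL as narrow as the one destination, since every packet arriving on the outside interface is evaluated against the policy route-map. To confirm it is working, "show ip nat translations" should show 192.168.100.x inside-local entries mapped to the outside interface address, and "debug ip policy" (on a lab box, not a busy production router) shows which packets matched the route-map.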

Silver

Re: NAT Client VPN Traffic to internet

This can be done on a router and here's a document that explains it:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

Chris

Re: NAT Client VPN Traffic to internet

The loopback trick will work, however Christopher's solution is even better :-)

Federico.

New Member

Re: NAT Client VPN Traffic to internet

Guys, this is exactly what I needed.

Thanks for your responses

Neil
