715 Views · 5 Helpful · 22 Replies

NAT incoming from internet but not VPN Tunnel

MikeTomasko
Level 4

I have my router setup with 2 NAT commands to forward traffic coming in on certain ports to 2 different servers based on what the port number is. I have this setup so I can VNC into the servers remotely.

ip nat inside source static tcp 172.16.0.17 5959 interface FastEthernet0/1 5959

ip nat inside source static tcp 172.16.0.16 5900 interface FastEthernet0/1 5900

My problem is now I have a VPN tunnel setup from my house to the lab router so when I'm home I'd like to be able to VNC to the servers directly through the VPN tunnel so I don't need those IPs translated when I'm on the VPN tunnel, but I do need them translated when I'm remote, but NOT on the VPN tunnel. Hope that all makes sense! Thanks!!

22 Replies

msubtain
Level 1

Which router are you using?

Try using a NAT 0 statement with an access-list containing your home and office networks.

Muhammad

It is a 2621XM router.

I was looking into doing it with an access-list, but it doesn't look like you can use a port number with a NAT command that uses an access-list.

You need to define the port number and the source and destination networks within the access-list and then use it with NAT 0.

Muhammad

Can you post me an example of the commands I need? Thanks.

On the VPN tunnel you should be running NAT 0 for any traffic between your office and home network over the VPN tunnel.

Something like this:

access-list nat0 permit ip officenetwork homenetwork

nat (inside) 0 access-list nat0

Muhammad

I created the access list:

access-list 100 permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0

What would my nat command be? What you gave me doesn't work. I tried ip nat inside access-list 100, but it didn't like that command. Thanks.

Sorry, I totally ignored the device you are using. Anyway, here is the document which should tell you exactly what to do; look at the router configuration in the document and modify the statements according to your situation:

http://www.cisco.com/warp/public/110/39.html

Muhammad

I already have all of that in my config. But it's the following lines that are overriding things.

ip nat inside source static tcp 172.16.0.17 5959 interface FastEthernet0/1 5959

ip nat inside source static tcp 172.16.0.16 5900 interface FastEthernet0/1 5900

So when I try and VNC to 172.16.0.16 or 172.16.0.17 I can't reach the servers because the address is being translated. As soon as I delete those lines, I can VNC to those IPs from the remote VPN site. But when I take them out, I then can't get in from the outside (cable internet) connection.

Can you post your config?

The router and PIX IPs have been removed. There are some access-lists and route-maps in the config for some things I was trying, but they didn't work.

See attached.

Try this; you can adjust it more according to your needs, but this should solve your problem. The problem is that the static NAT has preference over the dynamic one:

ip nat inside source static 172.16.0.17 External IP route-map nostatic

!

access-list 161 deny ip host 172.16.0.17 172.16.1.0 0.0.0.255

access-list 161 permit ip host 172.16.0.17 any

!

route-map nostatic permit 10

match ip address 161

Let me know if this solved your problem, and please rate all the posts which may have helped you.

Muhammad
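As an added illustration (not part of the thread, and not IOS code), here is a small Python model of how the route-map-gated static translation in the reply above decides whether a packet from 172.16.0.17 gets translated. ACL 161 is evaluated top-down with IOS wildcard masks: the deny for the home LAN 172.16.1.0/24 means the route-map does not match, so the packet keeps its inside address across the tunnel, while the permit any makes every other destination translate. The external address is a placeholder and the sample destinations are constructed (203.0.113.5 is from the TEST-NET-3 documentation range). The same matcher also shows why the mask in an extended ACL has to be the inverse (wildcard) form: 172.16.0.0 with 255.255.255.0 read as a wildcard matches only addresses whose last octet is 0, not the whole /24.

```python
from ipaddress import IPv4Address

# Constructed model (not IOS itself) of the route-map-gated static NAT from the reply above.
# An ACL entry is (action, (src_base, src_wildcard), (dst_base, dst_wildcard)), using IOS
# wildcard masks: a set bit means "don't care". "host X" is wildcard 0.0.0.0 and "any" is
# 0.0.0.0 255.255.255.255.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard comparison: only the bits that are 0 in the wildcard must agree."""
    a = int(IPv4Address(addr))
    b = int(IPv4Address(base))
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# access-list 161 as posted: exempt the home LAN reached over the tunnel, translate the rest.
ACL_161 = [
    ("deny",   ("172.16.0.17", "0.0.0.0"), ("172.16.1.0", "0.0.0.255")),
    ("permit", ("172.16.0.17", "0.0.0.0"), ("0.0.0.0", "255.255.255.255")),
]

def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False

INSIDE_LOCAL = "172.16.0.17"
INSIDE_GLOBAL = "EXTERNAL_IP_PLACEHOLDER"   # stands in for the router's public address

def translated_source(src: str, dst: str) -> str:
    """Source address the packet leaves the router with. The static entry applies only
    when route-map nostatic (match ip address 161) permits the flow."""
    if src == INSIDE_LOCAL and acl_permits(ACL_161, src, dst):
        return INSIDE_GLOBAL
    return src

def demo() -> dict:
    """Constructed sample flows: one to the home LAN over the VPN, one to the Internet,
    plus the two ways of writing the /24 mask in an extended ACL."""
    return {
        "to_home_lan": translated_source(INSIDE_LOCAL, "172.16.1.25"),
        "to_internet": translated_source(INSIDE_LOCAL, "203.0.113.5"),
        # A subnet mask written where IOS expects a wildcard matches the wrong hosts:
        "subnet_mask_as_wildcard": wildcard_match("172.16.0.17", "172.16.0.0", "255.255.255.0"),
        "inverse_mask": wildcard_match("172.16.0.17", "172.16.0.0", "0.0.0.255"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the flow to 172.16.1.25 leaving with its real inside address and the flow to the Internet leaving with the placeholder public address; the last two entries show the subnet-mask form failing to match 172.16.0.17 while the wildcard form matches it.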

