Cisco Support Community
Bronze

NAT incoming from internet but not VPN Tunnel

I have my router setup with 2 NAT commands to forward traffic coming in on certain ports to 2 different servers based on what the port number is. I have this setup so I can VNC into the servers remotely.

ip nat inside source static tcp 172.16.0.17 5959 interface FastEthernet0/1 5959

ip nat inside source static tcp 172.16.0.16 5900 interface FastEthernet0/1 5900

My problem is now I have a VPN tunnel setup from my house to the lab router so when I'm home I'd like to be able to VNC to the servers directly through the VPN tunnel so I don't need those IPs translated when I'm on the VPN tunnel, but I do need them translated when I'm remote, but NOT on the VPN tunnel. Hope that all makes sense! Thanks!!

22 REPLIES
New Member

Re: NAT incoming from internet but not VPN Tunnel

Which router are you using?

Try using a NAT 0 statement with an access-list having your home and office networks.

Muhammad

Bronze

Re: NAT incoming from internet but not VPN Tunnel

It is a 2621XM router.

I was looking into doing it with an access-list, but it doesn't look like you can use a port number with a NAT command that uses an access-list.

New Member

Re: NAT incoming from internet but not VPN Tunnel

You need to define the port number and source/destination networks within the access-list and then use it with NAT 0.

Muhammad

Bronze

Re: NAT incoming from internet but not VPN Tunnel

Can you post me an example of the commands I need? Thanks.

New Member

Re: NAT incoming from internet but not VPN Tunnel

On the VPN tunnel you should be running NAT 0 for any traffic between your office and home network over the VPN tunnel.

Something like this:

access-list nat0 permit ip officenetwork homenetwork

nat (inside) 0 access-list nat0

Muhammad

Bronze

Re: NAT incoming from internet but not VPN Tunnel

I created the access list:

access-list 100 permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0

What would my nat command be? What you gave me doesn't work. I tried ip nat inside access-list 100, but it didn't like that command. Thanks.

New Member

Re: NAT incoming from internet but not VPN Tunnel

Sorry, I totally ignored the device you are using. Anyway, here is the document which should tell you exactly what to do; look at the router configuration in the document and modify the statements according to your situation.

http://www.cisco.com/warp/public/110/39.html

Muhammad

Bronze

Re: NAT incoming from internet but not VPN Tunnel

I already have all of that in my config. But it's the following lines that are overriding things.

ip nat inside source static tcp 172.16.0.17 5959 interface FastEthernet0/1 5959

ip nat inside source static tcp 172.16.0.16 5900 interface FastEthernet0/1 5900

So when I try and VNC to 172.16.0.16 or 172.16.0.17 I can't reach the servers because the address is being translated. As soon as I delete those lines, I can VNC to those IPs from the remote VPN site. But when I take them out, I then can't get in from the outside (cable internet) connection.

New Member

Re: NAT incoming from internet but not VPN Tunnel

Can you post your config

New Member

Re: NAT incoming from internet but not VPN Tunnel

Bronze

Re: NAT incoming from internet but not VPN Tunnel

The router and PIX IPs have been removed. There are some access-lists and route-maps in the config for some things I was trying, but they didn't work.

Bronze

Re: NAT incoming from internet but not VPN Tunnel

See attached.

New Member

Re: NAT incoming from internet but not VPN Tunnel

Try this; you can adjust it more according to your needs, but this should solve your problem. The problem is that static NAT is taking preference over the dynamic.

ip nat inside source static 172.16.0.17 External IP route-map nostatic

!

access-list 161 deny ip host 172.16.0.17 172.16.1.0 0.0.0.255

access-list 161 permit ip host 172.16.0.17 any

!

route-map nostatic permit 10

match ip address 161

Let me know if it solved your problem, and please rate all the posts which may have helped you.

Muhammad

New Member

Re: NAT incoming from internet but not VPN Tunnel

Hi Mike,

How did you go with that config?

Here is the document which exactly addresses your situation. Have a look:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml#intro

Rate all helping posts.

Muhammad

Bronze

Re: NAT incoming from internet but not VPN Tunnel

I'm still having no luck. Any more ideas or sample configs to try? I went with that config because I needed to use the static TCP routes to re-route traffic coming in on port 5900 to one inside server and traffic coming in on port 5959 to another server. That was before I had the site to site VPN. Now I'd like to be able to connect to the servers from anywhere using the translation on FA0/1 and from the VPN. But with my current config, it won't allow me to go directly to the server when I'm on the site VPN. Just can connect through the outside internet IP.

New Member

Re: NAT incoming from internet but not VPN Tunnel

Did you try a static NAT statement with a route map having the appropriate entries? Go through that link I sent you in my last post; it should resolve your problem.

Bronze

Re: NAT incoming from internet but not VPN Tunnel

I'm still new to this and learning the hard way. Can you post the config you want me to try? I posted my whole config last night, so you can get my IP scheme, etc. from there. Thanks.

New Member

Re: NAT incoming from internet but not VPN Tunnel

Have a look and add it into your config; it can be summarised further once you understand it.

ip nat inside source static tcp 172.16.0.17 5959 Ext IP address 5959 route-map static1

ip nat inside source static tcp 172.16.0.16 5900 Ext IP address 5900 route-map static2

access-list 131 deny ip host 172.16.0.17 172.16.1.0 0.0.0.255

access-list 131 permit ip host 172.16.0.17 any

access-list 132 deny ip host 172.16.0.16 172.16.1.0 0.0.0.255

access-list 132 permit ip host 172.16.0.16 any

route-map static1 permit 10

match ip address 131

route-map static2 permit 10

match ip address 132
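
To make the behaviour of the config above concrete, here is an added Python simulation (not router code, and not from this thread) of how a route-map-conditioned static NAT entry decides whether to translate. It models the IOS access-list semantics the post relies on (first matching entry wins, implicit deny at the end, a `deny` in the ACL means the `route-map ... permit` clause does not match and the NAT entry is skipped). The server addresses 172.16.0.16/.17 and the VPN site 172.16.1.0/24 are taken from the thread; the external address 203.0.113.10 is a placeholder, since the poster never gave the real one.

```python
"""Simulation of 'ip nat inside source static tcp ... route-map X' decisions.

Added example only: it reproduces the match logic of the access-lists and
route-maps posted above so you can see which flows are translated and which
leave the router untouched. Not router code.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # IOS address spec: "any", "host A.B.C.D", or "A.B.C.D wildcard"
    dst: str


def _matches(spec: str, addr: str) -> bool:
    """Evaluate one IOS address spec against a dotted-quad address."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_address(addr) == ipaddress.ip_address(parts[1])
    base = int(ipaddress.ip_address(parts[0]))
    wildcard = int(ipaddress.ip_address(parts[1]))
    mask = 0xFFFFFFFF ^ wildcard  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.ip_address(addr)) & mask) == (base & mask)


def acl_result(entries, src: str, dst: str) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for e in entries:
        if _matches(e.src, src) and _matches(e.dst, dst):
            return e.action
    return "deny"


# access-list 131 / 132 exactly as posted: deny to the VPN site, permit elsewhere
ACLS = {
    131: [AclEntry("deny", "host 172.16.0.17", "172.16.1.0 0.0.0.255"),
          AclEntry("permit", "host 172.16.0.17", "any")],
    132: [AclEntry("deny", "host 172.16.0.16", "172.16.1.0 0.0.0.255"),
          AclEntry("permit", "host 172.16.0.16", "any")],
}
# route-map static1 permit 10 / match ip address 131  (and static2 -> 132)
ROUTE_MAPS = {"static1": 131, "static2": 132}

EXTERNAL_IP = "203.0.113.10"  # placeholder for the poster's real external IP

# (inside local, local port, inside global, global port, route-map)
NAT_ENTRIES = [
    ("172.16.0.17", 5959, EXTERNAL_IP, 5959, "static1"),
    ("172.16.0.16", 5900, EXTERNAL_IP, 5900, "static2"),
]


def translate(src: str, sport: int, dst: str):
    """Inside-to-outside decision for a packet leaving one of the VNC servers.

    Returns the (source address, source port) the packet leaves with. The
    route-map's permit clause matches only when its ACL permits; a deny (or the
    implicit deny) means the static entry is skipped and the packet is sent
    untranslated, which is what lets the VPN site reach the real 172.16.0.x.
    """
    for local, lport, glob, gport, rmap in NAT_ENTRIES:
        if src != local or sport != lport:
            continue
        if acl_result(ACLS[ROUTE_MAPS[rmap]], src, dst) == "permit":
            return glob, gport
        return src, sport
    return src, sport  # no static entry for this flow at all


if __name__ == "__main__":
    for dst in ("172.16.1.50", "198.51.100.7"):  # VPN site vs. a random Internet host
        print("172.16.0.17:5959 ->", dst, "leaves as", translate("172.16.0.17", 5959, dst))
```

Running it shows the split the thread is after: the reply from 172.16.0.17:5959 to 172.16.1.50 (the home site across the tunnel) keeps its real address, while the same server answering an Internet client leaves as 203.0.113.10:5959.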

Bronze

Re: NAT incoming from internet but not VPN Tunnel

I'll have to do some more testing, but I think you got it! Thanks SO much!!

Could you give me a quick explanation of the changes?

Also, my External IP is dynamic. Although I haven't seen it change yet, it's bound to change sometime. Is there any way to write the NAT command so it updates when the External IP changes? That's why I was tying my NAT command to the interface before. I haven't found a way yet to tie a NAT command to an interface and a route-map. Thanks!

Bronze

Re: NAT incoming from internet but not VPN Tunnel

Anyone have any ideas, or am I gonna have to just update my NAT statement if/when my IP changes from my ISP? Thanks!

Bronze

Re: NAT incoming from internet but not VPN Tunnel

I'm guessing there's no way to do this since nobody has replied? Thanks!

207 Views · 5 Helpful · 22 Replies