We have static NAT configured on an 1800 router for two hosts, viz. a.b.c.d and p.q.r.s, mapped to Public_Addr1 and Public_Addr2. With this we are able to access these hosts from the internet without any problem. Currently no firewall feature is used, so WAN-to-LAN access is allowed.
Next, we plan to set up a site-to-site VPN for these two hosts with remote-site hosts. Now if we configure this site-to-site VPN, is there a possibility that our static NAT for these two hosts would not work from all places? This would lead us to losing connectivity to those hosts except from the VPN locations.
Another problem is that the second location can access our hosts a.b.c.d and p.q.r.s not by these private addresses but by totally different private addresses,
say a1.b1.c1.d1 and p1.q1.r1.s1. So if these hosts try to communicate with "Other side VPN" hosts, then we need to NAT them first (to a1.b1.c1.d1, p1.q1.r1.s1) and then send them for encryption.
Here are the cases:
Case 1. If host a.b.c.d tries to access the internet --> then source-NAT it to Public_Addr1 and send it to the WAN interface of the router.
Case 2. If host a.b.c.d tries to access an "Other side VPN" host, then source-NAT it to a1.b1.c1.d1 and send the packet to the encryption process,
where it will be encrypted in tunnel mode and sent out the WAN link with the other end's VPN tunnel public address as destination address.
If [ a.b.c.d (Src) and Other_Side_VPN (Dest) ] --> then NAT the source address: [ a1.b1.c1.d1 (Src) and Other_Side_VPN (Dest) ]
--> then encrypt this packet --> wrap it with an ESP header addressed to the Other_end_VPN_Public address --> WAN link.
The access-list in the crypto map will have source address a1.b1.c1.d1 and target address "Other_Side_VPN hosts".
Can it be done? Do we have something like nat (0) in the firewall which excludes the NAT process? But here in our case it is a two-step process:
changing the source IP to another source IP and then encrypting the packet.
The scenario is more complex because of the presence of the crypto map.
However, I think the difference is that in the second case, using the static keyword, you allow translations that start from outside to inside:
The following example shows how to configure route map R1 to allow outside-to-inside translation for static NAT:
ip nat inside source static 10.1.1.1 10.2.2.2 route-map R1 reversible
ip access-list extended ACL-A
permit ip any 10.1.10.128 0.0.0.127
route-map R1 permit 10
match ip address ACL-A
! this is in the usage guidelines of the NAT command reference
In your first configuration you use a NAT pool and not the static keyword. To see if this is true you could try to use the route-map without the static keyword combined with the NAT pool. I would expect that there are still problems when starting the ICMP from the other side.
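The two cases from the question and the route-map static NAT the reply points to, combined into one IOS configuration. This is an added example, not from either poster: all addresses, ACL, route-map and interface names are constructed stand-ins, and the behaviour of the reversible keyword for Internet-initiated sessions is taken from the reply rather than tested here.

```cisco
! Added example (not from the thread). Constructed stand-ins for the post's placeholders:
!   192.168.10.10  = a.b.c.d      (inside host)
!   203.0.113.10   = Public_Addr1 (its Internet-facing address)
!   10.99.0.10     = a1.b1.c1.d1  (address the VPN peer expects to see)
!   172.16.50.0/24 = "Other side VPN" hosts; peer public address 198.51.100.1
!
! Step 1: classify by destination, using the host's real (untranslated) address.
ip access-list extended NAT-TO-VPN
 permit ip host 192.168.10.10 172.16.50.0 0.0.0.255
ip access-list extended NAT-TO-INTERNET
 deny   ip host 192.168.10.10 172.16.50.0 0.0.0.255
 permit ip host 192.168.10.10 any
route-map VPN-NAT permit 10
 match ip address NAT-TO-VPN
route-map INTERNET-NAT permit 10
 match ip address NAT-TO-INTERNET
!
! Step 2 (case 2): VPN-bound traffic is translated to a1.b1.c1.d1.
ip nat inside source static 192.168.10.10 10.99.0.10 route-map VPN-NAT
! Step 2 (case 1): everything else keeps the public address; "reversible"
! (assumed, per the reply) lets sessions started from the Internet still reach the host.
ip nat inside source static 192.168.10.10 203.0.113.10 route-map INTERNET-NAT reversible
!
! Step 3: inside-to-outside NAT runs before the crypto map is checked, so the
! crypto ACL must name the translated source, exactly as the post proposes.
ip access-list extended CRYPTO-VPN
 permit ip host 10.99.0.10 172.16.50.0 0.0.0.255
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set VPN-TS
 match address CRYPTO-VPN
!
interface FastEthernet0/0
 description WAN (interface names are placeholders)
 ip nat outside
 crypto map VPN-MAP
interface FastEthernet0/1
 description LAN
 ip nat inside
```

After applying it, `show ip nat translations` should list 10.99.0.10 only for flows toward 172.16.50.0/24, and `show crypto ipsec sa` should show the SA's local identity as 10.99.0.10 rather than 192.168.10.10.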