Static NAT bypass

msantiveri
Level 1

Hi all

I have an internet router that performs static NAT of UDP ports 500 and 4500 to the ASA behind it for VPN termination purposes.

I need to terminate a new VPN on the internet router, and I'm asking if there is some way to avoid this NAT only for certain IPs, so that the internet router is able to terminate the new VPN while still performing NAT to keep the rest of the VPN termination on the ASA.

Thank you so much

Miquel

11 Replies

lamav
Level 8

Hi, Miguel:

You can create a route map that is associated with an ACL and perform the NAT function based on the route map.

In this example, only traffic from these 2 networks will be NAT'ed.

access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.11.0 0.0.0.255

route-map NAT permit 10
 match ip address 1

ip nat pool NAT_POOL 131.118.2.1 131.118.2.254 prefix-length 24
ip nat inside source route-map NAT pool NAT_POOL

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

HTH

Victor

Do you only have one public IP address on the WAN interface of the internet router?

Are you doing site to site VPN or IPSec VPN on the ASA?

Are you going to do site to site VPN or IPSec VPN on the internet router?

I need more information. A route-map may help you identify the source of the originating traffic.

Toshi

Toshi:

He probably does, or a very small subnet.

My example was meant to teach him about the route map and NAT exclusion option, not so much the basic NAT pool stuff. He says he already has connections going on, so I am sure he knows that part.

Victor,

Thanks for the information. I'm waiting to find out which way I can help.

BTW, How are you doing today?

Toshi

I'm doing very well, Toshi. Thanks for asking. :-)

Thanks Victor.

I need just the opposite.

I need to do NAT for all IPs except one. Note that there are VPN clients coming from everywhere.

Toshi, thank you

Yes, unfortunately I have only one public IP address.

Toshi, here come the other answers:

Are you doing site to site VPN or IPSec VPN on the ASA?

IPSec VPN

Are you going to do site to site VPN or IPSec VPN on the internet router?

IPSec VPN

Miquel,

Okay! You have just one public IP address.

Can you change the configuration on the ASA to use TCP/10000 to do IPSec VPN (isakmp-over-tcp)? I have to tell users "Please change this parameter". (grin)

I can now use udp/500 and udp/4500 for the internet router.

BTW, how are you doing?

HTH,

Toshi

Miguel:

How are you?

It's more or less the same thing.

This time the ACL will be inverted.

access-list 1 deny 10.10.10.0 0.0.0.255
access-list 1 permit any

The first line denies the traffic you don't want to NAT.

The second allows NATing on everything else. Remember, you DO need the permit ip any any because of the implicit "deny" at the end of all ACLs.

HTH

Victor
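Added example (not code from the thread or from Cisco): a small Python model of Cisco standard-ACL matching, used to check which sources Victor's two ACLs above (the "NAT only these two networks" one and the inverted "deny, then permit any" one) would send through the NAT route map. It models wildcard matching, first-match order and the implicit deny; the ACL text is the thread's own, and the "missing permit any" case is a constructed variant showing what happens when the final permit is forgotten.

```python
import ipaddress

def parse_standard_acl(config: str):
    """Parse 'access-list N permit|deny <net> <wildcard>' lines (also 'any' and 'host X')
    into (action, network, wildcard) tuples, in the order the router evaluates them."""
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action, src = parts[2], parts[3:]
        if src[0] == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif src[0] == "host":
            entries.append((action, src[1], "0.0.0.0"))
        else:
            entries.append((action, src[0], src[1] if len(src) > 1 else "0.0.0.0"))
    return entries

def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    ip_i, net_i, wc_i = (int(ipaddress.IPv4Address(x)) for x in (ip, network, wildcard))
    care = 0xFFFFFFFF ^ wc_i
    return (ip_i & care) == (net_i & care)

def acl_action(entries, ip: str) -> str:
    """First matching entry wins; the implicit deny at the end catches everything else."""
    for action, network, wildcard in entries:
        if wildcard_match(ip, network, wildcard):
            return action
    return "deny"

def will_nat(config: str, ip: str) -> bool:
    """'route-map NAT permit 10' with 'match ip address 1': NAT happens only on a permit."""
    return acl_action(parse_standard_acl(config), ip) == "permit"

# ACL text from Victor's two posts above.
NAT_ONLY_TWO = "access-list 1 permit 10.10.10.0 0.0.0.255\naccess-list 1 permit 10.10.11.0 0.0.0.255\n"
NAT_ALL_BUT_ONE = "access-list 1 deny 10.10.10.0 0.0.0.255\naccess-list 1 permit any\n"
# Constructed variant: the same exclusion without the closing 'permit any'.
MISSING_PERMIT_ANY = "access-list 1 deny 10.10.10.0 0.0.0.255\n"

if __name__ == "__main__":
    cases = [("only two", NAT_ONLY_TWO), ("all but one", NAT_ALL_BUT_ONE),
             ("missing permit any", MISSING_PERMIT_ANY)]
    for name, acl in cases:
        for ip in ("10.10.10.7", "10.10.11.7", "10.10.12.7"):
            print(f"{name:20} {ip:12} NAT={will_nat(acl, ip)}")
```

The last case is the point of Victor's reminder: with only the deny line, every source falls through to the implicit deny and nothing is NATed.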

Victor,

I'm not 100% sure that we are on the same page. As the poster stated, users out there will connect to the internet router by using the public IP address. Then the router will do static NAT with udp/500 and udp/4500 to the ASA to do IPSec VPN.

The requirement is that he wants to have 2 VPN terminators. The other one is the internet router. And he has got just one public IP address.

To the poster: if I missed something, please clarify.

HTH,

Toshi

Hi guys

My customer will provide me with another public IP address to do this, so it's all right.

Thanks a lot

Miquel
