03-27-2009 06:00 AM - edited 03-04-2019 04:07 AM
Hi all
I have an internet router that performs static NAT of UDP ports 500 and 4500 to the ASA behind it for VPN termination purposes.
I need to terminate a new VPN on the internet router, and I am asking whether there is some way to avoid this NAT only for certain IPs, so that the internet router can terminate the new VPN while still performing NAT to keep the rest of the VPN termination on the ASA.
Thank you so much
Miquel
03-27-2009 06:21 AM
Hi, Miguel:
You can create a route map that is associated with an ACL and perform the NAT function based on the route map.
In this example, only traffic from these 2 networks will be NAT'ed.
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.11.0 0.0.0.255
route-map NAT permit 10
match ip address 1
ip nat pool NAT_POOL 131.118.2.1 131.118.2.254 prefix-length 24
ip nat inside source route-map NAT pool NAT_POOL
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
HTH
Victor
03-27-2009 06:27 AM
Do you only have one public ip address at the wan interface on the internet router?
Are you doing site to site VPN or IPSec VPN on the ASA?
Are you going to do site to site VPN or IPSec VPN on the internet router?
I need more information. A route-map may help you to identify the source originating the traffic.
Toshi
03-27-2009 06:31 AM
Toshi:
He probably does, or a very small subnet.
My example was meant to teach him about the route map and NAT exclusion option, not so much the basic NAT pool stuff. He says he already has connections going on, so I am sure he knows that part.
03-27-2009 06:34 AM
Victor,
Thanks for the information. I'm waiting to see which way I can help.
BTW, How are you doing today?
Toshi
03-27-2009 08:22 AM
I'm doing very well, Toshi. Thanks for asking. :-)
03-27-2009 06:43 AM
Thanks Victor.
I need just the opposite.
I need to do NAT for all IPs except one. Note that there are VPN clients coming from everywhere.
Toshi, thank you
Yes, unfortunately I have only one public IP address.
03-27-2009 06:47 AM
Toshi, here comes the other answers
Are you doing site to site VPN or IPSec VPN on the ASA?
IPSec VPN
Are you going to do site to site VPN or IPSec VPN on the internet router?
IPSec VPN
03-27-2009 06:51 AM
Miquel,
Okay! You only have just one public ip address.
Can you change the configuration on the ASA to use TCP/10000 to do IPSec VPN(isakmp-over-tcp)? I have to tell users "Please change this parameter". (grin)
Then you can use udp/500 and udp/4500 for the internet router.
BTW, how are you doing?
HTH,
Toshi
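Toshi's suggestion as a configuration sketch, added here as an illustration; it is not part of any post in this thread. The reason the route-map approach does not help with a single public address is that the static UDP/500 and UDP/4500 port forwards hand every inbound IKE and NAT-T packet to the ASA before the router's own IKE process can answer; moving the ASA onto TCP/10000 (IPsec over TCP, a Cisco VPN Client feature, so it only applies to remote-access clients) frees the UDP ports for the router. Interface names, the public address 203.0.113.10 and the ASA outside address 192.168.1.2 are assumptions, the router's own IKE/IPsec remote-access configuration is not shown, and the ASA command uses the ASA 7.x-or-later syntax.

```cisco
! Internet router (IOS). Names and addresses are assumed for this example.
! Gi0/0 = WAN with the single public address; Gi0/1 = LAN; ASA outside = 192.168.1.2
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Before: these two entries send every IKE and NAT-T packet arriving at the public
! address to the ASA, so the router itself can never terminate IKE on UDP/500 or UDP/4500.
no ip nat inside source static udp 192.168.1.2 500 interface GigabitEthernet0/0 500
no ip nat inside source static udp 192.168.1.2 4500 interface GigabitEthernet0/0 4500
!
! After: only TCP/10000 (IPsec over TCP) is forwarded to the ASA. UDP/500 and UDP/4500
! now reach the router's own IKE process, so it can terminate its own IPsec clients.
ip nat inside source static tcp 192.168.1.2 10000 interface GigabitEthernet0/0 10000
!
! Ordinary outbound PAT for the LAN. The static entry above takes precedence over this
! dynamic translation for the ASA's TCP/10000 traffic.
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!
! ASA side: accept IKE/IPsec encapsulated in TCP on port 10000.
! Each VPN client profile must be changed from UDP to "IPSec over TCP", port 10000.
crypto isakmp ipsec-over-tcp port 10000
```

Check after the change with `show ip nat translations` on the router (only the TCP/10000 static entry should remain for 192.168.1.2) and `show crypto isakmp sa` on both devices; clients still configured for UDP will now negotiate with the router rather than the ASA, which is the expected result.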
03-27-2009 08:21 AM
Miguel:
How are you?
It's more or less the same thing.
This time the ACL will be inverted.
access-list 1 deny 10.10.10.0 0.0.0.255
access-list 1 permit any
The first line denies the traffic you don't want to NAT.
The second allows NATing on everything else. Remember, you DO need the permit ip any any because of the implicit "deny" at the end of all ACLs.
HTH
Victor
03-27-2009 08:39 AM
Victor,
I'm not 100% sure that we are on the same page. As the poster stated, users out there will connect to the internet router by using the public IP address. Then the router will do static NAT with udp/500 and udp/4500 to the ASA to do IPSec VPN.
The requirement is that he wants to have 2 VPN terminators. The other one is the internet router. And he has got just one public IP address.
To the poster: if I missed something, please clarify.
HTH,
Toshi
03-30-2009 12:18 AM
Hi guys
My customer will provide me with another public IP address to do this, so it's all right.
Thanks a lot
Miquel