topic Excluding one destination from nat in Network Security

Excluding one destination from nat

kyriacossakkas — Fri, 21 Feb 2020 08:29:12 GMT

CISCO 800 IOS 12.3

Hi, I have several VPNs set up between my site and the sites of asociates. The original requirements were for me to have two public IPs for this setup, ne which is a real interface (and the tunnel endpoint), and one which is used for nating my internal private adress onto, so that my internal machine can be reached by normal routing from sites which I do not have a VPN with.

My problem is that I now need to create a new VPN with a site that needs to see my private adreess through the tunnel.

So is there a way to have nating in place exept when talking with one specific peer ?

All conections will be initiated by me and directed to this peers provate IP address.

The tunnel is in place, and through ping, we know that he sees my request, but for him they apear from my second public IP, which he can not route to his internal network. Having them nat their side in order for us to talk with them from our public address is not an option (we count as client-side in this setup) .

Re: Excluding one destination from nat

bobd — Thu, 27 Oct 2005 16:29:49 GMT

The Cisco IOS allows you to use NAT exclusions through the use of ACLs. For example, if your network is 192.168.1.0 and the remote network that you do not want to NAT to is 192.168.2.0 then the commands would be:

access-list 101 deny ip 192.168.1.0 255.255.255.0 192.168.2.x 255.255.255.255 (where x is the ip of the host to exclude)

access-list 101 permit ip 192.168.1.0 255.255.255.0 any (permit for everything else)

nat inside source list 101 interface (apply NAT)

Post your config if this isn't helpful and I will take a closer look at it.

Bob

Re: Excluding one destination from nat

kyriacossakkas — Mon, 31 Oct 2005 15:53:28 GMT

Hi, got the local CISCO rep to come over, and he tried something like what you describe, but for some reason it did not work, nating kept taking place on all traffic. Here are parts of my config, which include his modifications:

interface Ethernet0

description Connection to SMSC Client Application

ip address 192.168.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

no ip mroute-cache

no cdp enable

hold-queue 32 in

ip classless

ip route 0.0.0.0 0.0.0.0 212.xxx.xxx.209

ip route 192.168.7.17 255.255.255.255 80.xxx.xxx.xxx

no ip http server

no ip http secure-server

ip nat pool mypool 212.xxx.xxx.213 212.xxx.xxx.213 prefix-length 30

ip nat inside source list 110 pool mypool

access-list 110 deny ip host 192.168.0.10 host 192.168.7.17

access-list 110 permit ip host 192.168.0.10 any

Hope this makes sence, even with the snipping and masking.

Thanks in advance to anybody that might spot where we are going wrong.

Re: Excluding one destination from nat

bobd — Mon, 31 Oct 2005 17:26:44 GMT

If there was already a NAT translation in place when you implemented the ACL, you may need to clear the existing translations.

clear ip nat trans *

the ACL in your snip should exclude traffic coming from 192.168.0.10 to 192.168.7.17 from NAT and NAT everything else from the same host.

Looks like it shoudl work.