03-04-2004 03:02 PM - edited 03-09-2019 06:38 AM
We have a 1710 router that exists behind NAT. We don't want this router to perform NAT at all (our edge router performs NAT for us). We also have an EZVPN originating from this router to a remote router on the internet. Whenever the EZVPN renegotiates its SA, NAT gets enabled on the client router and we have to manually enter the commands:
conf t
interface ethernet 0
no ip nat outside
exit
interface fastethernet 0
no ip nat inside
exit
exit
clear ip nat translations forced
to clear all the translations. This lasts until the next time the VPN reconnects or the SA gets renegotiated.
The EZVPN is in 'network extension' mode.
Any ideas?
Thanks
03-10-2004 09:33 AM
I'm afraid your question is not too clear. The documentation for the Cisco Easy VPN Remote Feature might help. It is located at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122y/122ya/122ya4/ftezvpcm.htm. Hope this helps.
03-10-2004 05:50 PM
Thanks for your reply but the documentation here says that NAT gets enabled if the EZVPN is in client mode but our EZVPN is in network extension mode. There is nothing in our config that mentions enabling NAT - we don't want this router to perform NAT but it gets enabled every time the EZVPN reconnects.
The config is:
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname CHC4-RTR1
!
logging queue-limit 100
logging buffered 51200 debugging
!
memory-size iomem 25
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius local
aaa authorization network default group radius local
aaa authorization network xxx local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip tcp synwait-time 10
ip domain name xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
crypto ipsec security-association lifetime seconds 86400
!
!
!
!
crypto ipsec client ezvpn CentralNode
connect auto
group tmvpn key xxxxxxxxxxxxxx
mode network-extension
peer xxx.xxx.xxx.xxx
!
!
!
!
!
interface Loopback0
ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface Ethernet0
description DMZ Interface
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip route-cache flow
ip tcp adjust-mss 1375
full-duplex
crypto ipsec client ezvpn CentralNode
!
interface FastEthernet0
description Internal Interface
ip address xxx.xxx.xxx.xxx 255.255.0.0
ip route-cache flow
ip tcp adjust-mss 1375
speed 100
full-duplex
crypto ipsec client ezvpn CentralNode inside
!
ip nat Stateful id 1
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0 xxx.xxx.xxx.xxx permanent
ip http server
ip http authentication local
ip http secure-server
!
dialer-list 1 protocol ip permit
!
radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646
radius-server retransmit 2
radius-server authorization permit missing Service-Type
banner motd ^CWelcome^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
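As an added example (not from the thread or Cisco), a small script that spots the "ip nat inside/outside" statements the tunnel re-adds, so the drift can be caught from a saved "show running-config" dump rather than noticed by hand; the sample config is constructed to mirror the posted one, with placeholder addresses.

```python
import re

# Constructed sample: the running-config as it looks after an EZVPN
# renegotiation, with the unwanted NAT statements present (not the poster's
# real config; addresses are placeholders).
SAMPLE_CONFIG = """\
!
hostname CHC4-RTR1
!
crypto ipsec client ezvpn CentralNode
 connect auto
 mode network-extension
 peer 192.0.2.1
!
interface Ethernet0
 description DMZ Interface
 ip address 192.0.2.10 255.255.255.0
 ip nat outside
 crypto ipsec client ezvpn CentralNode
!
interface FastEthernet0
 description Internal Interface
 ip address 10.0.0.1 255.255.0.0
 ip nat inside
 crypto ipsec client ezvpn CentralNode inside
!
end
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from an IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # top-level line ends the interface block
    return interfaces

def nat_drift(config):
    """List (interface, 'ip nat ...') pairs; on a router that must never NAT, any hit is drift."""
    hits = []
    for name, cmds in parse_interfaces(config).items():
        for cmd in cmds:
            if re.fullmatch(r"ip nat (inside|outside)", cmd):
                hits.append((name, cmd))
    return hits

def remediation_commands(config):
    """Build the same 'no ip nat ...' sequence the poster enters by hand, per affected interface."""
    cmds = ["conf t"]
    for name, cmd in nat_drift(config):
        cmds += [f"interface {name}", f"no {cmd}", "exit"]
    return cmds + ["exit", "clear ip nat translations forced"]
```

Run it against a config dump taken after each reconnect; an empty result from nat_drift means the NAT statements did not come back.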
03-10-2004 08:02 PM
I'm having just the opposite problem. I have a Cisco 831 router set up at home (connecting to a VPN 3060 at the corporate office). I want to be able to have certain IPs on the local subnet tunnel back to the office (which works by default with my EZVPN configuration, where all traffic tunnels back to corporate) and the rest of the hosts NAT (straight out to the internet locally, not accessing corporate resources). The configuration is pretty simple and works. However, every time the tunnel goes down and back up, my ip nat inside and ip nat outside statements are REMOVED (the opposite of what you describe). When I enable the commands again ("ip nat inside" and "ip nat outside") I get an error message about CNBAR. TAC has not been able to help me thus far. Anybody know what CNBAR is, or can point me to some documentation?