10-04-2005 08:11 AM - edited 03-09-2019 12:36 PM
hi,
I'm trying to configure a router-to-router IPsec tunnel, but I don't understand what the command
"route-map nonat permit 10"
means. Can somebody explain it to me clearly?
Regards
10-04-2005 08:21 AM
It is there so that if you are performing split-tunneling, this is saying do not NAT out to the internet the access-list that you define. You would need to follow this command with a "match ip address
10-04-2005 08:31 AM
A VPN router very commonly acts as the internet router. With an internet router, normally you would NAT the LAN to a public IP for accessing the internet.
e.g.
interface Ethernet0
ip address
ip nat inside
interface Dialer0
ip address
ip nat outside
When configuring a LAN-to-LAN VPN, since the VPN is a secure connection between two private networks, the router shouldn't NAT/PAT any traffic destined for the remote peer's private network. In order to configure this, you need the commands below.
access-list 101 deny ip
access-list 101 permit ip
ip nat inside source route-map nonat interface Dialer0 overload
route-map nonat permit 10
match ip address 101
with the sample above,
"access-list 101 deny ip
"access-list 101 permit ip
"ip nat inside source route-map nonat interface Dialer0 overload" maps the route-map nonat to the interface dialer0 for pat
"route-map nonat permit 10
match ip address 101" maps the ACL 101 to the route-map nonat, which in turn maps to the Dialer0 interface for PAT.
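As an added illustration (not part of the original post), the following Python models the NAT decision that "ip nat inside source route-map nonat interface Dialer0 overload" makes with "route-map nonat permit 10 / match ip address 101": a deny entry in the ACL means the packet is not matched by the route-map and is therefore left untranslated (tunnel traffic), while a permit entry means it is PATed out Dialer0. The network values are constructed examples, since the post's ACL lines are truncated.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class AclEntry:
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


# Constructed sample values (the post's ACL lines are truncated):
# the local LAN behind Ethernet0 and the remote peer's private LAN behind the tunnel.
LOCAL_LAN = IPv4Network("192.168.1.0/24")
REMOTE_LAN = IPv4Network("192.168.2.0/24")

# access-list 101 deny ip <local> <remote>  -> VPN traffic, must NOT be translated
# access-list 101 permit ip <local> any     -> everything else from the LAN gets PATed
ACL_101 = [
    AclEntry("deny", LOCAL_LAN, REMOTE_LAN),
    AclEntry("permit", LOCAL_LAN, IPv4Network("0.0.0.0/0")),
]


def acl_matches(acl, src, dst):
    """Evaluate an extended ACL top-down; the first matching entry decides.
    Returns True for permit, False for deny or no match (implicit deny)."""
    for entry in acl:
        if src in entry.src and dst in entry.dst:
            return entry.action == "permit"
    return False


def nat_decision(src, dst, acl=ACL_101):
    """Model the 'route-map nonat permit 10 / match ip address 101' sequence.
    A route-map sequence matches only when its ACL *permits* the packet; an ACL
    deny (or no match, since there is no further sequence) means the route-map
    does not match and the packet is sent untranslated."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    if acl_matches(acl, src, dst):
        return "pat-dialer0"   # translated to Dialer0's public address (overload)
    return "no-nat"            # forwarded untouched, e.g. into the IPsec tunnel


if __name__ == "__main__":
    for s, d in [("192.168.1.10", "192.168.2.20"), ("192.168.1.10", "203.0.113.5")]:
        print(s, "->", d, nat_decision(s, d))
```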