Disable NAT for VPN traffic

BurakOzkan
Level 1

Hi everyone, 

I'm running into this issue I can't seem to solve. I have a Cisco 800 series router deployed that is handling pretty much everything for a small business environment. I set up a VPN connection to one of our branches (up and running). Here is the problem though: only devices in VLAN 2 (which have a class A 10.x.x.x IP address) are allowed to make connections over the VPN. Thing is, these clients should also be able to go out on the internet, so NAT is required.

But in doing so, I can't connect to devices over the VPN because NAT takes place. What I did was:

int VLAN 2

no ip nat inside

And voila, I am able to go over the VPN and connect to our servers at the other end. But as a result I am not able to go on the internet because NAT isn't enabled in this case. What I basically want is:

enable NAT for pretty much every outgoing connection EXCEPT when the destination is a client at the other side of the VPN. What can I do to achieve this? An access-list? Another function I might be missing?


3 Replies

GRANT3779
Spotlight

I think all you need to do is amend your NAT ACL to deny traffic from your 800 series LAN side addresses to the remote LAN addresses. Make sure you put these entries first in the ACL. Anything matching your deny statements won't be NAT'd.

I see, so this is my current NAT/ACL config:

ip nat pool [name] [27.xx.xx.xx 27.xx.xx.xx] netmask 255.255.255.252
ip nat inside source list 100 pool [name] overload

These are my ACLs:

access-list 100 permit ip any any
access-list 110 permit ip 10.xxx.xxx.224 0.0.0.15 10.xxx.xxx.0 0.0.0.7
access-list 110 permit ip 10.xxx.xxx.0 0.0.0.7 10.xxx.xxx.224 0.0.0.15

The 110 is assigned to the crypto map; the 100 group is assigned to the interface going out to my ISP (where I have a WAN IP). So I'm guessing it's ACL 100 I have to adjust, like follows:

access-list 100 should be:

deny ip 10.xxx.xxx.224 going to 10.xxx.xxx.0 (from my LAN source to the destination LAN).

permit ip any any

This won't block all traffic matching the ACL but just disable NAT, correct?

Yes, this should achieve your requirement. Your 100 ACL is only being referenced via your NAT statement, so it won't block 'all traffic' as such. Just ensure your new ACL line is before the permit ip any any line.

This is all assuming routing is good which I believe is OK reading your post.
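The ordering rule given above (deny entries for VPN-bound traffic must sit before permit ip any any, and a deny in a NAT ACL only exempts from translation, it never drops) can be checked against a small model of how IOS walks a numbered ACL first-match. This is added example code, not configuration from the thread or from Cisco; the 10.1.1.224/28 and 10.2.2.0/29 addresses are constructed stand-ins for the post's 10.xxx.xxx.x networks, and the wildcard-mask matching follows standard Cisco semantics.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    src: str        # IPv4 address or "any"
    src_wild: str   # Cisco wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wild: str


def _wild_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: compare only the bits where the mask is 0."""
    if base == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def nat_decision(acl, src: str, dst: str) -> str:
    """First matching entry wins. In an 'ip nat inside source list' ACL a
    permit means translate and a deny means leave the packet untranslated;
    nothing is dropped here. The implicit deny at the end also exempts."""
    for e in acl:
        if _wild_match(src, e.src, e.src_wild) and _wild_match(dst, e.dst, e.dst_wild):
            return "translate" if e.action == "permit" else "exempt"
    return "exempt"


def any_entry(action: str) -> AclEntry:
    return AclEntry(action, "any", "255.255.255.255", "any", "255.255.255.255")


# Constructed sample networks standing in for the post's 10.xxx.xxx.x ranges
LOCAL_LAN = ("10.1.1.224", "0.0.0.15")   # /28 in VLAN 2 behind the 800 series router
REMOTE_LAN = ("10.2.2.0", "0.0.0.7")     # /29 at the branch, reached over the VPN

# access-list 100 as GRANT3779 suggests: deny the VPN pair first, then permit any any
CORRECT_ACL_100 = [AclEntry("deny", *LOCAL_LAN, *REMOTE_LAN), any_entry("permit")]
# Same two lines in the wrong order: permit any any shadows the deny entirely
WRONG_ORDER_ACL_100 = [any_entry("permit"), AclEntry("deny", *LOCAL_LAN, *REMOTE_LAN)]

if __name__ == "__main__":
    for dst in ("10.2.2.5", "93.184.216.34"):
        print(dst, nat_decision(CORRECT_ACL_100, "10.1.1.230", dst),
              nat_decision(WRONG_ORDER_ACL_100, "10.1.1.230", dst))
```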