cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2015
Views
0
Helpful
3
Replies

Disable NAT for VPN traffic

BurakOzkan
Level 1
Level 1

Hi everyone, 

I'm running into this issue I can't seem to solve. So I have a Cisco 800 series router deployed that is handling pretty much everything for a small business environment. Setup a VPN connection to one of our branches (up and running). Here is the problem though: only devices in VLAN 2 (which have a class A 10.x.x.x IP address) are allowed to make connections over the VPN. Thing is, these clients should also be able to go out on the internet, so NAT is required.

But in doing so, I can't connect to devices over the VPN because NAT takes place. What I did was:

int VLAN 2

no ip nat inside

And voila, I am able to go over the VPN and connect to our servers at the other end. But as a result I am not able to go on the internet because NAT isn't enabled in this case. What I basically want is:

enable NAT for pretty much every outgoing connection EXCEPT when the destination is a client at the other side of the VPN. What can I do to achieve this? An access-list? Another function I might be missing?

1 Accepted Solution

Accepted Solutions

GRANT3779
Spotlight
Spotlight

I think all you need to do is amend your NAT ACL to deny traffic from your 800 series LAN side addresses to the remote LAN addresses. Make sure you put these entries first in the ACL. Anything matching your deny statements won't be NAT'd.

View solution in original post

3 Replies 3

GRANT3779
Spotlight
Spotlight

I think all you need to do is amend your NAT ACL to deny traffic from your 800 series LAN side addresses to the remote LAN addresses. Make sure you put these entries first in the ACL. Anything matching your deny statements won't be NAT'd.

I see, so this is my current NAT/ACL config:

ip nat pool [name] [27.xx.xx.xx 27.xx.xx.xx] netmask 255.255.255.252
ip nat inside source list 100 pool [name] overload

These are my ACL's

access-list 100 permit ip any any
access-list 110 permit ip 10.xxx.xxx.224 0.0.0.15 10.xxx.xxx.0 0.0.0.7
access-list 110 permit ip 10.xxx.xxx.0 0.0.0.7 10.xxx.xxx.224 0.0.0.15

The 110 is assigned to the crypto map, the 100 group is assigned to the interface going out to my ISP (where I have a WAN IP). So I'm guessing it's ACL 100 I have to adjust like follows:

acces-list 100 should be:

deny ip 10.xxx.xxx.224 going to 10.xxx.xxx.0 (from my LAN source to the destination LAN).

permit ip any any

This won't block all traffic matching the ACL but just disable NAT, correct?

Yes this should achieve your requirement. Your 100 ACL is only being referenced via your NAT statement  so won't block 'all traffc' as such. Just ensure your new ACL line is before the permit ip any any line.

This is all assuming routing is good which I believe is OK reading your post.