
Bypass the IP NAT for VPN Users

abdussamedpkpk
Level 1

Hi,

I have configured ip nat on Cisco 6153 switch and it is working fine. But I need to bypass the ip nat configuration for VPN users.

eg: 192.168.1.1 is NATed to a global IP address, the ip nat working fine but the same server I need to connect for the VPN users also.

38 Replies

Jon Marshall
Hall of Fame

abdussamedpkpk wrote:

Hi,

I have configured ip nat on Cisco 6153 switch and it is working fine. But I need to bypass the ip nat configuration for VPN users.

eg: 192.168.1.1 is NATed to a global IP address, the ip nat working fine but the same server I need to connect for the VPN users also.

Abdu

You need to be specific in your access-list that defines the NAT, e.g.

access-list 101 permit ip any any

ip nat inside source list 101 interface vlan10 overload

The above would translate all traffic coming in on an interface with "ip nat inside" to the vlan10 interface address. If you wanted to exclude, for example, 192.168.1.1 when it is going to a particular subnet, i.e. your VPN users:

access-list 101 deny ip host 192.168.1.1 192.168.10.0 0.0.0.255  <--- 192.168.10.0/24 is your VPN user subnet

access-list 101 permit ip any any

ip nat inside source list 101 interface vlan10 overload

So basically you need to "deny" the traffic you do not want to be NATed before you do any permits.

Jon

abdussamedpkpk
Level 1

Thanks for the reply. Actually I need to connect the server for both VPN and Public. Is it possible or not?

abdussamedpkpk wrote:

Thanks for the reply. Actually I need to connect the server for both VPN and Public. Is it possible or not?

So it's a static NAT you are trying to do this for? If so you can use route-maps with static translations:

Static NAT with route-maps

Unfortunately I don't believe it is supported on the 6500, but I don't have a 6500 to test with, so it may be worth trying.

Jon

It didn't work. Thanks Mr. John

Dear Samad,

I think that this issue is common with static NAT.

Always when there is one-to-one NAT it will take preference. One option is to let the remote users connect to this server using the public IP only, and another option is to do a route-map for static NAT, in which you will deny the local traffic from NAT and NAT everything else.

Could you please post your config.

Regards

Haris P

Please see the below configuration for ip nat:

ip nat inside source static tcp 172.168.20.1 829 200.200.20.20 829

Hi Abdu,

We faced a similar problem.

What we did is to use a route-map as a condition in the NAT statement.

Here is what we did:

your server: 10.10.1.1

VPN tunnel other end server: 192.168.1.1

so you don't want to NAT when 10.10.1.1 communicates with 192.168.1.1

access-list 101 deny ip host 10.10.1.1 host 192.168.1.1

access-list 101 permit ip any any

access-list 102 permit ip host 10.10.1.1 host 192.168.1.1

route-map internet permit 10

match ip address 101

ip nat inside source static 10.10.1.1 Public_IP_Address route-map internet

This will NAT the traffic as per access-list 101, which denies traffic destined to 192.168.1.1 from 10.10.1.1.

Use access-list 102 for the crypto map to define the traffic that is to be encrypted.

It worked on an 1841.

Hope it works for you also.

Rate if it helps.

Thanks

Subodh
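The two posts above (Jon's "deny before permit" ACL for a dynamic NAT, and Subodh's route-map on a static NAT) both rely on the same thing: IOS evaluates a NAT ACL top to bottom, first match wins, and only a permit match causes translation. The Python below is an added example (not code from this thread or from Cisco) that models that first-match evaluation and includes a check for the ordering mistake Jon warns about, a deny line that sits below a permit any any and therefore never matches. The ACL lines are constructed from the two posts; the "!" comment convention, the 203.0.113.9 address and the function names are assumptions for the example.

```python
"""Model of IOS numbered-ACL first-match evaluation as used by NAT ('ip nat inside
source list N' or a route-map 'match ip address N'). Only 'permit|deny ip <src> <dst>'
entries are supported, which is all the posts above use."""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    src_net: int    # address bits that must match (where wildcard bit is 0)
    src_wild: int   # IOS wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wild: int


def _parse_addr(tokens):
    """Parse 'any' | 'host A' | 'A WILDCARD'; returns (net, wildcard, tokens_consumed)."""
    if tokens[0] == "any":
        return 0, ALL_ONES, 1
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, 2
    return int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1])), 2


def parse_acl(lines):
    """Parse 'access-list <n> permit|deny ip <src> <dst>' lines into {acl_number: [AclEntry]}."""
    acls = {}
    for raw in lines:
        line = raw.split("!")[0].strip()          # '!' starts a comment (assumed convention)
        if not line:
            continue
        tok = line.split()
        if tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        src, src_w, n = _parse_addr(tok[4:])
        dst, dst_w, _ = _parse_addr(tok[4 + n:])
        acls.setdefault(tok[1], []).append(AclEntry(tok[2], src, src_w, dst, dst_w))
    return acls


def _matches(addr, net, wild):
    """An address matches when every bit the wildcard fixes (0) agrees with net."""
    fixed = ~wild & ALL_ONES
    return (addr & fixed) == (net & fixed)


def acl_permits(entries, src, dst):
    """First-match evaluation with the implicit 'deny any any' at the end."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        if _matches(s, e.src_net, e.src_wild) and _matches(d, e.dst_net, e.dst_wild):
            return e.action == "permit"
    return False


def nat_applies(acls, acl_number, src, dst):
    """A flow is translated only when the ACL referenced by the NAT rule permits it."""
    return acl_permits(acls[acl_number], src, dst)


def _covers(outer, inner):
    """True when every flow matched by `inner` is also matched by `outer`."""
    def cov(o_net, o_wild, i_net, i_wild):
        return (o_wild | i_wild) == o_wild and _matches(i_net, o_net, o_wild)
    return (cov(outer.src_net, outer.src_wild, inner.src_net, inner.src_wild)
            and cov(outer.dst_net, outer.dst_wild, inner.dst_net, inner.dst_wild))


def shadowed_denies(entries):
    """Indexes of deny entries that can never match because an earlier permit covers them."""
    return [i for i, e in enumerate(entries) if e.action == "deny"
            and any(p.action == "permit" and _covers(p, e) for p in entries[:i])]


# Constructed from Jon's post: exempt 192.168.1.1 -> VPN subnet 192.168.10.0/24 from PAT.
JON_ACL = [
    "access-list 101 deny ip host 192.168.1.1 192.168.10.0 0.0.0.255  ! VPN user subnet",
    "access-list 101 permit ip any any",
]
# Same lines in the wrong order: the deny is shadowed, so VPN traffic is still NATed.
JON_ACL_MISORDERED = list(reversed(JON_ACL))

# Constructed from Subodh's post: 101 drives the static NAT route-map, 102 is the crypto ACL.
SUBODH_ACL = [
    "access-list 101 deny ip host 10.10.1.1 host 192.168.1.1",
    "access-list 101 permit ip any any",
    "access-list 102 permit ip host 10.10.1.1 host 192.168.1.1",
]


def summarize(acl_lines, acl_number, src, dst):
    """Return (nat_applies, shadowed_deny_indexes) for one flow; used by the self-check below."""
    acls = parse_acl(acl_lines)
    return nat_applies(acls, acl_number, src, dst), shadowed_denies(acls[acl_number])


if __name__ == "__main__":
    print("Jon, VPN flow:        ", summarize(JON_ACL, "101", "192.168.1.1", "192.168.10.5"))
    print("Jon misordered:       ", summarize(JON_ACL_MISORDERED, "101", "192.168.1.1", "192.168.10.5"))
    print("Subodh, tunnel flow:  ", summarize(SUBODH_ACL, "101", "10.10.1.1", "192.168.1.1"))
```

With the lines in Jon's order the VPN-bound flow is not translated and the Internet-bound flow is; reverse the two lines and `shadowed_denies` reports the deny at index 1 as unreachable, which is exactly the symptom of "the NAT still applies to my VPN users". For Subodh's configuration the same flow is denied by 101 (so the static translation is skipped) and permitted by 102 (so it is encrypted), which is the intended split.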

Hi,

Thanks for the detailed support. I think I have a lower version that does not support the "ip nat inside source static 10.10.1.1 Public_IP_Address route-map" command. My IOS version is 12.2(18)SXF14. Does this version support this command? Please advise me.

Thanks

Abdu

Hi, Subodh

Sorry for the late reply. I want to know how or where you applied both the 101 and 102 access-lists to the interface. In my case both VPN and Internet traffic are terminating on the same interface.

access-list 101 is for NAT only and access-list 102 is for permitting VPN traffic.

You don't need to apply these ACLs on an interface.

And another thing: your IOS will support these commands.

Regards

Haris P

The access-list is supported; I meant the route-map for ip nat is not supported on the 12.2 version. I tried this scenario but it doesn't work. That's why I doubted that it has to apply to an interface.

Thanks&Regards,

Abdussamad

I meant that the route-map with static ip nat is not supported with IOS 12.2. I tried this scenario but it doesn't work. That's why I doubted that it has to apply to an interface.

Thanks&Regards,

Abdussamad

Hi Abdu,

You can try using a route-map to bypass NAT.

1. Create a dummy interface and set an unroutable IP that is not used in your network, like:

interface Loopback100

ip address 172.16.1.1 255.255.255.0

2. Create a route-map:

route-map PBR permit 10

match ip address PBR

set ip next-hop 172.16.1.2

ip access-list extended PBR

permit ip host 192.168.1.1 vpn_subnet vpn_wildcard_mask

3. Apply the PBR on the NAT inside interface:

interface x/x

ip policy route-map PBR

HTH,

Lei Tian

Could you please elaborate on it, like what is the IP in the 192.X.X.X subnet?
