07-13-2005 05:44 PM - edited 03-03-2019 10:01 AM
Ok, here's what I need to do. There is a site with internet access from any given ISP. A node, or possibly nodes, at this site need to connect to my main site via VPN, and it needs to be site-to-site and not client access. Due to overlap issues I need the node or nodes to NAT when traversing the VPN connection. These nodes also need to access the internet through their standard internet connection. So, they need to PAT to the outside interface when accessing the internet, and then they need to static NAT to another address for VPN traffic. With TAC's help I was able to do this on a PIX 501; however, it requires policy NAT, which renders the PDM unusable. Because these remote devices need to be managed by their low-end site admins, it really needs a GUI. So, I am now trying to accomplish this task on a router such as an 850, 870, or 1800 running SDM.
Can anyone assist with getting this to work? And yes, I did open a TAC case, but it's been sitting for hours and no one has taken ownership of it. I have had luck finding help on these boards in the past, so I figured I would give it a shot.
Thanks all!
07-13-2005 06:54 PM
Hi,
If I understood right, what you want is to do NAT based on the destination address; if that's the case, try using a route-map with your NAT.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml
HTH
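Route-map based NAT applied to the original poster's requirement (PAT to the ISP address for internet traffic, a static one-to-one translation for traffic bound for the main site over the IPsec tunnel), as an added example that is not part of this thread. All addresses, interface names, the peer 203.0.113.1 and the pre-shared key are assumed; the remote LAN 10.1.1.0/24 is taken to overlap with the main site, so host 10.1.1.10 is presented to the main site as 172.16.50.10 and reaches the main-site servers on 192.168.100.0/24.

```cisco
! Added example (not from the thread). Assumed addressing, see lead-in.
interface FastEthernet4
 description ISP link (assumed outside interface)
 ip address dhcp
 ip nat outside
 crypto map VPN-MAP
!
interface Vlan1
 description remote LAN 10.1.1.0/24, overlaps with the main site
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! 1) Traffic to the main site: selected by destination, static 1:1 NAT
ip access-list extended TO-MAIN-SITE
 permit ip host 10.1.1.10 192.168.100.0 0.0.0.255
route-map NAT-VPN permit 10
 match ip address TO-MAIN-SITE
ip nat inside source static 10.1.1.10 172.16.50.10 route-map NAT-VPN
!
! 2) Everything else from the LAN: PAT behind the ISP-assigned address.
!    The deny keeps main-site traffic out of this rule so it is not PATed.
ip access-list extended TO-INTERNET
 deny   ip 10.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
route-map NAT-INTERNET permit 10
 match ip address TO-INTERNET
ip nat inside source route-map NAT-INTERNET interface FastEthernet4 overload
!
! 3) The crypto ACL must use the TRANSLATED address: inside-to-outside
!    packets are NATed before IPsec matches them against this list.
ip access-list extended VPN-INTERESTING
 permit ip host 172.16.50.10 192.168.100.0 0.0.0.255
!
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.1
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-INTERESTING
```

The main-site peer's crypto ACL has to mirror this (192.168.100.0/24 to host 172.16.50.10), and `show ip nat translations` on the remote router should show the 10.1.1.10 to 172.16.50.10 entry only for main-site destinations while other flows use the FastEthernet4 address.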
07-14-2005 09:42 AM
Hello,
Our problem is quite similar to this one. What we want to achieve is to redirect the HTTP traffic to one IP address. Here is our configuration (parts omitted):
interface FastEthernet0/0
 ip address 192.168.253.3 255.255.255.240 secondary
 ip address 10.10.10.124 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no cdp enable
!
interface Ethernet1/0
 ip address 10.17.1.1 255.255.240.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip policy route-map dnat
 duplex full
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.2
no ip http server
no ip http secure-server
!
ip nat pool slb-srv 192.168.253.1 192.168.253.1 prefix-length 28 type rotary
ip nat inside source list internet-clients interface FastEthernet0/0 overload
ip nat inside destination list web pool slb-srv
!
ip access-list extended internet-clients
 deny   tcp any any eq www
 permit ip 10.17.0.0 0.0.15.255 any
ip access-list extended web
 permit tcp any any eq www
no cdp run
!
end
As you can see, we want all the traffic from the ACL internet-clients to be SNAT-ed to interface FE0/0 and all the HTTP traffic to be DNAT-ed to IP address 192.168.253.1.
As you can imagine, this didn't work for us. What we see is that it simply doesn't NAT the HTTP packets at all. ICMP and other traffic is OK (we can ping any site), but not HTTP: we are not able to open any site.
Would greatly appreciate any help,
Dardan
07-14-2005 02:32 PM
Hi,
Could you help me with a network drawing showing the interfaces and IP addresses? I am not sure if I understand your NAT requirements and IP addressing correctly.
07-14-2005 05:16 PM
07-14-2005 08:04 PM
Hi,
Though the following config won't be the best one, it should still help you get going.
I just happened to look into your config and I see you are changing your destination IP address; I wonder if it's a place where you wanna look again.
Should you still have issues, pls get the output for
sh ip nat translations
sh ip nat translations tcp
and also a debug output while trying to ping any external web server.
Thank you
HTH
**************************************************
interface fa0/0
 ip nat outside
interface fa0/1
 ip nat inside
ip nat pool internet 66.1.1.1 66.1.1.1 prefix-length 28
ip nat pool intranet 10.3.100.200 10.3.100.207 prefix-length 28
ip nat inside source route-map http pool internet overload
ip nat inside source route-map traffic pool intranet
route-map http permit 10
 match ip address HTTP
route-map traffic permit 10
 match ip address all-traffic
ip access-list extended HTTP
 permit tcp any any eq www
ip access-list extended all-traffic
 deny   tcp any any eq www
 permit ip host 10.0.0.200 204.1.1.1 0.0.0.255
****************************************************
07-15-2005 12:16 AM