09-28-2011 10:45 AM - edited 03-04-2019 01:45 PM
Dear all,
I'm struggling with IPsec with overlapping NAT. The VPN works perfectly, but site A cannot connect to the internet (site B does not need internet). I have tried route maps, but nothing seems to work.
Here is my configuration. I did not put all of it, only some chunks.
Site A
External 195.222.19.93
internal 192.168.0.0
NATed to 192.168.11.0
Site B
External 195.222.19.92
internal 192.168.0.0
NATed to 192.168.10.0
ip access-list extended VPN
permit ip 192.168.11.0 0.0.0.255 host 192.168.10.2
permit ip 192.168.11.0 0.0.0.255 host 192.168.10.3
permit ip 192.168.11.0 0.0.0.255 host 192.168.10.4
permit ip 192.168.11.0 0.0.0.255 host 192.168.10.5
permit ip 192.168.11.0 0.0.0.255 host 192.168.10.6
permit ip 192.168.11.0 0.0.0.255 host 192.168.10.7
permit ip 192.168.11.0 0.0.0.255 host 192.168.10.17
permit ip 192.168.11.0 0.0.0.255 host 192.168.10.18
ip nat inside source route-map WAN interface GigabitEthernet0/0 overload
ip nat inside source route-map 3G interface Cellular0/0/0 overload
ip nat inside source route-map VPN_nat_acl interface GigabitEthernet0/0 overload
ip nat inside source static network 192.168.0.0 192.168.11.0 /24
route-map track-primary-if permit 1
match ip address 100
set interface GigabitEthernet0/0 Null0
!
route-map VPN_nat_acl permit 10
match ip address VPN_acl
ip access-list extended VPN_acl
permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
route-map WAN permit 10
match ip address 1
match interface GigabitEthernet0/0
!
!
route-map 3G permit 10
match ip address 1
match interface Cellular0/0/0
Thanks in advance!
09-28-2011 01:07 PM
Can you post what ACL 1 is? Can you also post the "show ip nat trans" output once you try to ping a public IP on the internet?
I guess the command "ip nat inside source static network 192.168.0.0 192.168.11.0 /24" is conflicting and is even NATting your internet traffic too.
Is there any other device in front of this router towards the internet.
Thanks.
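The diagnosis above can be checked without a router. The following is an added example, not something posted in the thread: a small Python model of how IOS picks an inside-source translation. It encodes two documented IOS rules, that static translations are consulted before dynamic (list or route-map) ones, and that an extended ACL is evaluated top-down with first match and an implicit deny. The addresses come from the thread; the two test packets, the cellular address, the internet destination and the "alternative" configuration (drop the static network entry, translate VPN traffic through a pool of type match-host so the host bits are preserved, and exclude the VPN destination from the internet ACL so the two dynamic rules cannot both match) are assumptions made for the example. The model does not claim to reproduce how IOS orders two overlapping dynamic route-map rules, which is exactly why the alternative makes them mutually exclusive.

```python
"""Model of IOS inside-source NAT selection for the posted configuration.

Added example, not IOS: static entries are consulted before dynamic ones,
and extended ACLs are evaluated top-down, first match, implicit deny.
Packets, cellular address and the alternative config are constructed.
"""
import ipaddress

PUBLIC_GI0_0 = "195.222.19.93"   # site A external address, from the thread
PUBLIC_3G = "10.64.0.1"          # assumed address of Cellular0/0/0, not in the thread


def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def acl_permits(acl, pkt):
    """Extended ACL as (action, src_net, dst_net) entries; first match wins."""
    for action, src, dst in acl:
        if _in(pkt["src"], src) and _in(pkt["dst"], dst):
            return action == "permit"
    return False                      # implicit deny


def static_network(inside, outside):
    """ip nat inside source static network INSIDE OUTSIDE /len: 1:1, host bits kept."""
    i, o = ipaddress.ip_network(inside), ipaddress.ip_network(outside)

    def rule(pkt):
        src = ipaddress.ip_address(pkt["src"])
        if src in i:
            return str(o.network_address + (int(src) - int(i.network_address)))
        return None
    return rule


def route_map_overload(acl, egress, global_ip):
    """ip nat inside source route-map X interface EGRESS overload: PAT to one address."""
    def rule(pkt):
        if pkt["egress"] == egress and acl_permits(acl, pkt):
            return global_ip
        return None
    return rule


def route_map_match_host(acl, pool_net):
    """ip nat inside source route-map X pool P, pool declared 'type match-host'."""
    p = ipaddress.ip_network(pool_net)

    def rule(pkt):
        if acl_permits(acl, pkt):
            host = int(ipaddress.ip_address(pkt["src"])) & int(p.hostmask)
            return str(p.network_address + host)
        return None
    return rule


def translate(static_rules, dynamic_rules, pkt):
    """Static translations take precedence; within each group, first match."""
    for rule in list(static_rules) + list(dynamic_rules):
        out = rule(pkt)
        if out is not None:
            return out
    return pkt["src"]                 # no translation applies


ACL_1 = [("permit", "192.168.0.0/24", "0.0.0.0/0")]                # access-list 1
ACL_VPN = [("permit", "192.168.0.0/24", "192.168.10.0/24")]        # VPN_acl

# Configuration as posted: the static network entry catches every inside source.
POSTED_STATIC = [static_network("192.168.0.0/24", "192.168.11.0/24")]
POSTED_DYNAMIC = [
    route_map_overload(ACL_1, "GigabitEthernet0/0", PUBLIC_GI0_0),   # route-map WAN
    route_map_overload(ACL_1, "Cellular0/0/0", PUBLIC_3G),           # route-map 3G
    route_map_overload(ACL_VPN, "GigabitEthernet0/0", PUBLIC_GI0_0), # route-map VPN_nat_acl
]

# Assumed alternative: no static entry, VPN traffic through a match-host pool,
# internet ACL denies the VPN destination first so only one dynamic rule matches.
ACL_INTERNET = [("deny", "192.168.0.0/24", "192.168.10.0/24"),
                ("permit", "192.168.0.0/24", "0.0.0.0/0")]
ALT_DYNAMIC = [
    route_map_match_host(ACL_VPN, "192.168.11.0/24"),
    route_map_overload(ACL_INTERNET, "GigabitEthernet0/0", PUBLIC_GI0_0),
    route_map_overload(ACL_INTERNET, "Cellular0/0/0", PUBLIC_3G),
]

# Constructed packets, both leaving via the primary link.
VPN_PKT = {"src": "192.168.0.5", "dst": "192.168.10.2", "egress": "GigabitEthernet0/0"}
WEB_PKT = {"src": "192.168.0.5", "dst": "198.51.100.10", "egress": "GigabitEthernet0/0"}


def posted_translation(pkt):
    return translate(POSTED_STATIC, POSTED_DYNAMIC, pkt)


def alternative_translation(pkt):
    return translate([], ALT_DYNAMIC, pkt)


if __name__ == "__main__":
    for name, fn in (("posted", posted_translation), ("alternative", alternative_translation)):
        for pkt in (VPN_PKT, WEB_PKT):
            print(f"{name:11} {pkt['src']} -> {pkt['dst']}: source becomes {fn(pkt)}")
```

With the posted configuration the internet-bound packet leaves with source 192.168.11.5, a private address the ISP cannot return traffic to, which is what a "show ip nat trans" after a few pings to a public IP would show. With the alternative, VPN traffic keeps its 1:1 mapping into 192.168.11.0/24 (so the crypto ACL "VPN", which matches 192.168.11.0/24 sources, still applies) and internet traffic is PATted to the Gig0/0 address.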
09-28-2011 02:56 PM
ACL 1 is:
access-list 1 permit 192.168.0.0 0.0.0.255
Default routes:
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 track 1
ip route 0.0.0.0 0.0.0.0 195.222.19.94
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 253
In front is the ISP router with IP 195.222.19.94.
09-28-2011 03:32 PM
So Gig0/0 is your primary connection.
As requested earlier, can you post "show ip nat trans" after trying a few pings to a public IP from the inside IP? I would like to check what the internet traffic is getting NATted to.
Thanks.
09-28-2011 03:48 PM
Hey,
Yes, that's right, and I found the error: I wanted to NAT the whole network, but with the Cisco 1941 you can only statically NAT one IP at a time.
Thanks for taking the time to look at my question.