12-17-2006 10:01 AM - edited 03-03-2019 03:04 PM
I have my router set up with 2 NAT commands to forward traffic coming in on certain ports to 2 different servers based on what the port number is. I have this set up so I can VNC into the servers remotely.
ip nat inside source static tcp 172.16.0.17 5959 interface FastEthernet0/1 5959
ip nat inside source static tcp 172.16.0.16 5900 interface FastEthernet0/1 5900
My problem is now I have a VPN tunnel set up from my house to the lab router, so when I'm home I'd like to be able to VNC to the servers directly through the VPN tunnel. So I don't need those IPs translated when I'm on the VPN tunnel, but I do need them translated when I'm remote but NOT on the VPN tunnel. Hope that all makes sense! Thanks!!
12-17-2006 05:26 PM
Which router are you using?
Try using a NAT 0 statement with an access-list containing your home and office networks.
Muhammad
12-17-2006 08:02 PM
It is a 2621XM router.
I was looking into doing it with an access-list, but it doesn't look like you can use a port number with a NAT command that uses an access-list.
12-17-2006 08:06 PM
You need to define the port number and the source and destination networks within the access-list and then use it with NAT 0.
Muhammad
12-17-2006 08:16 PM
Can you post me an example of the commands I need? Thanks.
12-17-2006 08:29 PM
On the VPN tunnel you should be running NAT0 for any traffic between your office and home network over the VPN tunnel.
Something like this:
access-list nat0 permit ip officenetwork homenetwork
nat (inside) 0 access-list nat0
Muhammad
12-17-2006 08:39 PM
I created the access list:
access-list 100 permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0
What would my nat command be? What you gave me doesn't work. I tried ip nat inside access-list 100, but it didn't like that command. Thanks.
12-17-2006 08:50 PM
Sorry, I totally ignored the device you are using. Anyway, here is the document which should tell you exactly what to do. Look at the router configuration in the document and modify the statements according to your situation.
http://www.cisco.com/warp/public/110/39.html
Muhammad
12-17-2006 08:59 PM
I already have all of that in my config. But it's the following lines that are overriding things.
ip nat inside source static tcp 172.16.0.17 5959 interface FastEthernet0/1 5959
ip nat inside source static tcp 172.16.0.16 5900 interface FastEthernet0/1 5900
So when I try and VNC to 172.16.0.16 or 172.16.0.17 I can't reach the servers because the address is being translated. As soon as I delete those lines, I can VNC to those IPs from the remote VPN site. But when I take them out, I then can't get in from the outside (cable internet) connection.
12-17-2006 09:06 PM
Can you post your config?
12-17-2006 09:17 PM
Have a look at this one,
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#qa17
Muhammad
12-17-2006 09:23 PM
The router and PIX IPs have been removed. There are some access-lists and route-maps in the config for some things I was trying, but they didn't work.
12-17-2006 09:26 PM
12-17-2006 10:05 PM
Try this. You can adjust it more according to your needs, but this should solve your problem. The problem is that static NAT has preference over the dynamic:
ip nat inside source static 172.16.0.17 External IP route-map nostatic
!
access-list 161 deny ip host 172.16.0.17 172.16.1.0 0.0.0.255
access-list 161 permit ip host 172.16.0.17 any
!
route-map nostatic permit 10
match ip address 161
Let me know if this solved your problem, and please rate all the posts which may have helped you.
Muhammad
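A small model of the decision the route-map above makes, added here as an illustration and not taken from any poster's configuration: it evaluates access-list 161 with IOS wildcard-mask semantics to show which flows from 172.16.0.17 still get the static translation. The peer addresses 172.16.1.25 and 203.0.113.10 are constructed samples, and the second pair of lists shows how an entry written with subnet masks evaluates when those masks are read as wildcards.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse 'access-list N permit|deny ip <src> <dst>' (host / any / addr wildcard)."""
    tok = line.split()
    action, rest, specs = tok[2], tok[4:], []
    while rest:
        if rest[0] == "any":
            specs.append(("0.0.0.0", "255.255.255.255")); rest = rest[1:]
        elif rest[0] == "host":
            specs.append((rest[1], "0.0.0.0")); rest = rest[2:]
        else:
            specs.append((rest[0], rest[1])); rest = rest[2:]
    return action, specs[0], specs[1]

def acl_permits(acl_lines, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for line in acl_lines:
        action, s, d = parse_ace(line)
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action == "permit"
    return False

ACL_161 = [
    "access-list 161 deny ip host 172.16.0.17 172.16.1.0 0.0.0.255",
    "access-list 161 permit ip host 172.16.0.17 any",
]
# The same networks written with subnet masks and with wildcard masks.
MASK_FORM = ["access-list 100 permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0"]
WILDCARD_FORM = ["access-list 100 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255"]

def static_nat_applies(src, dst):
    """Models 'route-map nostatic permit 10' with 'match ip address 161'."""
    return acl_permits(ACL_161, src, dst)

if __name__ == "__main__":
    for dst in ("172.16.1.25", "203.0.113.10"):  # constructed VPN-side and Internet peers
        verdict = "static NAT" if static_nat_applies("172.16.0.17", dst) else "untranslated"
        print("172.16.0.17 ->", dst, ":", verdict)
    for name, acl in (("subnet masks", MASK_FORM), ("wildcard masks", WILDCARD_FORM)):
        print(name, "match server-to-VPN traffic:", acl_permits(acl, "172.16.0.17", "172.16.1.25"))
```

Traffic to the 172.16.1.0/24 side hits the deny entry, so the route-map does not match and the static translation is skipped; everything else from that host is still translated.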