Need help with VPN NAT issue

fizgriz
Level 1

NAT sometimes is the bane of my existence.

I'm trying to set up a VTI site-to-site VPN with Cisco routers. The VPN connection comes up fine. My problem is that I'm using the same interface for internet access as well. My endpoints can reach the internet, but they can't reach between branches.

Routers are 4331 on Denali.

All branches are on the 10.0.0.0/8 subnet.

Here is a sample of my config:

interface Tunnel2
 ip address 192.168.250.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 keepalive 90 3
 tunnel source GigabitEthernet0/1/0
 tunnel mode ipsec ipv4
 tunnel destination X.X.X.X
 tunnel path-mtu-discovery
 tunnel protection ipsec profile vti_profile
!
interface GigabitEthernet0/1/0
 ip address X.X.X.X 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nat outside
 negotiation auto
 no cdp enable
 ip virtual-reassembly max-fragments 16 max-reassemblies 64 timeout 5
!
ip nat inside source route-map g010nat interface GigabitEthernet0/1/0 overload
!
access-list 110 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
!
route-map g010nat permit 10
 match ip address 110
 match interface GigabitEthernet0/1/0


7 Replies

balaji.bandi
Hall of Fame

You need a NAT exemption for your VPN traffic; if not, all the traffic goes directly to the internet.

object network obj-YY
 subnet yy.yy.yy.0 255.255.255.0

object network obj-XX
 subnet xx.xx.xx.0 255.255.255.0

nat (any,outside) source static obj-YY obj-YY destination static obj-XX obj-XX

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

The last command is not a Cisco IOS router command. Can you please clarify?

Also, would running the VPN through a route-map with an ACL not accomplish what I'm trying to do?

Thank you for the help!

Anybody with the correct way to do this on a 4331 and not an ASA?

Hello,

with (S)VTI tunnels, you simply use static routes. Point the default route towards the outgoing interface, and the route towards the other side of the encrypted link towards the tunnel:

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1/0
ip route 10.0.0.0 255.255.255.0 Tunnel2

Make sure the other side is configured the same way.
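To show why the static route, not the NAT ACL, is what steers branch traffic into the VTI, here is an added simulation (not from this thread or from Cisco) of the router's two decisions for one inside-to-outside packet: longest-prefix route lookup, then the route-map g010nat / access-list 110 NAT decision from the question. The local LAN 10.10.0.0/16 and remote branch 10.20.0.0/16 are constructed prefixes; the default route and the Tunnel2 route follow the accepted answer.

```python
from ipaddress import ip_address, ip_network

# Constructed routing tables. FIXED follows the accepted answer: default route out
# the WAN interface plus a route for the remote branch (assumed 10.20.0.0/16) via
# the VTI. BROKEN models the original symptom: only the default route exists.
ROUTES_FIXED = [
    (ip_network("0.0.0.0/0"), "GigabitEthernet0/1/0"),
    (ip_network("10.20.0.0/16"), "Tunnel2"),
]
ROUTES_BROKEN = [
    (ip_network("0.0.0.0/0"), "GigabitEthernet0/1/0"),
]

# access-list 110 from the question, as (action, source, destination); "any" = 0/0.
ACL_110 = [
    ("deny", ip_network("10.0.0.0/8"), ip_network("10.0.0.0/8")),
    ("permit", ip_network("10.0.0.0/8"), ip_network("0.0.0.0/0")),
]

# Only GigabitEthernet0/1/0 carries "ip nat outside"; Tunnel2 is not a NAT interface.
NAT_OUTSIDE = {"GigabitEthernet0/1/0"}


def lookup_route(routes, dst):
    """Longest-prefix match: pick the most specific route containing dst."""
    candidates = [r for r in routes if dst in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen)[1]


def acl_permits(acl, src, dst):
    """First-match ACL evaluation with IOS's implicit deny at the end."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False


def forward(routes, src, dst):
    """Return (egress interface, translated?) for an inside-to-outside packet."""
    src, dst = ip_address(src), ip_address(dst)
    egress = lookup_route(routes, dst)
    # route-map g010nat permit 10 needs both "match ip address 110" and
    # "match interface GigabitEthernet0/1/0" to be true; inside->outside NAT
    # only fires when the packet leaves via an "ip nat outside" interface.
    natted = egress in NAT_OUTSIDE and acl_permits(ACL_110, src, dst)
    return egress, natted
```

With ROUTES_BROKEN the branch-to-branch packet is exempt from NAT thanks to the deny line, but it still leaves GigabitEthernet0/1/0 unencrypted and never reaches Tunnel2; adding the route is what fixes it.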

This was it; along with a misplaced access-list, this resolved my NAT issue.

Thank you.

@Georg Pauwen provided the option for you to configure, test and advise.

BB


curdubanbogdan
Level 1

Only for policy-based VPNs do you use NAT exemption; for route-based VPNs you must use routing protocols to reach remote sites via the VTI tunnel. You can use static or dynamic routing. If you must reach just a subnet, static routing is fine.
