07-16-2019 09:00 AM
NAT sometimes is the bane of my existence.
I'm trying to set up a VTI site-to-site VPN with Cisco routers. The VPN connection comes up fine. My problem is that I'm using the same interface for internet access as well. My endpoints can reach the internet, but they can't reach between branches.
Routers are 4331s on Denali.
All branches are on the 10.0.0.0/8 subnet.
Here is a sample of my config:
interface Tunnel2
 ip address 192.168.250.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 keepalive 90 3
 tunnel source GigabitEthernet0/1/0
 tunnel mode ipsec ipv4
 tunnel destination X.X.X.X
 tunnel path-mtu-discovery
 tunnel protection ipsec profile vti_profile
!
interface GigabitEthernet0/1/0
 ip address X.X.X.X 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nat outside
 negotiation auto
 no cdp enable
 ip virtual-reassembly max-fragments 16 max-reassemblies 64 timeout 5
!
ip nat inside source route-map g010nat interface GigabitEthernet0/1/0 overload
!
access-list 110 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
!
route-map g010nat permit 10
 match ip address 110
 match interface GigabitEthernet0/1/0
07-16-2019 01:40 PM
Hello,
with (S)VTI tunnels, you simply use static routes. Point the default route towards the outgoing interface, and the route towards the other side of the encrypted link towards the tunnel:
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1/0
ip route 10.0.0.0 255.255.255.0 Tunnel2
Make sure the other side is configured the same way.
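As an added worked example (not the thread's own config; addresses are constructed from RFC 5737 space, with 10.1.0.0/16 and 10.2.0.0/16 assumed as the two branch LANs), this is the complete two-site layout the answer above describes: static routes steer branch-to-branch traffic into the VTI, and the route-map NAT only ever sees internet-bound flows:

```cisco
! ---- Site A (constructed addresses): LAN 10.1.0.0/16, uplink 198.51.100.2, peer 203.0.113.2 ----
interface GigabitEthernet0/0/0
 description Branch LAN (NAT inside)
 ip address 10.1.0.1 255.255.0.0
 ip nat inside
!
interface GigabitEthernet0/1/0
 description Internet uplink; NAT outside and VTI tunnel source
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
!
interface Tunnel2
 description Route-based (SVTI) tunnel to Site B; deliberately NOT "ip nat outside"
 ip address 192.168.250.1 255.255.255.252
 tunnel source GigabitEthernet0/1/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile vti_profile
!
! Routing does the steering: everything defaults out the uplink, while the remote
! branch LAN is routed into the tunnel and so never crosses the NAT outside interface.
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1/0 198.51.100.1
ip route 10.2.0.0 255.255.0.0 Tunnel2
!
! NAT policy: translate only internet-bound traffic. The deny line is a guard so that
! branch-to-branch flows stay untranslated even if the tunnel is later marked NAT outside.
ip access-list extended NAT-INTERNET
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 any
!
route-map g010nat permit 10
 match ip address NAT-INTERNET
 match interface GigabitEthernet0/1/0
!
ip nat inside source route-map g010nat interface GigabitEthernet0/1/0 overload
!
! ---- Site B (constructed): LAN 10.2.0.0/16, uplink 203.0.113.2; the mirror image ----
interface Tunnel2
 ip address 192.168.250.2 255.255.255.252
 tunnel source GigabitEthernet0/1/0
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile vti_profile
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1/0 203.0.113.1
ip route 10.1.0.0 255.255.0.0 Tunnel2
! (same NAT-INTERNET ACL, route-map and "ip nat inside source" line as Site A)
```

To confirm the split, `show ip route 10.2.0.0` on Site A should list Tunnel2 as the egress, and `show ip nat translations` should contain no entries whose destination is a 10.x address.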
07-16-2019 09:16 AM
You need a NAT exemption for your VPN traffic; if not, all the traffic goes directly to the internet.
object network obj-YY
 subnet yy.yy.yy.0 255.255.255.0
object network obj-XX
 subnet xx.xx.xx.0 255.255.255.0
nat (any,outside) source static obj-YY obj-YY destination static obj-XX obj-XX
07-16-2019 10:06 AM
The last command is not a Cisco IOS router command. Can you please clarify?
Also, wouldn't running the VPN through a route-map with an ACL accomplish what I'm trying to do?
Thank you for the help!
07-16-2019 12:54 PM
Anybody with the correct way to do this on a 4331 and not an ASA?
07-17-2019 09:06 AM
This was it. Together with fixing a misplaced access-list, this resolved my NAT issue.
Thank you.
07-17-2019 06:05 AM
@Georg Pauwen provided the option for you to configure, test and advise.
07-17-2019 02:27 AM
Only for policy-based VPNs do you use NAT exemption; for route-based VPNs you must use routing to reach remote sites via the VTI tunnel. You can use static or dynamic routing. If you must reach just a subnet, static routing is fine.