Policy based static Natting - HELP

carl_townshend
Spotlight

Hi All

We have a requirement whereby we have a device which needs to be accessible from the outside, so we have done a 1 to 1 static NAT from our dialer interface using a port number; this works fine.

However, the same router has a site to site VPN connected to our HQ. We need to be able to access this same device over the VPN tunnel, however it doesn't seem to work. When we remove the static translation, it then works.

Obviously we have a no-NAT configured for the site to site tunnel, but we need it to be able to work both ways.

Is this possible?


Jon Marshall
Hall of Fame

You need to use a route map with your NAT.

See this thread for details -

https://supportforums.cisco.com/discussion/12544291/ipsec-ip-nat-inside-source-static

Jon


Hello

We need to be able to access this same device over the vpn tunnel. however it doesnt seem to work

Not sure I understand this - isn't your site-to-site VPN connecting internally?

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi

Yes, the site to site connects to us internally.

However, we have a third party who also requires access to this device from the internet, hence the static translation.

Hello Carl

As you have stated, you have already created the static translation - correct?

What is the need for another one? I must be missing something, apologies!

res

Paul



Basically, it works when coming from the internet, but if I try to access the inside IP over a VPN tunnel, it does not work. It's almost like the return traffic is getting NATed.

Any ideas?

Hello

Are you trying via the external IP or the internal one?

Also, what's your DNS - do you have A records relating to the internal and external addressing?

res

paul



OK.

Basically we need to access a device on the LAN behind the router, from both the internet, using a static 1 to 1 NAT as below:

ip nat inside source static tcp 172.16.1.1 30000 interface Dialer1 30000

This router also has a VPN to our HQ using a crypto map.

We need to be able to access the 172.16.1.1 address over the VPN also, but it fails.

If we take the ip nat static translation off, it works fine over the VPN.

How would we fix this so we can connect both ways?

I have already answered your question above.

See the link I provided.

Jon

Hello,

Are you using a GRE tunnel for the VPN, or are you using a crypto map on the dialer interface?

If you are using a Tunnel interface, you do not need to be concerned about NAT because you (probably) do not have ip nat outside on that interface. But if you use a crypto map, you need to do translation based on policy. It can be done with a route-map. Please explain more about your configuration.

Masoud

All sorted, thank you. Used a route map with the deny statement.

Worked a treat.

Many thanks for your help.
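For anyone landing here later, this is an added IOS example of the route-map approach Jon and Masoud describe (it is not the original poster's config). It assumes the LAN is 172.16.1.0/24, the HQ LAN behind the tunnel is 10.10.0.0/24 (placeholder), the crypto map is called VPN-MAP and the inside interface is Vlan1; the static entry itself is the one from the thread.

```cisco
! Added example, not from the thread. Placeholders: HQ LAN 10.10.0.0/24,
! crypto map VPN-MAP, inside interface Vlan1.
!
! Extended ACL that identifies traffic bound for HQ over the IPsec tunnel.
! It must be extended because the decision is made on the destination.
ip access-list extended VPN-TRAFFIC
 permit ip 172.16.1.0 0.0.0.255 10.10.0.0 0.0.255.255
!
! Policy route-map: the deny sequence stops translation for tunnel traffic,
! the empty permit sequence lets everything else be translated as normal.
route-map NAT-NOT-VPN deny 10
 match ip address VPN-TRAFFIC
route-map NAT-NOT-VPN permit 20
!
! The 1 to 1 static port forward from the thread, now tied to the route-map,
! so replies from 172.16.1.1 to HQ are no longer rewritten to the Dialer1 IP.
ip nat inside source static tcp 172.16.1.1 30000 interface Dialer1 30000 route-map NAT-NOT-VPN
!
! Ordinary PAT for the rest of the LAN, using the same no-NAT policy.
ip nat inside source route-map NAT-NOT-VPN interface Dialer1 overload
!
interface Dialer1
 ip nat outside
 crypto map VPN-MAP
!
interface Vlan1
 ip nat inside
```

After applying it, open a session from HQ to 172.16.1.1, then check `show ip nat translations` (there should be no entry mapping that flow to the Dialer1 address) and `show route-map NAT-NOT-VPN` (the deny 10 counters should increment); a session from the internet to Dialer1:30000 should still create the static translation as before.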
