09-15-2011 04:17 AM - edited 03-04-2019 01:37 PM
Hi Dears.
I configured IPsec remote VPN on a Catalyst 6500.
192.168.14.0/24 -- my servers are assigned this subnet
VPN users: 10.10.10.0/24
192.168.10.229 -- webserver IP address
ip access-list extended NAT
deny ip 192.168.14.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 192.168.14.0 0.0.0.255 any
ip nat inside source list NAT pool Internet overload
OK, this is a normal configuration, and when I connect to the IPsec VPN the connection is OK.
I have one webserver and I did a static NAT translation:
ip nat inside source static tcp 192.168.14.229 8881 79.x.x.x 80 extendable
ip nat inside source static tcp 192.168.14.229 8881 79.x.x.x 8881
The static NAT is working and any user can access our site from outside.
My problem is:
When I am connected to the VPN and want to access the webserver, I open Explorer and type 192.168.14.229:8881
but I cannot access it.
I do not want to use split tunnel. How do I solve this issue?
Please help me.
i can not access we
09-15-2011 04:59 AM
The problem here is that the server gets NATed before being encapsulated into the VPN tunnel.
What you can do is policy static NAT, as per below:
access-list 100 permit ip 192.168.14.0 0.0.0.255 10.10.10.0 0.0.0.255
route-map nat deny 10
 match ip address 100
route-map nat permit 20
ip nat inside source static tcp 192.168.14.229 8881 71.x.x.x 8881 route-map nat
Make sure you clear the current NAT translation table after you add this command.
Hope this helps.
If helpful, rate.
09-15-2011 05:18 AM
Yes, I agree with you. I know I must do policy NAT; I do not know how to write it, so you can help me.
1. access-list 100 permit ip 192.168.14.0 0.0.0.255 10.10.10.0 0.0.0.255
Why did we use the permit command in this access list, not the deny command?
2. route-map nat deny 10
 match ip address 100
We write the route map as deny, but in the access list we use the permit command?
3. route-map nat permit 20
Where do we use this route map?
Thanks
09-15-2011 05:39 AM
OK.
With ACLs and route maps you can use permit in the ACL to match the traffic and deny in the route map to deny the traffic matched by the ACL.
And you can do it the other way around.
The other route map sequence, 20, means permit anything else, like the permit any any in an ACL, as the first one we had was a deny.
In brief, the above config matches ACL 100 and excludes it from being NATed, and then NATs anything else.
Hope this helps.
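The permit-in-ACL / deny-in-route-map logic from the replies above, modeled in Python as an added example (not code from the thread or from Cisco). ACL 101, the route map name nat_alt and the two destination addresses are constructed here to show the "other way around" variant and to exercise both paths.

```python
import ipaddress

def _hit(addr, net, wildcard):
    # IOS wildcard mask: 0 bits must match, 1 bits are "don't care"
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(net)) & care)

def acl_permits(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if _hit(src, s_net, s_wc) and _hit(dst, d_net, d_wc):
            return action == "permit"
    return False

def route_map_action(route_map, src, dst):
    """Return (action, sequence) of the first route-map entry that matches.
    An entry with no match clause (acl=None) matches everything."""
    for seq, action, acl in sorted(route_map, key=lambda e: e[0]):
        if acl is None or acl_permits(acl, src, dst):
            return action, seq
    return "deny", None  # implicit deny at the end of the route map

# access-list 100 permit ip 192.168.14.0 0.0.0.255 10.10.10.0 0.0.0.255
ACL_100 = [("permit", "192.168.14.0", "0.0.0.255", "10.10.10.0", "0.0.0.255")]
# route-map nat deny 10 / match ip address 100 ; route-map nat permit 20
ROUTE_MAP_NAT = [(10, "deny", ACL_100), (20, "permit", None)]

# "The other way around" (constructed): deny in the ACL, permit in the route map
ACL_101 = [("deny", "192.168.14.0", "0.0.0.255", "10.10.10.0", "0.0.0.255"),
           ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")]
ROUTE_MAP_NAT_ALT = [(10, "permit", ACL_101)]

def static_nat_applies(src, dst, route_map=ROUTE_MAP_NAT):
    """The static NAT entry is used only when the route map permits the flow."""
    return route_map_action(route_map, src, dst)[0] == "permit"

if __name__ == "__main__":
    server = "192.168.14.229"
    # Constructed destinations: a VPN pool client and an Internet host
    for dst in ("10.10.10.5", "203.0.113.10"):
        for name, rm in (("nat", ROUTE_MAP_NAT), ("nat_alt", ROUTE_MAP_NAT_ALT)):
            print(f"{server} -> {dst} via route-map {name}: "
                  f"translate={static_nat_applies(server, dst, rm)}")
```

Both route maps leave server-to-VPN-client traffic untranslated, so it keeps its 192.168.14.x source inside the tunnel, and they still translate everything else.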