06-13-2013 07:57 AM - edited 03-04-2019 08:11 PM
Hello,
Seemingly simple question here.
I have an internal host (192.168.100.100) that needs to be statically NATed to an external address (222.222.222.222) EXCEPT when going to a subnet across our Site to Site VPN tunnel (192.168.150.0).
This was my setup:
! ACL referenced by the route-map: a deny here only means "do not apply this static entry"
ip access-list extended NAT-RULE
 deny ip host 192.168.100.100 192.168.150.0 0.0.0.255
 permit ip host 192.168.100.100 any
 permit tcp host 192.168.100.100 any
 permit udp host 192.168.100.100 any
! IOS syntax is "match ip address", not "ip match address"
route-map NAT-MAP permit 10
 match ip address NAT-RULE
ip nat inside source static 192.168.100.100 222.222.222.222 route-map NAT-MAP
After putting this in, the host (192.168.100.100) was instead routed over my overloaded WAN address (222.222.222.221). I can verify this in show ip nat translations.
Do I need an extendable command on this?
Currently the setup is:
ip nat inside source static 192.168.100.100 222.222.222.222 extendable
This is working great (with exception of going to the VPN subnet).
Any other reason it was NATed to the overload interface?
06-21-2013 11:20 PM
Hello Jason,
Unfortunately you haven't provided the whole NAT configuration; we can guess that there is a NAT overload statement using the WAN interface as the public address.
If this is true, the NAT overload statement also needs to use an extended ACL and to deny traffic between the specific host and the destinations that are reached via the VPN tunnel.
If you do so you should be able to see the correct behaviour.
Now you are falling back from static NAT to NAT overload because of the deny statement in the route-map you use.
For better troubleshooting, use a different ACL and a different route-map to modify the NAT overload statement.
Hope to help
Giuseppe
06-22-2013 06:55 AM
I apologize for that.
There is a NAT rule on the WAN interface with overload:
ip nat inside source list NAT interface GigabitEthernet0/1 overload
Extended IP access list NAT
10 deny ip 192.168.100.0 0.0.0.255 192.168.150.0 0.0.0.255 (43931028 matches)
20 permit ip 192.168.100.0 0.0.0.255 any (7221351 matches)
I have the rule exclude any traffic from my LAN going to the VPN LAN, which works for all cases except for the static rule I'm trying to create.
Thoughts?
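The fall-through Giuseppe describes (a deny in the route-map's ACL skips the static entry, and the next NAT statement then gets a chance) can be checked with a small model of the rule walk. This is an added Python example, not configuration from the thread or IOS behaviour in every detail; the ACL NAT-RULE is the one from the first post, the "guessed" overload ACL is a constructed version without the VPN exception, and the "posted" one mirrors the ACL shown later in the thread.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")          # IOS keyword "any"
def host(a): return (a, "0.0.0.0")             # IOS keyword "host A.B.C.D"

def matches(addr, spec):
    """IOS address/wildcard match: a wildcard bit of 1 means 'don't care'."""
    a, w = spec
    care = ~int(ipaddress.IPv4Address(w)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(a)) & care)

def acl_permits(acl, src, dst):
    """First matching ACE decides; an ACL with no matching ACE denies implicitly."""
    for action, s, d in acl:
        if matches(src, s) and matches(dst, d):
            return action == "permit"
    return False

def translate(nat_rules, src, dst):
    """Walk NAT statements in order. A deny only skips that statement; it does not stop NAT."""
    for acl, outside in nat_rules:
        if acl_permits(acl, src, dst):
            return outside
    return None   # no translation: packet keeps its inside address (what the tunnel wants)

HOST, STATIC, OVERLOAD = "192.168.100.100", "222.222.222.222", "222.222.222.221"
LAN, VPN = ("192.168.100.0", "0.0.0.255"), ("192.168.150.0", "0.0.0.255")

# ACL NAT-RULE from the first post, referenced by route-map NAT-MAP on the static entry.
NAT_RULE = [("deny", host(HOST), VPN), ("permit", host(HOST), ANY)]
# Overload ACL as Giuseppe assumed it (constructed): LAN to anywhere, no VPN exception.
NAT_GUESSED = [("permit", LAN, ANY)]
# Overload ACL as posted later in the thread: VPN traffic excluded, then LAN to anywhere.
NAT_POSTED = [("deny", LAN, VPN), ("permit", LAN, ANY)]

def before(): return [(NAT_RULE, STATIC), (NAT_GUESSED, OVERLOAD)]
def after():  return [(NAT_RULE, STATIC), (NAT_POSTED, OVERLOAD)]

if __name__ == "__main__":
    for label, rules in (("no VPN deny in overload ACL", before()), ("VPN deny in both ACLs", after())):
        print(label)
        for dst in ("8.8.8.8", "192.168.150.10"):
            print(f"  {HOST} -> {dst}: {translate(rules, HOST, dst)}")
```

With only the route-map ACL denying VPN traffic, the host's tunnel-bound packets fall through to the overload address; once the overload ACL carries the same deny, they leave untranslated.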