Cisco 1841 NAT Statement

Nicholas Beard
Level 1

I am looking for some help regarding a NAT statement, to prevent some statically NAT'd servers from translating through a VPN tunnel.

I have an overload PAT which references a route map which in turn references an access list as follows -

ip nat inside source route-map RMAP1 interface FastEthernet0 overload

route-map RMAP1 permit 10

match ip address 105

access-list 105 deny ip 192.168.1.x 0.0.0.255 192.168.2.x 0.0.0.255

access-list 105 permit ip 192.168.1.x 0.0.0.255 any

Traffic from the network which matches the PAT statement, successfully traverses the VPN Site to Site Tunnel without being NAT'd.

My problem is with the static NAT translations.  I have two servers which are statically NAT'd as follows -

ip nat inside source static network 192.168.1.x 87.83.x.x /32

ip nat inside source static network 192.168.1.x 87.83.x.x /32

I basically need to know the necessary NAT statements required to prevent the servers from being NAT'd through the tunnel.

Any help would be greatly appreciated.

Latchum Naidu
VIP Alumni

Hi,

What type of tunnel do you have? If it is IPsec then please do like below...
What ports do you want to allow through NAT, I mean do you need PAT?
If yes please specify the port numbers here, or you can mention those port numbers at the end of the access list, saying like "eq 443".

If there is no PAT, only open NAT, then create an access list like below...

access-list 105 deny ip host 192.168.1.x any
access-list 105 deny ip host 192.168.1.x any

Under the tunnel apply the above access list like below...

crypto map vpn 4 ipsec-isakmp
set peer 15.15.15.1
set transform-set xxxxxxxx
match address 105


Hope this helps you.
Please rate the helpful posts.

Regards,
Naidu.

It is an IPSec Site to Site Tunnel

Site #1 - 192.168.1.x/24

Site #2 - 192.168.2.x/24

I have two one to one NAT statements for two servers on the LAN at 192.168.1.x/24 as follows -

ip nat inside source static 192.168.1.x 87.83.x.x /32

ip nat inside source static 192.168.1.x 87.83.x.x /32

I then have a NAT overload which translates ALL hosts on the inside network to the outside interface of the router -

ip nat inside source route-map RMAP1 interface FastEthernet0 overload

The route map that is called by the above NAT overload statement then matches the access list 105 as follows -

access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 105 permit ip 192.168.1.0 0.0.0.255 any

The crypto map is specified as follows -

crypto map VPNCMAP1 1 ipsec-isakmp
description VPN Tunnel to x.x.x.x
set peer x.x.x.x
set transform-set X-X-X
match address 109

The access list referred to in the crypto map is as follows -

access-list 109 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

The problem I am encountering is ONLY with the two servers that have one to one NAT statements.  The router tries to NAT these down the VPN tunnel, therefore causing remote hosts to be unable to access them.  What I believe I need to do is create NAT statements which exempt the servers from being NAT'd when accessing the 192.168.2.0/24 network.

Hi,

The config that you have looks fine, and doing the NAT exempt like below will help you...

And I hope the public NATed IP and your router public IP, which the remote site is using as a peer, are not the same.

What would be the best way to go with setting up NAT bypass on a router? Is it just a matter of changing the entries in the access-list with deny statements for the subnets you'd like to exempt from NAT translation and keeping all other config the same?


Define the range of local addresses permitted to participate in the translation using an access-list.

Router(config)#access-list NO permit ip 192.168.1.0 0.0.0.255 any
Router(config)#access-list NO deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

where NO is the number of the access list, which is usually a standard access list


Now associate the pool and the local range in a dynamic NAT translation command,

Router(config)#ip nat inside source list NO interface TYPE INTNO overload

Please rate the helpful posts.


Regards,
Naidu.

Yes, this is exactly what I have done; traffic from 192.168.1.x/24 passing over the VPN tunnel to 192.168.2.x/24 is working successfully.  However, I still have a problem with the two servers which are statically NAT'd.

The NAT statements are as follows -

ip nat inside source static network 192.168.1.x 87.83.x.x /32
ip nat inside source static network 192.168.1.x 87.83.x.x /32

Both of the statically NAT'd servers above cannot access the VPN tunnel because they are being NAT'd.  The access list referenced in the overload statement is 105 which is as follows -


access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any

But this does not include the two statically NAT'd servers, therefore what I am looking for is the command to exclude the two servers above.  Do I need to write separate NAT statements to prevent these servers from being NAT'd through the tunnel?

Yes, that could work out...

Also change the access-list 105 order like below, please do it first and see...

access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Please rate the helpful posts.

Regards,

Naidu.

I have managed to find the correct configuration, thank you for your help.

ip nat inside source static 192.168.1.x 87.83.x.x /32 route-map R_MAP_1

ip nat inside source static 192.168.1.x 87.83.x.x /32 route-map R_MAP_1

The above NAT statements reference the route-map which controls the traffic -

route-map R_MAP_1 permit 1

match ip address 105

The above route map references the access-list 105 which is as follows -

access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any

Calling the route map within the static NAT statements causes the traffic not to be NAT'd through the tunnel.
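To make the behaviour in this thread concrete, here is a small Python model of how IOS evaluates these rules. It is an added example, not configuration or code from the thread or from Cisco, and it simplifies IOS to the points that matter here: wildcard-mask ACLs are evaluated first match with an implicit deny, a static translation is consulted before the dynamic overload rule, and a static entry bound to a route map translates only when the route map's ACL permits. All addresses are constructed: 192.168.1.10 stands for one of the servers, 87.83.0.10 for its masked 87.83.x.x public address, 198.51.100.1 for FastEthernet0, 192.168.2.20 for a host at the remote site and 203.0.113.5 for an Internet host. It covers Naidu's ACL suggestions and the final working configuration, including why the reversed ACL order (permit before deny) never exempts anything.

```python
"""Toy model of IOS NAT evaluation: wildcard ACLs, route-map gating, static-before-dynamic.

Added example; not configuration from the thread. All addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # the IOS "any" keyword as address + wildcard


@dataclass(frozen=True)
class Ace:
    """One entry of a numbered extended ACL (only source/destination are modelled)."""
    action: str        # "permit" or "deny"
    src: str
    src_wild: str      # IOS wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: str
    dst_wild: str


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """True when addr matches net under an IOS wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    care = 0xFFFFFFFF ^ w              # bits that must agree
    return (a ^ n) & care == 0


def acl_lookup(acl: Tuple[Ace, ...], src: str, dst: str) -> str:
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wild) and wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


@dataclass(frozen=True)
class StaticNat:
    """ip nat inside source static LOCAL GLOBAL [route-map RM]; route_map_acl is RM's match ACL."""
    local: str
    global_: str
    route_map_acl: Optional[Tuple[Ace, ...]] = None   # None = unconditional translation


@dataclass(frozen=True)
class DynamicNat:
    """ip nat inside source route-map RM interface FastEthernet0 overload."""
    route_map_acl: Tuple[Ace, ...]
    interface_addr: str


def nat_source(src: str, dst: str, statics: Tuple[StaticNat, ...], dynamic: DynamicNat) -> str:
    """Return the source address after inside-to-outside NAT (simplified IOS precedence)."""
    # Static translations are consulted before the dynamic overload rule.
    for s in statics:
        if src == s.local:
            if s.route_map_acl is not None and acl_lookup(s.route_map_acl, src, dst) == "deny":
                return src                     # route-map denies: leave the packet untranslated
            return s.global_
    # No static entry: fall through to the route-map controlled overload.
    if acl_lookup(dynamic.route_map_acl, src, dst) == "permit":
        return dynamic.interface_addr
    return src


# --- Constructed addresses (placeholders for the masked values in the thread) ---
SERVER_LOCAL, SERVER_GLOBAL = "192.168.1.10", "87.83.0.10"
WORKSTATION, FA0 = "192.168.1.50", "198.51.100.1"
REMOTE_HOST, INTERNET_HOST = "192.168.2.20", "203.0.113.5"

# access-list 105 as finally used: deny VPN traffic first, then permit everything else.
ACL_105 = (
    Ace("deny",   "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    Ace("permit", "192.168.1.0", "0.0.0.255", *ANY),
)
# The reversed order suggested mid-thread: the permit-any line shadows the deny.
ACL_105_REVERSED = tuple(reversed(ACL_105))

DYNAMIC = DynamicNat(ACL_105, FA0)
STATIC_BEFORE = (StaticNat(SERVER_LOCAL, SERVER_GLOBAL),)                    # no route-map
STATIC_AFTER = (StaticNat(SERVER_LOCAL, SERVER_GLOBAL, ACL_105),)            # route-map R_MAP_1
STATIC_REVERSED = (StaticNat(SERVER_LOCAL, SERVER_GLOBAL, ACL_105_REVERSED),)


if __name__ == "__main__":
    cases = [("before fix", STATIC_BEFORE), ("after fix", STATIC_AFTER), ("reversed ACL", STATIC_REVERSED)]
    for label, statics in cases:
        for host in (SERVER_LOCAL, WORKSTATION):
            for dst in (REMOTE_HOST, INTERNET_HOST):
                print(f"{label:13} {host} -> {dst}: source becomes {nat_source(host, dst, statics, DYNAMIC)}")
```

Running it shows the server reaching the remote site as 87.83.0.10 before the fix (the unconditional static entry wins over the overload rule's deny), as 192.168.1.10 once the static entry carries the route map, and as 87.83.0.10 again with the reversed ACL, because the permit-any line matches before the deny is ever reached.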