Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
376
Views
0
Helpful
2
Replies

Help me understand a NAT/VPN issue

Go to solution
jesper_petersen
Level 1
Level 1

‎03-07-2009 12:41 PM - edited ‎03-06-2019 04:27 AM

Hello all,

I've stumbled upon something that I cannot explain and I could use some help in order to understand what is happening :)

The problem, as I see it, is as follows (in short terms):

My router seems to do NAT on the return packets on an incoming connection that arrives via the VPN connection. This only happens to packets that are using ports that I have forwarded using ip nat inside source static...

I am using nat exempt for the VPN connections. The NAT exempts are working just fine except when they seem to "collide" with port forwardings.

This translation entry is listed after i try to telnet from a 10.0.0.x host to 10.45.131.23 port 80:

Cisco_1811#sh ip nat t | inc 10.0.0.

tcp 172.16.0.64:80 10.45.131.23:80 10.0.0.6:1872 10.0.0.6:1872

How can I make the router not do NAT at all on the VPN connections?

I'm suspecting it's because I'm using route-map instead of lists in the NAT overload statement.

P.S.

The router has 172.16.0.64 as its "public" ip and the config is attached to this message.

Labels:
Preview file
11 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Yudong Wu
Level 7
Level 7

‎03-07-2009 07:04 PM

You can try to add a route-map which will deny all VPN related traffic on all static nat entries.

ip nat inside source static tcp 1.1.1.1 80 2.2.2.2 80 route-map xxx

By the way, It seems your vpn config is incomplete. I did not see pre-share key and peer ip are configured.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Yudong Wu
Level 7
Level 7

‎03-07-2009 07:04 PM

You can try to add a route-map which will deny all VPN related traffic on all static nat entries.

ip nat inside source static tcp 1.1.1.1 80 2.2.2.2 80 route-map xxx

By the way, It seems your vpn config is incomplete. I did not see pre-share key and peer ip are configured.

0 Helpful

Go to solution
jesper_petersen
Level 1
Level 1
In response to Yudong Wu

‎06-18-2010 04:19 AM 

kwu2 wrote:
You can try to add a route-map which will deny all VPN related traffic on all static nat entries.
ip nat inside source static tcp 1.1.1.1 80 2.2.2.2 80 route-map xxx
By the way, It seems your vpn config is incomplete. I did not see pre-share key and peer ip are configured.


Hi kwu2

Just wanted to thank you. You were correct

And for others in the same sitaution here is a link to a blog that describes the problem and fix.

http://www.ciskoblog.com/2008/02/static-nat-inac.html

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card