Static Policy-nat on Cisco IOS issues

lap
Level 2

Hi all,

I have a static policy-NAT issue on a Cisco IOS router (2921). First of all, I attach the drawing, which includes the configuration (only for Site A):

Troubleshooting_PolicyNat.jpeg

So my issue is that when Server 1 tries to telnet to 10.141.60.98, for example, traffic is NATted to 10.10.10.2 (inside global) instead of 10.131.50.88.

As soon as I do: ip nat inside source static 192.168.107.15 10.131.50.88, traffic is NATted correctly and the IPsec tunnel comes up. But of course I don't want all the traffic from 192.168.107.15 to be NATted to 10.131.50.88, only traffic with IP destination 10.141.60.98; that's why I was using static policy-NAT.

Any idea why that is happening?

Best Regards,

Laurent

3 Replies

lap
Level 2

Hi,

I add a little correction to my previous post:

I said in my previous post:

"As soon as I do: ip nat inside source static 192.168.107.15 10.131.50.88, traffic is NATted correctly and the IPsec tunnel comes up."

That is actually wrong! The tunnel will not come up in either case. I can see from the debug output that traffic initiated by Server 1 (192.168.107.15) to destination 10.141.60.98 is NATted to 10.131.50.88, but that is it! The tunnel won't come up.

That is strange because in the crypto ACL Crypto_Map_ToSiteB I can see that the ACL is hit by packets, so there is something wrong somewhere!

Any ideas?

Best regards,

Laurent

Hi,

So I fixed the issue. The problem was that I had to deny the IP source (192.168.107.15) and IP destination (10.141.60.98) from being NATted in the general NAT rule.

Kind of weird, because on the ASA you don't need to do that.

Good to know anyway the difference in config between a Cisco IOS router and a Cisco ASA.

Best Regards,

Laurent

lap@axcess.dk Thank you for your post! It helped me a lot. I have pretty much the same configuration. I added a deny rule to the general overload NAT rule. Wrote a small post about it:

http://philozow.com/2013/03/12/cisco-ios-policy-static-nat-with-ipsec/
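The fix described in the two replies above (exclude the policy-NAT source/destination pair from the general overload NAT ACL, and keep the route-map based static NAT for that pair only), written out as an added IOS configuration example. This is not the poster's configuration from the drawing; the addresses are the ones quoted in the thread, while the ACL names, the route-map name, the 192.168.107.0/24 inside subnet and the GigabitEthernet0/0 outside interface are assumptions made for the example.

```cisco
! --- Added example (assumed names and interfaces), not the original poster's config ---
!
! General overload NAT for the inside subnet (assumed 192.168.107.0/24).
! The first line is the fix from the thread: the server-to-Site-B pair is
! denied here so the overload rule never claims that flow and it can be
! translated by the policy static NAT below instead.
ip access-list extended NAT_OVERLOAD
 deny   ip host 192.168.107.15 host 10.141.60.98
 permit ip 192.168.107.0 0.0.0.255 any
!
! Traffic that must be translated to 10.131.50.88: only Server 1 talking
! to 10.141.60.98 (the host behind the Site B IPsec tunnel).
ip access-list extended POLICY_NAT_SITEB
 permit ip host 192.168.107.15 host 10.141.60.98
!
route-map POLICY_NAT_SITEB permit 10
 match ip address POLICY_NAT_SITEB
!
! Static policy NAT: 192.168.107.15 -> 10.131.50.88 only when the route-map matches.
ip nat inside source static 192.168.107.15 10.131.50.88 route-map POLICY_NAT_SITEB
!
! General overload NAT for everything else (outside interface is an assumption).
ip nat inside source list NAT_OVERLOAD interface GigabitEthernet0/0 overload
!
! Crypto ACL for the Site B tunnel must match the post-NAT source, i.e. the
! inside-global address, not the server's real address.
ip access-list extended Crypto_Map_ToSiteB
 permit ip host 10.131.50.88 host 10.141.60.98
```

After applying it, the expectation from the thread is that a translation for 192.168.107.15 to 10.141.60.98 appears with inside global 10.131.50.88 rather than the overload address, and the crypto ACL then matches the translated packets so the tunnel can negotiate.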
