IOS doesn't allow you to configure route-map if you don't specify an IP address in a NAT rule...
I tried this configuration in a lab environment, maybe can help you:
### INSIDE INTERFACE ### interface FastEthernet0/0 ip address 10.1.1.1 255.255.255.0 secondary //this IP emulates the static nat host ip address 10.1.1.254 255.255.255.0 ip nat inside ### OUTSIDE INTERFACE - static host nat performed on this interface ### interface FastEthernet0/1 ip address 188.8.131.52 255.255.255.252 ip nat outside
### Loopback0 interface - global NAT performed on this interface ###
interface Loopback0 ip address 184.108.40.206 255.255.255.255
### GLOBAL NAT ACL ### ip access-list extended nat deny ip host 10.1.1.1 any permit ip 10.1.1.0 0.0.0.255 any ### Global NAT ### ip nat inside source list nat interface Loopback0 overload R1#ping 10.0.0.1 source 10.1.1.254 [...] R1#sh ip nat translation Pro Inside global Inside local Outside local Outside global icmp 220.127.116.11:15 10.1.1.254:15 10.0.0.1:15 10.0.0.1:15
### ACL to NAT SINGLE HOST ### ip access-list extended NAT-HOST deny ip host 10.1.1.1 10.0.0.0 0.255.255.255 //10.0.0.0/8 -> vpn remote net permit ip host 10.1.1.1 any ### Single host NAT ### ip nat inside source list NAT-HOST interface FastEthernet0/1 overload R1#ping 10.0.0.1 source 10.1.1.1 [...] R1#sh ip nat tr R1# R1#ping 18.104.22.168 source 10.1.1.1 [...] R1#sh ip nat tr Pro Inside global Inside local Outside local Outside global icmp 22.214.171.124:17 10.1.1.1:17 126.96.36.199:17 188.8.131.52:17
I hope this configuration con be helpful.
... View more
The need was to reach an host inside a LAN through a VPN connection managed by the LAN gateway (Cisco 1921).
The LAN gateway performs NAT and there was a dedicate nat rule for the host i wanted to reach through VPN.
I couldn't connect to the host.
Same result trying to connect to ports involved in port forwarding.
Everything excluded by static NAT or port-forwarding was reachable instead.
I noticed that the router performed nat on return traffic when I tried to reach hosts involved in static nat through vpn.
This was because i specified a no-nat rule, but it was applied only to the global nat rule, while static nat and port-forwarding had their own rules fixed static in nat table.
This is the configuration I used to fix this situation:
STATIC NAT IP <-> IP ! ip access-list extended NAT deny ip [local-network] [local-wildcard] [vpn-network] [vpn-wildcard] permit ip [local-network] [local-wildcard] any ! route-map NAT permit 10 match ip address NAT ! ip nat inside source static [local-ip] [global-ip] route-map NAT
PORT-FORWARDING IP:PORT <-> IP:PORT ! ip access-list extended nonat-vpn deny tcp host [host-ip] eq [port] [vpn-network] [vpn-wildcard] permit tcp host [host-ip] eq [port] any ! route-map nonat-vpn permit 10 match ip address nonat-vpn ! ip nat inside source static tcp [local-ip] [local-port] [global-ip] [global-port] route-map nonat-vpn extendable
... View more
Hi Did you configure subinterfaces on router's g0/1? You need a subinterface for each vlan you configured. You have also to configure the ip helper-address on the router's subinterfaces, not on the switch ports. Jacopo
... View more
Packet loss with local-proxy-arp enabled Hi all I want to expose you an issue i found using local-proxy-arp in a vpn remote access. The difference between local proxy-arp and local-proxy-arp is that using normal proxy arp the router sets his mac-address to a REMOTE network IP address, while in local-proxy-arp the router sets its own mac-address to an IP address in his same subnet. In my case i configured a router cisco 1720 as remote-access-vpn-server in the subnet 192.168.0.0/24, where the default gateway of this network is the 192.168.0.254. The ra pool couldn't be out of the 192.168.0.0/24 subnet, because clients had configured IP .254 as default gateway and the installation of the vpn-server had to be transparent to normal operations. If I had configured an external pool, the vpn wouldn't work, because clients would send the traffic to the default gateway and in turn would drop the traffic because he hadn't any route to vpn pool. Diagnosis Setting a local remote access pool, clients mad arp requests to find IP addresses in the local network but nobody replied them because the vpn-server didn't know the real mac address of the pool's IP. On cisco routers proxy arp is enabled by default, but 'local-proxy-arp' isn't. When i enabled local-proxy-arp in interface config mode, clients in local network begun to reply to my pc connected through vpn. However i noticed that 50% of icmp packets i sent was not received, precisely a packet was delivered and a packet not, alternately. This was because the vpn-server didn't know the real mac-addresses of vpn clients, so creates arp request to every packet itself. Solution Solution has been to set static mac-addresses in the arp table of the cisco 1720 vpn-server so that he didn't need to produce arp requests to vpn clients connected and there is no more packet loss. This is the command to set static arp entries: arp [ip address] [mac-address] ARPA I disabled even 'ip redirects' on the interface. Hope this topic can be useful. Regards, Jacopo
... View more