help with nat rule

huwyhuwy123
Level 1

hi there,

I'm trying to create a second VPN connection on our company's Cisco PIX. It almost works, but I am having problems getting the NAT rules to work for both VPNs.

The config is attached but the key areas are below.

access-list LeasedLine_20_cryptomap extended permit ip 192.168.60.0 255.255.255.0 London 255.255.255.0

access-list LeasedLine_40_cryptomap extended permit ip object-group LAN_subnet object-group InsightLAN

nat (inside) 0 access-list LeasedLine_20_cryptomap

nat (inside) 101 192.168.60.0 255.255.255.0

nat (DMZ) 101 172.30.60.0 255.255.255.0

nat (GM3) 101 192.168.70.0 255.255.255.0

crypto map LeasedLine_map 20 match address LeasedLine_20_cryptomap

crypto map LeasedLine_map 20 set peer 161.xxx.106.34

crypto map LeasedLine_map 20 set transform-set ESP-3DES-MD5

crypto map LeasedLine_map 40 match address LeasedLine_40_cryptomap

crypto map LeasedLine_map 40 set peer 213.xxx172.253

crypto map LeasedLine_map 40 set transform-set ESP-AES-128-SHA

The problem I have is with the nat (inside) 0 command. If I add the command

nat (inside) 0 access-list LeasedLine_40_cryptomap, the 2nd VPN (Insight) works, but the first one stops working.

Can anyone help me to get this working?

Cheers,

Al

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

You can't have multiple configurations which have "nat (inside) 0 access-list".

Instead, you use a single ACL to define the traffic you don't want to NAT, or for which you want to do NAT0.

So you can do this, for example:

access-list INSIDE-NAT0 extended permit ip 192.168.60.0 255.255.255.0 London 255.255.255.0

access-list INSIDE-NAT0 extended permit ip object-group LAN_subnet object-group InsightLAN

nat (inside) 0 access-list INSIDE-NAT0

And both connections should work just fine.

If you ever happened to configure a third VPN connection for example you would simply add another line to the same ACL.

Hope this helps

Please remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni
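A small check for exactly this pitfall, added here as an example and not part of Jouni's answer or of any Cisco tool: it scans a PIX/ASA-style config for interfaces that carry more than one "nat (iface) 0 access-list" line (where the later line displaces the earlier one, the symptom in the question) and emits the merged single-ACL form from the answer. The sample config is constructed from the lines in the question; the function and ACL names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the poster's config with the second nat 0 line added,
# i.e. the exact state that made the first VPN stop working.
SAMPLE_CONFIG = """\
access-list LeasedLine_20_cryptomap extended permit ip 192.168.60.0 255.255.255.0 London 255.255.255.0
access-list LeasedLine_40_cryptomap extended permit ip object-group LAN_subnet object-group InsightLAN
nat (inside) 0 access-list LeasedLine_20_cryptomap
nat (inside) 0 access-list LeasedLine_40_cryptomap
nat (inside) 101 192.168.60.0 255.255.255.0
nat (DMZ) 101 172.30.60.0 255.255.255.0
"""

NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(.*)$")


def find_nat0_conflicts(config):
    """Return {interface: [acl, ...]} for every interface with more than one nat 0 ACL."""
    per_iface = defaultdict(list)
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            per_iface[m.group(1)].append(m.group(2))
    return {iface: acls for iface, acls in per_iface.items() if len(acls) > 1}


def merged_nat0_config(config, iface, merged_name):
    """Build the fix: one ACL holding every ACE of the conflicting ACLs, then a single nat 0 line."""
    acls = find_nat0_conflicts(config).get(iface, [])
    aces = defaultdict(list)
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) in acls:
            aces[m.group(1)].append(m.group(2))  # keep each ACE's original order
    out = []
    for acl in acls:
        out.extend(f"access-list {merged_name} {ace}" for ace in aces[acl])
    out.append(f"nat ({iface}) 0 access-list {merged_name}")
    return out


if __name__ == "__main__":
    for iface, acls in find_nat0_conflicts(SAMPLE_CONFIG).items():
        print(f"{iface}: {len(acls)} nat 0 ACLs; the later one ({acls[-1]}) displaces the rest")
    print("\n".join(merged_nat0_config(SAMPLE_CONFIG, "inside", "INSIDE-NAT0")))
```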


That's awesome. Thanks a lot.