How to disable dynamic NAT?

o.litschka
Level 1

Hi NetPros,

I've got an 836 which connects via Easy VPN to a VPN Concentrator 3005. At first I configured the router to tunnel everything, but after encountering several difficulties I decided to do split tunneling.

The problem is:

After activating split tunneling, the router does NAT automatically (not configured) for the destinations which are not to be reached through the tunnel.

Is there any possibility to deactivate this dynamic NAT?

Cheers

Olaf

3 Replies

ovt
Level 4

I have the same problem. It seems there is no elegant way to do this. As a workaround:

    interface Loopback10
     ip address 10.1.1.1 255.255.255.255
    !
    interface FastEthernet0/0
     ip address 192.168.1.5 255.255.255.0
     ip policy route-map police
     crypto ipsec client ezvpn client1 inside
    !
    interface FastEthernet0/1
     ip address 172.16.1.5 255.255.255.0
     crypto ipsec client ezvpn client1
    !
    access-list 123 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 123 permit ip 192.168.1.0 0.0.0.255 any
    !
    route-map police permit 10
     match ip address 123
     set interface Loopback10

I.e., policy-route Internet traffic to Loopback10, which will not have "ip nat inside" defined by EzVPN.

Or, better call Cisco to enhance their EzVPN client.

HTH,

Oleg Tipisov,

REDCENTER,

Moscow

...I've got another workaround as well: ;-)

    ip access-list extended vpn-in
     permit esp any any
     permit udp any any eq isakmp
     permit ahp any any
     permit ip 10.0.0.0 0.255.255.255 any
     permit icmp 10.0.0.0 0.255.255.255 any
    !
    ip access-list extended vpn-out
     permit ip any 10.0.0.0 0.255.255.255
     permit icmp any 10.0.0.0 0.255.255.255
    !
    interface dialer 1
     ip access-group vpn-in in
     ip access-group vpn-out out

Wow! This workaround definitely works too ;) !
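
Added example, not part of the original thread or any poster's code: a small Python model of how access-list 123 and route-map "police" from the first workaround classify packets, showing the wildcard-mask matching and first-match order that decide which traffic is policy-routed to Loopback10. The sample packets are constructed, and treating 192.168.10.0/24 as the network behind the tunnel is an assumption read from the deny entry.

```python
import ipaddress

# access-list 123 from the first workaround:
# (action, source, source wildcard, destination, destination wildcard)
ACL_123 = [
    ("deny",   "192.168.1.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", "any", None),
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are 'don't care' bits."""
    if base == "any":
        return True
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def acl_action(acl, src, dst):
    """The first matching entry wins; every IOS ACL ends in an implicit deny."""
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"

def forwarding_path(src, dst):
    """route-map police permit 10: an ACL 'permit' applies the set clause,
    an ACL 'deny' leaves the packet to normal destination-based routing."""
    if acl_action(ACL_123, src, dst) == "permit":
        return "policy-routed: set interface Loopback10"
    return "normal routing"

# Constructed sample packets (source, destination), for illustration only.
SAMPLES = [
    ("192.168.1.20", "192.168.10.7"),   # LAN host to the assumed tunnel network
    ("192.168.1.20", "198.51.100.9"),   # LAN host to an Internet address
    ("192.168.2.20", "198.51.100.9"),   # source outside the LAN: implicit deny
]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        print(f"{src} -> {dst}: {forwarding_path(src, dst)}")
```

The order of the two ACL entries matters: with the permit entry first, traffic for 192.168.10.0/24 would also match and be sent to Loopback10 instead of following the normal route.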