11-18-2006 09:32 PM - edited 02-21-2020 02:43 PM
I have seen 3-4 posts with the same problem. No one, not even Cisco, knows the fix.
Using a Cisco VPN client to a Cisco router. I have put in no NAT so I can ping the internal machines via IP and DNS name. The client has NAT Transparency but that doesn't matter. I have seen this setup working with NetScreens, which support NAT traversal.
Relevant config
ip nat inside source static tcp 192.168.94.3 3389 interface Dialer2 3389
ip nat inside source route-map nonat interface Dialer2 overload
access-list 101 remark *** Deny Nat for VPN traffic and Allow normal traffic***
access-list 101 deny ip 192.168.94.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 101 permit ip 192.168.94.0 0.0.0.255 any
Removing the static NAT resolves the problem, but I need the NAT statement in there.
thanks
11-19-2006 10:51 AM
Hi,
I solved a similar problem with a site-to-site VPN and NAT. Ex: NAT for TCP 3389 from outside works, but over the VPN it doesn't. Remove the NAT, and it works over the VPN.
The workaround (from Cisco TAC):
! Policy route-map: match the static-NAT host talking to the VPN network
! (route-map names are case-sensitive in IOS, so use the same name everywhere)
route-map STATIC permit 10
 match ip address 160
 set interface Loopback10
!
interface Loopback10
 ip address 1.1.1.1 255.255.255.255
!
access-list 160 permit ip host 192.168.94.3 172.16.0.0 0.0.255.255
!
interface Ethernet0   (your inside interface!)
 ip policy route-map STATIC
Maybe helps..
Regards,
Thomas
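As an added example (not configuration posted by anyone in this thread), here is the TAC workaround from the reply above merged with the original poster's NAT statements into one consistent fragment. The inside interface name FastEthernet0 and its 192.168.94.1 address are assumptions; the 192.168.94.3 host, the 172.16.0.0/16 VPN network, ACLs 101 and 160, Loopback10 and Dialer2 are the values used in the thread.

```cisco
! Inside LAN interface (name and address are assumptions for this example).
! NAT inside plus the policy route-map that diverts VPN-bound traffic.
interface FastEthernet0
 ip address 192.168.94.1 255.255.255.0
 ip nat inside
 ip policy route-map VPN-BYPASS-NAT
!
! Outside (Internet) interface from the original post.
interface Dialer2
 ip nat outside
!
! Loopback used only as a policy-routing target. Deliberately NOT marked
! "ip nat inside" or "ip nat outside": traffic re-routed through it is
! not matched against the inside-source translations. The address is
! arbitrary; it must not overlap the LAN or the VPN network.
interface Loopback10
 ip address 1.1.1.1 255.255.255.255
!
! Static port forward for RDP and dynamic PAT for everything else
! (both from the original post).
ip nat inside source static tcp 192.168.94.3 3389 interface Dialer2 3389
ip nat inside source route-map nonat interface Dialer2 overload
!
! ACL 101: exempt LAN -> VPN traffic from the dynamic PAT.
access-list 101 remark *** Deny NAT for VPN traffic and allow normal traffic ***
access-list 101 deny   ip 192.168.94.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 101 permit ip 192.168.94.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 101
!
! ACL 160: only the statically translated host talking to the VPN network.
! Everything else on the LAN is routed normally.
access-list 160 permit ip host 192.168.94.3 172.16.0.0 0.0.255.255
!
! Policy-route that traffic to the loopback so the static translation
! is never applied to it (the dynamic PAT is already exempted by ACL 101).
route-map VPN-BYPASS-NAT permit 10
 match ip address 160
 set interface Loopback10
```

To confirm it is doing what you expect: `show route-map VPN-BYPASS-NAT` shows the policy-match counters increasing while the VPN client talks to 192.168.94.3, `show ip nat translations | include 192.168.94.3` should show no entry for the VPN-side conversation (only the port-3389 static for Internet-side connections), and `debug ip policy` prints a line per policy-routed packet if you need to trace it. Two easy mistakes: route-map names are case-sensitive, so `ip policy route-map static` will not attach `route-map STATIC`; and if the loopback is ever marked `ip nat inside` the workaround silently stops working.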
11-25-2006 05:57 AM
Hey Thomas.
Just wanted to say that resolved my problem.
thanks for posting.
01-02-2007 11:26 AM
Is there a more complete write or documentation on this?
I tried fitting this to our situation but traffic still does not pass.
We are trying to pass traffic for a host that has a public static NAT through a LAN-to-LAN VPN.
01-02-2007 01:53 PM
Try this link:
http://www.cisco.com/warp/public/707/static.html
I had statics that were using the dialer interface, so I didn't need to use the above.