1472 Views, 0 Helpful, 7 Replies

Policy Nat on cisco router

teymur azimov
Level 1

Hi Dears.

I configured a site-to-site VPN on the router. The peer wants the interesting traffic from our side's user subnet to be 10.193.115.11, but our local subnet is 10.103.70.0/24. Our local subnet also has access to the internet.

local subnet: 10.10.3.70.0/24

peer local subnet: 10.193.128.11/23

I think that I must do policy NAT.

1. ip access-list extended vpn-traffic
   permit ip 10.193.115.0 0.0.0.255 10.193.128.0 0.0.1.255

2. ip access-list extended nat-ipsec
   permit ip 10.103.70.0 0.0.0.255 10.193.128.0 0.0.1.255

3. ip nat pool mswpool 10.193.115.1 10.193.115.14 netmask 255.255.255.240
   ip nat inside source list nat-ipsec pool mswpool


And I also have PAT NAT for local users.

access-list 100 permit ip 10.103.70.0 0.0.0.255 any

ip nat inside source list 100 interface GigabitEthernet0/0 overload

Is this configuration right?

Please write your comment.

Thanks.

7 Replies

olpeleri
Cisco Employee

Crypto ACL should match the addresses after NAT [not before NAT].

Hi. Thank you for replying to me. I am confused by that; if possible, can you show me?

My bad...

It looks OK, in fact:

permit ip 10.193.115.0 0.0.0.255  10.193.128.0 0.0.1.255

I am confused by something in my configuration.

Local users (10.103.70.0) go to the internet with PAT NAT. That is OK for me.

access-list 100 permit ip 10.103.70.0 0.0.0.255 any

ip nat inside source list 100 interface GigabitEthernet0/0 overload

The second part is local users doing a second NAT, which is policy NAT.

permit ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255

ip nat pool mswpool 10.193.115.1 10.193.115.14  netmask 255.255.255.240

  ip nat inside source list nat-ipsec pool mswpool

I wanted to say that, as you can see in the configuration, the same subnet is NATed twice.

How does it work?

Or, as you say, the VPN traffic is OK, but what about internet access for local users? Is the PAT NAT configuration enough, or is it the correct config?

You should avoid any ambiguity by having

access-list 100 deny ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255

access-list 100 permit ip 10.103.70.0 0.0.0.255 any

OK. Thanks.

At last, our configuration is this:

access-list 100 deny ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255

access-list 100 permit ip 10.103.70.0 0.0.0.255 any

ip nat inside source list 100 interface GigabitEthernet0/0 overload

For VPN traffic:

ip nat pool mswpool 10.193.115.1 10.193.115.14  netmask 255.255.255.240

  ip nat inside source list nat-ipsec pool mswpool

ip access-list extended vpn-traffic 

permit ip 10.193.115.0 0.0.0.255  10.193.128.0 0.0.1.255

ip access-list extended nat-ipsec

permit ip 10.103.70.0  0.0.0.255  10.193.128.0 0.0.1.255

You said that this configuration will help me with my aim.

Thanks again.
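To see concretely why the deny line removes the overlap between the two NAT statements, and to confirm that the crypto ACL matches the translated pool addresses rather than the original 10.103.70.0/24 ones, here is a small Python model of first-match ACL evaluation with Cisco wildcard masks. It is an added example, not part of the thread and not IOS code. The ACLs are copied from the final configuration above; the hosts 10.103.70.25 and 198.51.100.7 are constructed sample addresses. The model only reports which `ip nat inside source list` statements match a flow; it does not reproduce how IOS itself orders overlapping NAT statements, which is exactly the ambiguity the deny line avoids.

```python
"""Offline check of the NAT / crypto ACL interplay discussed in the thread.

Constructed model of Cisco-style first-match ACL evaluation with wildcard
masks. It is not IOS code; the addresses come from the thread's configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # source network (dotted quad)
    src_wc: str   # source wildcard mask (0 bits must match, 1 bits are don't-care)
    dst: str      # destination network
    dst_wc: str   # destination wildcard mask


def _wc_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: only the bits that are 0 in the mask are compared."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for ace in acl:
        if _wc_match(src, ace.src, ace.src_wc) and _wc_match(dst, ace.dst, ace.dst_wc):
            return ace.action == "permit"
    return False


# ACLs from the thread. "any" is modelled as network 0.0.0.0 with wildcard 255.255.255.255.
ACL_100_ORIGINAL = [
    Ace("permit", "10.103.70.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]
ACL_100_FINAL = [  # the version with the deny line suggested in the thread
    Ace("deny",   "10.103.70.0", "0.0.0.255", "10.193.128.0", "0.0.1.255"),
    Ace("permit", "10.103.70.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]
ACL_NAT_IPSEC = [
    Ace("permit", "10.103.70.0", "0.0.0.255", "10.193.128.0", "0.0.1.255"),
]
ACL_VPN_TRAFFIC = [  # crypto ACL: describes traffic as it looks after translation
    Ace("permit", "10.193.115.0", "0.0.0.255", "10.193.128.0", "0.0.1.255"),
]

NatRule = Tuple[str, List[Ace]]  # (label of the "ip nat inside source list" line, its ACL)

ORIGINAL_RULES: List[NatRule] = [("list 100 -> Gi0/0 overload", ACL_100_ORIGINAL),
                                 ("list nat-ipsec -> pool mswpool", ACL_NAT_IPSEC)]
FINAL_RULES: List[NatRule] = [("list 100 -> Gi0/0 overload", ACL_100_FINAL),
                              ("list nat-ipsec -> pool mswpool", ACL_NAT_IPSEC)]


def matching_nat_rules(rules: List[NatRule], src: str, dst: str) -> List[str]:
    """Labels of every NAT statement whose ACL permits the flow.
    More than one label means the two translations overlap for that flow."""
    return [label for label, acl in rules if acl_permits(acl, src, dst)]


def crypto_acl_covers_pool(pool_first: str, pool_last: str, peer_host: str) -> bool:
    """Does the crypto ACL match every address the NAT pool can hand out?
    This is the point made earlier in the thread: the crypto ACL has to match
    post-NAT source addresses, not the original inside subnet."""
    first = int(ipaddress.IPv4Address(pool_first))
    last = int(ipaddress.IPv4Address(pool_last))
    return all(acl_permits(ACL_VPN_TRAFFIC, str(ipaddress.IPv4Address(i)), peer_host)
               for i in range(first, last + 1))


if __name__ == "__main__":
    lan_host, peer_host, internet = "10.103.70.25", "10.193.128.11", "198.51.100.7"  # constructed
    print("original ACL 100, to peer :", matching_nat_rules(ORIGINAL_RULES, lan_host, peer_host))
    print("final ACL 100, to peer    :", matching_nat_rules(FINAL_RULES, lan_host, peer_host))
    print("final ACL 100, to internet:", matching_nat_rules(FINAL_RULES, lan_host, internet))
    print("crypto ACL covers pool    :", crypto_acl_covers_pool("10.193.115.1", "10.193.115.14", peer_host))
```

With the original `access-list 100`, a packet from 10.103.70.25 to the peer's 10.193.128.11 is permitted by both NAT lists, so the router has two candidate translations for the same flow; with the deny line in place only the `nat-ipsec` pool rule matches, while traffic to the internet still hits only the PAT rule. The last check confirms that every address in `mswpool` falls inside the crypto ACL, whereas the untranslated 10.103.70.0/24 addresses would not. The model does not account for pool exhaustion: `mswpool` is not an overload pool, so it can hold at most 14 simultaneous inside hosts.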