04-12-2010 02:45 AM
Hi all,
Below is my site-to-site VPN configuration on a Cisco 1811. It seems that NAT exemption is not configured, but my VPN still works. Can you advise how I can configure NAT exemption? Thanks in advance.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxx address 11.x.x.x
crypto isakmp key xxxxxx address 11.x.x.x
crypto isakmp keepalive 10 3
!
!
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map test 50 ipsec-isakmp
set peer 11.x.x.x
set security-association lifetime seconds 28800
set transform-set test
set pfs group2
match address testing
!
!
!
!
interface FastEthernet0
description :: connection to Public Internet
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map hp
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description :: Local LAN subnet
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet0 overload
!
ip access-list extended testing
permit ip x.x.x.0 0.0.0.255 x.0.0.0 0.255.255.255
permit ip x.x.x.0 0.0.0.255 x.0.0.0 0.255.255.255
!
logging trap debugging
access-list 10 permit x.x.x.x
access-list 101 permit ip x.x.x.0 0.0.0.255 x.x.x.x 0.0.0.3
04-12-2010 02:49 AM
You would need to configure a deny statement between the site-to-site VPN LANs on ACL 101 for NAT exemption:
ip access-list extended 101
1 deny ip x.x.x.0 0.0.0.255 x.0.0.0 0.255.255.255
04-12-2010 07:44 PM
Hi halijenn,
Is there any command for NAT exemption on the Cisco 1800 series?
On the ASA we can use "nat 0".
Thanks in advance.
04-12-2010 07:51 PM
Yes, it would be the "deny" statement advised earlier. Just have to make sure that the "deny" access-list entry comes before the "permit" access-list entry for your NAT statement.
04-20-2010 12:25 AM
Hi Halijenn,
My apologies for the late reply, as I was away for reservist duty and had no access to the internet. Could you explain why the deny statement would enable NAT exemption? Thanks in advance.
04-20-2010 01:32 AM
The "deny" statement will tell the router to bypass the VPN traffic (source subnet and destination subnet) from being NATed.
Here is the sample configuration on the router for your reference:
(NB: check out access-list 130 from the above sample config).
Hope that helps.
04-20-2010 02:33 AM
Hi Halijenn,
Thank you very much. Can I confirm whether my understanding below is correct?
Hence what the below configuration does is that it only does NAT when 10.2.2.0/24 tries to access anywhere other than 10.1.1.0/24.
Hence when 10.2.2.0/24 tries to access 10.1.1.0/24, NAT is exempted.
ip nat inside source route-map nonat pool branch overload
access-list 130 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 10.2.2.0 0.0.0.255 any
route-map nonat permit 10
match ip address 130
Hence instead of using a route-map, I can use an access-list as shown below, right?
"ip nat inside source list 130 interface ethernet0 overload"
04-20-2010 03:23 AM
You are absolutely correct on your understanding.
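As an added illustration (not part of the thread and not Cisco's own code), the following Python model reproduces the IOS behaviour the answer relies on: a NAT access-list is evaluated first-match with wildcard masks and an implicit deny at the end, a "permit" means the packet is translated, and for inside-to-outside traffic the translation is applied before the crypto map's ACL is consulted. It runs the ACL from the confirmed post (access-list 130) in both orders, and also the original poster's style of NAT ACL with a single /30 destination, using constructed stand-in addresses (192.0.2.0/24 for the LAN, 198.51.100.4/30 for the destination, 203.0.113.1 as the outside interface) since the thread redacts them.

```python
import ipaddress
from typing import List, Tuple

# Added example, not from the thread or from Cisco. Models IOS ACL evaluation
# (first match wins, implicit deny) with wildcard masks, to show why the
# NAT-exemption "deny" entry must precede the "permit" entry.

ACE = Tuple[str, str, str, str, str]  # (action, src, src_wild, dst, dst_wild)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a wildcard bit set to 1 means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


def parse_ace(line: str) -> ACE:
    """Parse 'permit|deny ip <src> <wild>|any|host X <dst> <wild>|any|host Y'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line}")

    def take(parts):
        if parts[0] == "any":
            return "0.0.0.0", "255.255.255.255", parts[1:]
        if parts[0] == "host":
            return parts[1], "0.0.0.0", parts[2:]
        return parts[0], parts[1], parts[2:]

    src, sw, rest = take(rest)
    dst, dw, rest = take(rest)
    return (action, src, sw, dst, dw)


def acl_lookup(acl: List[str], src: str, dst: str) -> str:
    """Return the action of the first matching entry; implicit deny if none match."""
    for line in acl:
        action, s, sw, d, dw = parse_ace(line)
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def is_translated(nat_acl: List[str], src: str, dst: str) -> bool:
    """For 'ip nat inside source list', permit = translate, deny = leave untouched."""
    return acl_lookup(nat_acl, src, dst) == "permit"


def evaluate_flow(nat_acl: List[str], crypto_acl: List[str],
                  src: str, dst: str, outside_ip: str) -> dict:
    """Inside-to-outside on IOS: NAT is applied before the crypto map ACL is checked,
    so a translated packet is matched against the crypto ACL with its new source."""
    post_nat_src = outside_ip if is_translated(nat_acl, src, dst) else src
    encrypted = acl_lookup(crypto_acl, post_nat_src, dst) == "permit"
    return {"nat_source": post_nat_src, "encrypted": encrypted}


# Access-list 130 as confirmed in the thread (deny first, then permit any).
CORRECT_ORDER = [
    "deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255",
    "permit ip 10.2.2.0 0.0.0.255 any",
]
# Same two entries with the order reversed: the permit shadows the deny.
WRONG_ORDER = list(reversed(CORRECT_ORDER))
# Crypto map ACL selecting LAN-to-remote-LAN traffic for the tunnel.
CRYPTO_ACL = ["permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"]
# Constructed stand-in for the original poster's ACL 101: NAT only toward one /30.
OP_STYLE_NAT_ACL = ["permit ip 192.0.2.0 0.0.0.255 198.51.100.4 0.0.0.3"]

if __name__ == "__main__":
    for name, acl in (("deny before permit", CORRECT_ORDER), ("permit before deny", WRONG_ORDER)):
        print(name, evaluate_flow(acl, CRYPTO_ACL, "10.2.2.10", "10.1.1.20", "203.0.113.1"))
    print("internet-bound", is_translated(CORRECT_ORDER, "10.2.2.10", "8.8.8.8"))
    print("op-style, LAN to remote LAN", is_translated(OP_STYLE_NAT_ACL, "192.0.2.10", "10.1.1.20"))
```

With the deny first, traffic from 10.2.2.0/24 to 10.1.1.0/24 falls through NAT untouched and still matches the crypto ACL; with the permit first, the same packet is translated to the outside address and no longer matches the crypto ACL, so it would leave in the clear instead of through the tunnel. The last line shows why the original poster's VPN worked without an explicit deny: an ACL that permits NAT only toward a single /30 destination never matches LAN-to-remote-LAN traffic, so the implicit deny already exempts it. This is an observation about the posted ACL 101, not something the thread states.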
04-20-2010 03:35 AM
Hi Halijenn,
Now I understand. Thank you!!