Unable to access internet after applying NAT in site to site VPN

rituporna111 (Level 1)

Hi Team,

In my current configuration the VPN is working fine.

The NAT I had applied is:

ip nat inside source static 10.10.10.9 20.20.20.1 extendable

The other side network of the VPN is, for example, 30.30.30.0.

The site-to-site VPN is working fine now, and from the server 10.10.10.9 in my network the other end's VPN server 30.30.30.5 is reachable.

But the requirement now is that we need internet access on the server 10.10.10.9 as well as VPN reachability to the 30.30.30.0 network.

Then I applied the following NAT:

ip nat inside source static tcp 10.10.10.9 443 20.20.20.1 443

ip nat inside source static tcp 10.10.10.9 80 20.20.20.1 80

After this configuration, internet is available on the 10.10.10.9 server, but we can't reach the other end server, 30.30.30.5, which was reachable previously.

Kindly let me know what configuration needs to be done.

Thanks and Regards,

Rituporna Sarma

5 Replies

salman abid (Level 1)

You need to configure NAT zero / NAT exempt, in which you mention the VPN interesting traffic; then your VPN traffic will not be NATed and will pass through the tunnel.

On ASA you can easily configure NAT 0, but since you are doing it on a router, you configure an ACL like below:

ip access-list extended NAT_ACL

 deny ip host 10.10.10.9 30.30.30.0 0.0.0.255

 permit tcp host 10.10.10.9 any eq 80

 permit tcp host 10.10.10.9 any eq 443

Then configure NAT:

ip nat inside source list NAT_ACL interface/pool

Let me know whether this is helpful for you or not.

Hi Salman,

Thanks for your support.

After applying this access list and NAT, internet was available on the 10.10.10.9 server, but it can't reach the 30.30.30.5 server.

Hi Salman,

I need to clarify one more thing: the other end, that is the 30.30.30.0 network, is connected through the site-to-site VPN.

Configure the mirror image of the same ACL on the other side.

***please rate the answer correct***

Hi Salman,

Let me clarify the scenario here and the issue we are facing:

Our internal server IP is 10.10.10.9, and we have site-to-site VPN connectivity to the other site over an IPsec tunnel.

As our internal IP mentioned above (10.10.10.9) clashes with the other end's network, they have suggested that we NAT it on our inside to an IP from their range, i.e. 172.29.240.2.

For accessibility of the server from the other network via the S2S VPN, we have done the NATing as follows:

ip nat inside source static 10.10.10.9 172.29.240.2 extendable

Now via the VPN connectivity the other end is able to reach our internal server, and we are also able to reach the other end's server.

Now there is a requirement for internet on our internal server 10.10.10.9, which we have tried, but internet is not working.

Internet works on that particular server (10.10.10.9) only when we disable "ip nat inside source static 10.10.10.9 172.29.240.2 extendable".

If internet is working, the server is not reachable via VPN, and vice versa.

Hence we need to know the procedure/configuration so that internet works and the internal server is also reachable from the other end via the S2S VPN.

Please respond.
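Putting Salman's NAT-exempt ACL idea together with the final scenario (keep the 172.29.240.2 translation for VPN traffic, but still give 10.10.10.9 internet access), here is an added example IOS configuration that is not from any poster in this thread; it assumes the plain static-with-route-map syntax, and GigabitEthernet0/0 is an assumed outside interface name.

```cisco
! Interesting traffic toward the remote VPN site (destination 30.30.30.0/24)
ip access-list extended VPN_TRAFFIC
 permit ip host 10.10.10.9 30.30.30.0 0.0.0.255
!
! Policy NAT: translate 10.10.10.9 -> 172.29.240.2 only when the packet
! matches VPN_TRAFFIC, so the static entry no longer captures internet traffic
route-map VPN_NAT permit 10
 match ip address VPN_TRAFFIC
!
ip nat inside source static 10.10.10.9 172.29.240.2 route-map VPN_NAT
!
! Internet access: PAT to the outside interface address, with VPN-bound
! traffic explicitly denied (the NAT-exempt idea from the thread)
ip access-list extended INTERNET_NAT
 deny   ip host 10.10.10.9 30.30.30.0 0.0.0.255
 permit ip host 10.10.10.9 any
!
! GigabitEthernet0/0 is an assumed outside interface name
ip nat inside source list INTERNET_NAT interface GigabitEthernet0/0 overload
!
! The crypto ACL must match the post-NAT address, because on IOS inside-to-
! outside NAT runs before encryption; the remote peer's mirror ACL therefore
! references 172.29.240.2, not 10.10.10.9
ip access-list extended CRYPTO_ACL
 permit ip host 172.29.240.2 30.30.30.0 0.0.0.255
```

Verify with "show ip nat translations" and "show crypto ipsec sa" that traffic to 30.30.30.5 is translated to 172.29.240.2 and counted on the tunnel while web traffic is counted under the interface PAT. Whether a route-map-qualified static entry also accepts sessions initiated from the remote side toward 172.29.240.2 varies by IOS release, so test that direction on the actual platform rather than assuming it.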