I am trying to set up a VPN between an ASA and a Cisco 877 router (in the past I have set up ASA to ASA and PIX to PIX, but not ASA to router).
I am confused with the nonat concept in Cisco routers (for VPN). I mean, why do you need a route-map and deny the traffic? Could you throw some light on this?
Same as on ASA/PIX: NAT is performed before encryption and after decryption.
How you define which traffic does not hit NAT (or does hit it) is up to you: routing (VTI/GRE interface), access-list or route-map.
There is no concept of "no nat" on IOS routers.
ip nat inside source route-map nonat interface FastEthernet0 overload
access-list 110 deny ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 10.20.10.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
or better (if you have for example the public IP 220.127.116.11):
ip nat pool 18.104.22.168 22.214.171.124 126.96.36.199 prefix-length 30
ip nat inside source list nat-to-internet pool 188.8.131.52 overload
ip access-list extended nat-to-internet
 deny ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.20.10.0 0.0.0.255 any
 deny ip any any
All inside hosts in 10.20.10.0/24
will NOT be NATed when they reach
and will be NATed with
when they reach all other IPs.
Note: on the link
I presume there's a mistake: the interface commands "ip nat inside" / "ip nat outside" are missing.
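To make the "deny means no NAT" point concrete, here is an added example (my own Python, not from this thread or from Cisco) that models how IOS evaluates the NAT ACL above: first match wins, the implicit deny at the end catches everything else, and a flow is translated only when its first matching entry is a permit. The ACL text is copied from the thread (10.20.10.0/24 as the router LAN, 10.10.10.0/24 as the ASA-side LAN); the flow addresses, the wrong-order ACL and all function names are constructed for illustration and are not IOS commands.

```python
import ipaddress

# Added example, not from the thread: a small model of how an IOS NAT ACL
# decides which flows get translated. NAT runs before encryption, so any flow
# the ACL permits would reach the crypto map already translated, which is why
# VPN traffic must be denied here. Helper names are mine, not IOS commands.

NAT_ACL = [
    "deny ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255",  # LAN -> VPN LAN: no NAT
    "permit ip 10.20.10.0 0.0.0.255 any",                   # everything else: NAT
]

# Constructed counter-example: same two entries, wrong order.
NAT_ACL_WRONG_ORDER = [NAT_ACL[1], NAT_ACL[0]]


def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or '<net> <wildcard>'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse '<permit|deny> ip <src> <dst>' into (action, src, dst)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("unsupported ACE: " + line)
    src, rest = _take_addr(tokens[2:])
    dst, rest = _take_addr(rest)
    if rest:
        raise ValueError("trailing tokens in ACE: " + line)
    return action, src, dst


def acl_action(acl_lines, src, dst):
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    for line in acl_lines:
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"


def is_translated(acl_lines, src, dst):
    """'ip nat inside source list <acl> ...' translates a flow only when the
    ACL permits it; a deny (explicit or implicit) leaves the packet untouched.
    The route-map form behaves the same way: 'match ip address 110' matches
    only flows ACL 110 permits, so denied VPN flows never enter NAT either."""
    return acl_action(acl_lines, src, dst) == "permit"


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.0/24 is documentation space.
    flows = [("10.20.10.5", "10.10.10.7"),    # LAN -> remote VPN LAN
             ("10.20.10.5", "203.0.113.9"),   # LAN -> internet
             ("192.168.1.5", "203.0.113.9")]  # not an inside source in the ACL
    for src, dst in flows:
        print(f"{src} -> {dst}: NAT={is_translated(NAT_ACL, src, dst)}  "
              f"(wrong order: NAT={is_translated(NAT_ACL_WRONG_ORDER, src, dst)})")
```

Running it shows the LAN-to-VPN flow untranslated with the ACL as written, and translated (so broken through the tunnel) when the permit line is placed first; the third flow shows that a source the ACL never permits is not NATed at all, which is the same effect the trailing "deny ip any any" makes explicit.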