VPN Drop static NAT

Tamer Salem
Level 1

Hi everyone.

I have a router 2911 configured for site-to-site VPN, and there is a web server published with static NAT.

When the static NAT is in place, the remote VPN site cannot access the web server through the VPN.

When I remove the static NAT, the remote VPN site can access the web server through the VPN.

I need to keep both (the web server published to the internet, and the remote VPN users able to access the web server through the VPN).

I'll appreciate any help!

3 Replies

rvarelac
Level 7

Hi,

Can you try to perform a NAT identity to the server?

Create an ACL with the source and destination IP you don't want to translate, deny that in the ACL, and permit any other traffic which you want to get translated.

Create your NAT using that ACL.

Ex:

access-list NAT-ACL deny ip 192.168.1.0 0.0.0.255 any
access-list NAT-ACL permit ip 192.168.2.0 0.0.0.255 any
! ACL names are case-sensitive, so the list is referenced as NAT-ACL.
! GigabitEthernet0/0 is assumed to be the outside interface (it carries the crypto map in the poster's config).
ip nat inside source list NAT-ACL interface GigabitEthernet0/0 overload

Any traffic generated from 192.168.1.0 will not get "NATted", but 192.168.2.0 does.

Regards,
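
As an added configuration example (not from the original post or from rvarelac's reply), this carries the exemption idea one step further than the thread does: the deny entry is applied to the dynamic NAT list, and the same exemption is applied to the server's static translation through a route-map, because a plain static entry in IOS translates regardless of what the dynamic list denies. Assumed values: local LAN 172.17.0.0/23 and remote site 192.168.1.0/24 (taken from the poster's lantointernet ACL), web server 172.17.0.10, public address 203.0.113.10, outside interface GigabitEthernet0/0.

```cisco
! Added example, not from the original thread. Assumed addresses:
!   local LAN 172.17.0.0/23, remote VPN site 192.168.1.0/24
!   web server 172.17.0.10, public address 203.0.113.10
!   outside interface GigabitEthernet0/0
!
! 1. Exemption for the dynamic (PAT) translation: VPN-bound traffic is
!    denied from translation, everything else from the LAN is translated.
ip access-list extended NAT-DYNAMIC
 deny   ip 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
 permit ip 172.17.0.0 0.0.1.255 any
ip nat inside source list NAT-DYNAMIC interface GigabitEthernet0/0 overload
!
! 2. The same exemption for the server's static translation. A bare
!    "ip nat inside source static" entry ignores the dynamic list, so the
!    server's replies to the remote site get the public address and no
!    longer match the crypto ACL. A route-map makes the static entry
!    conditional: translate only when the destination is not the VPN site.
ip access-list extended NAT-STATIC-SERVER
 deny   ip host 172.17.0.10 192.168.1.0 0.0.0.255
 permit ip host 172.17.0.10 any
route-map STATIC-NO-VPN permit 10
 match ip address NAT-STATIC-SERVER
! "reversible" keeps outside-initiated connections to 203.0.113.10 working
! once the static translation is qualified by a route-map.
ip nat inside source static 172.17.0.10 203.0.113.10 route-map STATIC-NO-VPN reversible
!
! 3. The crypto ACL keeps matching on the untranslated (private) addresses.
ip access-list extended vpnacl
 permit ip 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
```

To check the result, open a connection from the remote site to the server: "show ip nat translations" should show no entry for that flow, while the encrypt/decrypt counters in "show crypto ipsec sa" for the 172.17.0.0/23 to 192.168.1.0/24 pair should increase.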
Hi rvarelac, thank you for the reply.

I already did that; I put deny statements in the NAT access-list excluding the VPN traffic, but the problem is still there!

--------------------------------------------------------

! IKE phase 1 policy and pre-shared key for the remote peer
crypto isakmp policy 10
 encr aes
 authentication pre-share
crypto isakmp key 12344321 address 1.1.1.1
!
! IPsec phase 2 proposal
crypto ipsec transform-set Remote-Site esp-aes esp-sha-hmac
 mode tunnel
!
! Crypto map: interesting traffic is selected by the vpnacl access list
crypto map s2s 100 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set Remote-Site
 match address vpnacl
!
! Crypto map applied on the outside interface
interface GigabitEthernet0/0
 crypto map s2s
!
! NAT access list (output of show access-lists); entries 30-50 exclude traffic to the remote VPN site from translation
Extended IP access list lantointernet
30 deny icmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
40 deny igmp 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
50 deny ip 172.17.0.0 0.0.1.255 192.168.1.0 0.0.0.255
80 permit ip any any

nkarthikeyan
Level 7

Hi,

You can do the NAT exempt / no-NAT for the VPN pool. If you do so, outside internet-to-server access will be performed by the defined static NAT, and the no-NAT rule will handle access for the VPN users.

Regards,

Karthik
