11-09-2005 11:55 PM - last edited on 02-21-2020 02:05 PM by cc_security_adm
Hello!
I am configuring IPsec VPN and NAT on the same router. I would like traffic going to my site via the VPN not to be NATed, but traffic to the Internet should be. How should I configure my router to resolve this problem?
Thanks a lot
11-10-2005 12:46 AM
You can use a route map to bypass NAT.
For example, you have local site 10.17.234.0 and remote VPN site 10.17.192.0.
1) Create a simple route map:
route-map nonat permit 10
 match ip address 130
2) Create an extended access-list:
access-list 130 deny ip 10.17.234.0 0.0.0.255 10.17.192.0 0.0.31.255
access-list 130 permit ip 10.17.234.0 0.0.0.255 any
The first row, with the deny statement, says don't NAT traffic between the networks 10.17.234.0 and 10.17.192.0, and the second row says NAT all other traffic from 10.17.234.0.
3) Create the following NAT rule with the route map (in this case the outside interface E0 is overloaded):
ip nat inside source route-map nonat interface Ethernet0 overload
HTH
11-10-2005 04:08 AM
Below is the sample code:
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx address
crypto isakmp client configuration group vpngroup
 key xxxxxxxx
 pool vpnpool
 acl 130
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set vpnset
crypto map vpnmap client authentication list vpnauthen
crypto map vpnmap isakmp authorization list vpnauthor
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap 20 ipsec-isakmp
 set peer
 set transform-set vpnset
 match address 140
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Dialer0
 ip address
 ip nat outside
 crypto map vpnmap
ip local pool vpnpool 10.1.1.1 10.1.1.10
ip nat inside source route-map nonat interface Dialer0 overload
! 101: NAT decision list used by route-map nonat (deny = do not translate, permit = translate)
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
! 130: split-tunnel list pushed to the remote-access VPN clients
access-list 130 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
! 140: interesting traffic for the site-to-site tunnel (crypto map entry 20)
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
route-map nonat permit 10
 match ip address 101
In particular, the route-map nonat and ACL 101 address your issue. The first two entries specify no NAT for packets destined for the VPN peer site and the remote VPN client pool, and the third entry specifies the PIX to PAT the rest of the traffic.
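As an added check (this is not code from the thread or from Cisco), the following Python evaluates the route-map ACLs from both replies the way IOS does: top-down, first match wins, implicit deny at the end, with a permit meaning "translate" and a deny meaning "leave the packet alone". It also flags the common failure mode where the permit-any line is placed above the deny lines, so the tunnel traffic silently gets translated. The sample ACL text is copied from the second reply; `ACL_101_MISORDERED`, the probe addresses and the function names are constructed for this example.

```python
import ipaddress
from typing import List, Tuple

AddrSpec = Tuple[int, int]            # (network as int, care-mask as int)
AclEntry = Tuple[str, AddrSpec, AddrSpec]

# Sample input copied from the reply above.  Under
# "ip nat inside source route-map nonat ...", a permit match means
# "translate this packet" and a deny (or no match) means "send it untouched".
ACL_101 = """\
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""

# Constructed counter-example: same entries, wrong order.  IOS stops at the
# first matching entry, so the permit shadows both deny lines.
ACL_101_MISORDERED = """\
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""


def _parse_target(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    # A set wildcard bit means "don't care", so the bits we compare are its inverse.
    return (addr, ~wildcard & 0xFFFFFFFF), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse the 'access-list N {permit|deny} ip SRC DST' lines of an extended ACL."""
    entries: List[AclEntry] = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        if tokens[3] != "ip":
            raise ValueError(f"only 'ip' entries are supported: {line}")
        src, i = _parse_target(tokens, 4)
        dst, _ = _parse_target(tokens, i)
        entries.append((tokens[2], src, dst))
    return entries


def _matches(spec: AddrSpec, addr: int) -> bool:
    net, care = spec
    return (addr & care) == (net & care)


def acl_action(entries: List[AclEntry], src_ip: str, dst_ip: str) -> str:
    """First-match evaluation; an IOS ACL ends with an implicit deny."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for action, src, dst in entries:
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"


def will_be_natted(acl_text: str, src_ip: str, dst_ip: str) -> bool:
    """True if a route-map that matches this ACL would hand the packet to NAT."""
    return acl_action(parse_acl(acl_text), src_ip, dst_ip) == "permit"


def nat_leaks(acl_text: str, inside_net: str, protected_nets: List[str]) -> List[str]:
    """Return the protected (tunnel) networks whose first or last host would
    still be translated for a host on inside_net.  Empty list means the ACL is sane."""
    inside = ipaddress.IPv4Network(inside_net)
    src = str(inside.network_address + 1)
    leaks = []
    for net_s in protected_nets:
        net = ipaddress.IPv4Network(net_s)
        probes = [str(net.network_address + 1), str(net.broadcast_address - 1)]
        if any(will_be_natted(acl_text, src, p) for p in probes):
            leaks.append(net_s)
    return leaks


if __name__ == "__main__":
    for dst in ("10.1.1.5", "192.168.2.7", "203.0.113.9"):
        print(dst, "NAT" if will_be_natted(ACL_101, "192.168.1.10", dst) else "no NAT")
    print("misordered leaks:",
          nat_leaks(ACL_101_MISORDERED, "192.168.1.0/24", ["10.1.1.0/24", "192.168.2.0/24"]))
```

Running it with the posted ACL 101 reports "no NAT" for the client pool and the peer site and "NAT" for an Internet address, while the mis-ordered copy reports both tunnel networks as leaking; the same evaluator handles the 0.0.31.255 wildcard of the first reply's ACL 130.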
11-10-2005 06:29 AM
Once again thanks a lot.
Dominik
11-10-2005 04:19 PM
Have you given it a go already? Does it work as required?
11-17-2005 05:08 AM
Just wondering how you go.
01-30-2006 08:35 AM
I have a situation like this: I have a Loopback 0 interface where I put ip nat inside, and a remote-access VPN client. When I ping host A from the inside IP address of the Loopback 0 interface (10.0.1.1) via extended ping, NAT works fine. But after a VPN connection is established between the VPN remote client and the server, and I ping the same host A from the PC, NAT does not work. I sniffed traffic on host A and I see an IP address from network 10.0.1.0/24.
How must I configure NAT in this situation? I also want the PC which connects and establishes the VPN tunnel to the router to be able to ping host A, but from the IP of the ip nat outside interface (overload on fa0/0, for example 192.168.1.1), not from the IP from the local pool which the router gives it.