Hello,
I've had a SonicWALL to SonicWALL VPN up and running for a few years, with network 192.168.5.x at my office able to access 192.168.6.x and 192.168.70.x at my datacenter. Now the SonicWALL at my office needs to be replaced with a 2811, and I need to keep the VPN tunnel up and working.
My 2811 is currently doing NAT, and I have the VPN tunnel up, but no traffic is passing. I believe I've troubleshot it down to a NoNAT problem, and I don't know how to resolve it with ACLs, although I used to know how to do it on a PIX.
What lines of code do I need to allow my office network (192.168.5.x) to access the datacenter network (192.168.6.x and 70.x)? There are currently no ACLs applied to the WAN interface at all, and I only have one static IP.
Hi Eric,
access-list 111 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 111 deny ip 192.168.5.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 111 permit ip 192.168.5.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 111
!
ip nat inside source route-map nonat interface <WAN Interface> overload
So this means whatever is denied in the route-map ACL will be exempted from NAT when it matches that specific rule, and it goes through as it is....
Regards
Karthik
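As an added illustration (not part of Karthik's reply or of Cisco IOS itself), a small Python model of how the route-map ACL above decides which flows get translated. The ACL entries mirror the reply; the source and destination addresses are constructed test values, with 203.0.113.9 (a documentation address) standing in for an arbitrary Internet host.

```python
import ipaddress

# Constructed copy of ACL 111 from the reply. Cisco ACLs are evaluated top-down,
# first match wins, so the two specific denies must come before the broad permit.
ACL_111 = [
    ("deny",   "192.168.5.0", "0.0.0.255", "192.168.6.0",  "0.0.0.255"),
    ("deny",   "192.168.5.0", "0.0.0.255", "192.168.70.0", "0.0.0.255"),
    ("permit", "192.168.5.0", "0.0.0.255", "0.0.0.0",      "255.255.255.255"),  # "any"
]

# Common misconfiguration (constructed): the permit placed first makes the
# denies unreachable, so tunnel-bound traffic is NATed to the WAN address
# and no longer matches the remote peer's crypto ACL.
ACL_MISORDERED = [ACL_111[2], ACL_111[0], ACL_111[1]]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def acl_action(acl, src: str, dst: str) -> str:
    """Return the action of the first matching entry; an ACL ends in an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


def nat_applies(src: str, dst: str, acl=ACL_111) -> bool:
    """Model of 'ip nat inside source route-map nonat ...': only flows the
    route-map's ACL *permits* are translated. A deny (explicit or implicit)
    leaves the packet untranslated, so it enters the IPsec tunnel with its
    private 192.168.5.x source address intact."""
    return acl_action(acl, src, dst) == "permit"


if __name__ == "__main__":
    for dst in ("192.168.6.20", "192.168.70.5", "203.0.113.9"):
        print(f"192.168.5.10 -> {dst}: NAT applied = {nat_applies('192.168.5.10', dst)}")
```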