Search this Blog

Monday, November 23, 2009

How to configure the router to NAT the traffic destined for the VPN tunnel and still access the Internet using the dynamic NAT on FastEthernet0/1?


We have a server with an IP address of 192.168.1.9 that needs to access a remote subnet of 192.168.50.0/24, across the Internet. However, before the server can access the remote subnet, the server's IP address needs to be NAT'ed to 10.1.0.1 because the remote VPN gateway (which is not under our control) provides access to other clients that have the same subnet addressing that we do on our LAN.

We have a Cisco 2801 (running c2801-advsecurityk9-mz.124-15.T9.bin) configured to do the NAT. This is the only gateway on our network.

When the server (192.168.1.9) attempts to ping devices on the 192.168.50.0/24 subnet, the VPN tunnel is successfully established. However, after that, the server is no longer able to access the Internet because the NAT translation for 192.168.1.9 has changed from the external IP of the router (FastEthernet0/1) to 10.1.0.1.

Instead of using a pool for NAT
192.168.1.9 -- 10.1.0.1 >> 192.168.50.x
acl 102 permit ip host 192.168.1.9 192.168.50.0 0.0.0.255
route-map RM-STATIC-NAT permit 10
match ip address 102
ip nat inside source static 192.168.1.9 10.1.0.1 route-map RM-STATIC-NAT extendable
acl 101 deny ip host 192.168.1.9 192.168.50.0 0.0.0.255
acl 101 per ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/1 overload
***VPN access-list will use the source as 10.1.0.1...***
Whenever you make changes in NAT rules be sure of clearing the nat translations for the ip address/subnet for which rule is defined on router to ensure router creates the correct translation considering all ip nat rules configured on the device.

Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.

No comments :

Post a Comment

 
/* Google Analytics begin ----------------------------------------------- */ /* Google Analytics end ----------------------------------------------- */