    Hi there,

    I have several Cisco routers model 871 on several offices with the following IOS: c870-advipservicesk9-mz.124-4.T8.bin

    They have vpn site-to-site tunnels configured between them. These tunnels, the encryption and the transformation sets are running normally without problems.

    The problem is with the traffic between sites.
    When NAT is enabled on each router the VPN tunnels can be established, but there's no connectivity between the offices.
    When NAT is disabled the VPN tunnels and the network traffic between offices can be established, but there's no internet access from the users' computers, obviously.

    The SDM software told me about protecting the NAT ACLs from the VPN ACL, but it doesn't work.

    If it is necessary I can upload one of the Startup-configuration files.

    How can I enable both services at the same time? Is that possible?

    Thank you in advance.

    Use a route-map on your nat overload statement. Example:

    ip nat inside source route-map NONAT_NAT interface FastEthernet4 overload
    Where the route-map is specified as:
    route-map NONAT_NAT permit 1
     match ip address nonat_nat
    ...and the nonat_nat ACL:
    ip access-list extended nonat_nat
     remark NOTE: Since this router is acting as both a VPN endpoint and
     remark a firewall with a single IP address (overload/PAT), encrypted
     remark VPN traffic should not be NAT'd (deny) while traffic to the
     remark internet should (permit).
     remark .
     remark ..
     remark No NAT local network to remote vpn network (rfc1918) 
     deny   ip
     deny   ip
     deny   ip
     remark ...
     remark NAT local network to Internet
     permit ip any
    NOTE: The deny section of the nonat_nat ACL needs to match the "interesting traffic" specified in the crypto map, i.e. Traffic2Encrypt.

    Based on your post, it sounds like this ACL is already working. Use it as a template to create the nonat_nat ACL and change the permits to denies. Then add the final permit as shown above for NAT'd internet traffic.

    Good luck!
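The answer above boils down to one invariant: every permit in the crypto map's "interesting traffic" ACL must appear as a deny at the top of the route-map's NAT ACL, otherwise site-to-site traffic is translated before it is matched against the crypto ACL and never enters the tunnel (tunnels up, no traffic, exactly the symptom in the question). The script below is an added example, not code from this thread or from Cisco; it parses a crypto ACL, generates the mirrored nonat_nat ACL, evaluates sample flows the way IOS does with `ip nat inside source route-map` (first match, implicit deny, a deny or no match means "do not translate"), and flags any crypto entry that a given NAT ACL would leak. The ACL names other than nonat_nat/Traffic2Encrypt, the subnets, and the helper names are constructed placeholders; only contiguous wildcard masks are handled.

```python
"""Mirror a crypto-map "interesting traffic" ACL into the NAT-exemption ACL
used by `ip nat inside source route-map ... overload` and check sample flows.
Added example (not from the thread); addresses below are constructed."""
import ipaddress

# Constructed crypto ACL: one local LAN and two remote VPN LANs.
CRYPTO_ACL = """\
ip access-list extended Traffic2Encrypt
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_operand(tokens):
    """Consume one IOS operand: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcards are inverted netmasks (0.0.0.255 -> /24); assumes contiguous.
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    net = ipaddress.ip_network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)
    return net, tokens[2:]


def parse_acl(text):
    """Return (name, [(action, src_net, dst_net), ...]); remarks are skipped."""
    name, aces = None, []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            name = tokens[3]
        elif tokens[0] in ("permit", "deny") and tokens[1] == "ip":
            src, rest = _take_operand(tokens[2:])
            dst, _ = _take_operand(rest)
            aces.append((tokens[0], src, dst))
    return name, aces


def _fmt(net):
    if net == ANY:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def build_nonat_acl(crypto_text, name="nonat_nat"):
    """Crypto permits become denies; then each local LAN is permitted to any
    (design choice: tighter than 'permit ip any any', same effect for users)."""
    _, crypto = parse_acl(crypto_text)
    lines = [f"ip access-list extended {name}",
             " remark No NAT: local network to remote VPN network"]
    for action, src, dst in crypto:
        if action == "permit":
            lines.append(f" deny   ip {_fmt(src)} {_fmt(dst)}")
    lines.append(" remark NAT: local network to Internet")
    seen = []
    for action, src, _ in crypto:
        if action == "permit" and src not in seen:
            seen.append(src)
            lines.append(f" permit ip {_fmt(src)} any")
    return "\n".join(lines) + "\n"


def acl_lookup(aces, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in aces:
        if s in src and d in dst:
            return action
    return "deny"


def is_translated(nonat_text, src_ip, dst_ip):
    """A flow is NAT'd only when the route-map's match ACL permits it."""
    _, aces = parse_acl(nonat_text)
    return acl_lookup(aces, src_ip, dst_ip) == "permit"


def leaking_vpn_flows(crypto_text, nonat_text):
    """Crypto permits that the NAT ACL would translate (breaking the tunnel).
    The first NAT entry overlapping a crypto entry decides; it must be a deny
    that fully covers the entry, otherwise the entry is flagged."""
    _, crypto = parse_acl(crypto_text)
    _, nonat = parse_acl(nonat_text)
    leaks = []
    for action, src, dst in crypto:
        if action != "permit":
            continue
        covered = False
        for n_action, n_src, n_dst in nonat:
            if not (src.overlaps(n_src) and dst.overlaps(n_dst)):
                continue
            covered = n_action == "deny" and src.subnet_of(n_src) and dst.subnet_of(n_dst)
            break
        if not covered:
            leaks.append((src, dst))
    return leaks


if __name__ == "__main__":
    print(build_nonat_acl(CRYPTO_ACL))
    print(leaking_vpn_flows(CRYPTO_ACL, build_nonat_acl(CRYPTO_ACL)))
```

Paste your real Traffic2Encrypt ACL into `CRYPTO_ACL` and run `leaking_vpn_flows` against the nonat_nat ACL from the running config; an empty list means the deny section mirrors the crypto map as the answer requires.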


      Thank you scowles,
      With your help I now have connectivity to both networks. Users can reach the internet and the traffic between sites is running well. Thanks.

      Now I want to have access to the sites' networks from the router itself, in order to provide some kind of provisioning on them with a TFTP server.

      From the router console I can't ping any host on any site's network.

      Thank you in advance


        Glad to hear that worked!

        When using ping from the router, try changing the source interface to inside. Example:

        #sh ip int brief | inc BVI3
        BVI3                YES NVRAM  up                    up
        fw-steve#ping source BVI3
        Type escape sequence to abort.
        Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
        Packet sent with a source address of 
        Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/12 ms

        Same thing with TFTP:

        (config)#ip tftp source-interface BVI3