Cisco Site-to-site VPN noNAT

  • Cisco Site-to-site VPN noNAT

    Hi, I need an answer from a person who really understands how to configure Cisco routers. I have a specific problem.
    First of all, there is no test environment. I have two Cisco 2811 routers in a production environment, so I must be very careful (the routers are constantly working 24/7).

    My problem is that I need to configure a site-to-site VPN without NAT between these two routers, but with NAT on one side or the other for the Internet traffic.
    Right now I have a site-to-site VPN up and running between two branches, but when I try to access a site (in the other branch) using its local IP (or DNS name) I can't, because of NAT'ing in the second branch.
    Example:
    From subnet 10.10.10.0 I am trying to reach 10.10.11.211. I can ping it, but I cannot connect through the browser (port 80). I can reach this site only using the public address. So I need to exclude NAT'ing for this site from the intranet but leave the site accessible for public users.

    If you are willing to help me and have ideas on how to fix this, I can explain the situation in more detail, with the code.

  • #2
    Re: Cisco Site-to-site VPN noNAT

    I have a recollection that it may be something to do with routemaps ?


    • #3
      Re: Cisco Site-to-site VPN noNAT

      I think so too, but how to fix it and make it work?



      • #4
        Re: Cisco Site-to-site VPN noNAT

        When using IOS, NAT exemption is specified in the ACL that is referenced by the NAT overload statement within your configuration. Based on my understanding of your post, you probably already have this ACL defined and referenced in the NAT overload statement. It just needs to be modified to add a "deny" statement for each "permit" statement referenced by the "match address" ACL specified within the crypto map definition. Whew!!!

        When modifying the ACL,
        deny = NAT exempt
        permit = NAT

        Example: Site 1 = 10.10.10.0/24, Site 2 = 10.10.11.0/24

        Router 1
        Code:
         
        crypto map Site-2-Site 1 ipsec-isakmp 
         description VPN Tunnel to Remote Site
         set peer xx.xx.xx.xx
         set transform-set ESP-3DES-MD5 
         match address acl.Traffic-2-Encrypt
         
        ip nat inside source list acl.LANS-2-NAT interface FastEthernet0/0 overload
        !
        ip access-list extended acl.LANS-2-NAT
         remark Add VPN netblocks to be Excluded from NAT (deny)
         deny ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
         remark Add netblocks to be NAT'd to Internet (permit)
         permit ip 10.10.10.0 0.0.0.255 any
         
        ip access-list extended acl.Traffic-2-Encrypt
         remark Specify the netblocks to be Encrypted
         permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
        ...and on router 2, simply reverse the source/destination netblocks

        Router 2
        Code:
        crypto map Site-2-Site 1 ipsec-isakmp
         description VPN Tunnel to Remote Site
         set peer xx.xx.xx.xx
         set transform-set ESP-3DES-MD5
         match address acl.Traffic-2-Encrypt

        ip nat inside source list acl.LANS-2-NAT interface FastEthernet0/0 overload
        !
        ip access-list extended acl.LANS-2-NAT
         remark Add VPN netblocks to be Excluded from NAT (deny)
         deny ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
         remark Add netblocks to be NAT'd to Internet (permit)
         permit ip 10.10.11.0 0.0.0.255 any

        ip access-list extended acl.Traffic-2-Encrypt
         remark Specify the netblocks to be Encrypted
         permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
        If you have multiple netblocks being encrypted, simply add an additional deny for each netblock to the overload ACL. Again, you will need a deny for each entry specified in the ACL referenced in the crypto map definition.

        You can also substitute a "route-map" on the overload statement instead of the "list", but given my understanding of your post, a simple list/ACL method should work fine.
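        As an added illustration (not part of this thread and not Cisco code), the following Python snippet models how IOS evaluates the two Router 1 ACLs above: top-down first match with wildcard masks, and inside-source NAT applied before the crypto map check on the inside-to-outside path. It shows why the deny must sit above the "permit ... any": with the permit first, the packet is translated and then no longer matches the crypto ACL. The outside address 198.51.100.1 and the Internet destination 203.0.113.10 are assumed sample values.

```python
import ipaddress

# Constructed ACL entries mirroring the Router 1 configuration in the answer above.
# Entry format: (action, src_net, src_wildcard, dst_net, dst_wildcard)
ACL_LANS_2_NAT = [
    ("deny",   "10.10.10.0", "0.0.0.255", "10.10.11.0", "0.0.0.255"),
    ("permit", "10.10.10.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),  # "any"
]
# The same two entries with the permit first: the deny is never reached.
ACL_WRONG_ORDER = [ACL_LANS_2_NAT[1], ACL_LANS_2_NAT[0]]
ACL_TRAFFIC_2_ENCRYPT = [
    ("permit", "10.10.10.0", "0.0.0.255", "10.10.11.0", "0.0.0.255"),
]
OUTSIDE_ADDR = "198.51.100.1"  # assumed public address of FastEthernet0/0

def wildcard_match(addr, net, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care' (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_lookup(acl, src, dst):
    """Entries are tested top-down; the first match wins, and the list ends in an implicit deny."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"

def classify(src, dst, nat_acl=ACL_LANS_2_NAT, crypto_acl=ACL_TRAFFIC_2_ENCRYPT):
    """Inside-to-outside order in IOS: inside-source NAT runs before the crypto map
    match, so a packet that gets translated is compared against the crypto ACL with
    its public source address and no longer matches the tunnel.
    Returns (translated, encrypted)."""
    translated = acl_lookup(nat_acl, src, dst) == "permit"   # permit = NAT, deny = exempt
    src_seen_by_crypto = OUTSIDE_ADDR if translated else src
    encrypted = acl_lookup(crypto_acl, src_seen_by_crypto, dst) == "permit"
    return translated, encrypted

if __name__ == "__main__":
    print("correct ACL, to remote LAN:     ", classify("10.10.10.5", "10.10.11.211"))
    print("correct ACL, to Internet:       ", classify("10.10.10.5", "203.0.113.10"))
    print("permit-first ACL, to remote LAN:", classify("10.10.10.5", "10.10.11.211", ACL_WRONG_ORDER))
```

The third case reproduces the symptom in the original post: the LAN-to-LAN packet is translated, misses the crypto map, and leaves toward the Internet with a private destination.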
