Cisco 871 Route map and NAT translation
DanSheppers asked:
Alright, well, here is my problem.
I have a Cisco 871 router, with a site-to-site VPN setup as well.
My problem starts when I set the NAT to work in conjunction with the VPN using a route-map command.
doing:
no ip nat inside source list NAT interface Dialer0 overload
ip nat inside source route-map RMAP interface Dialer0 overload
Clears all NAT translations (when I select yes, of course) and then new ones just are not created. Now, here is the weird part of it. An extended ping from vlan1 works. The NAT entry is created. Just computers behind it do not create the NAT entry at all.
We also have a Cisco SR2016 behind this 871.
Building configuration...
Current configuration : 4971 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname glacial
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3335385067
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3335385067
revocation-check none
rsakeypair TP-self-signed-3335385067
!
!
crypto pki certificate chain TP-self-signed-3335385067
certificate self-signed 01
#
quit
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.0.1
ip dhcp excluded-address 10.1.0.2
!
ip dhcp pool default-pool
import all
network 10.1.0.0 255.255.255.0
domain-name ehc.local
default-router 10.1.0.1
dns-server 10.0.0.160 142.161.130.155
netbios-name-server 10.0.0.160
!
!
ip domain name ehc.local
ip name-server 10.0.0.160
ip name-server 142.161.130.155
!
!
!
username # privilege 15 secret 5 #
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key * address 205.200.#.##
crypto isakmp fragmentation
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map DomainTunnel 1 ipsec-isakmp
description Tunnel to 205.200.#.##
set peer 205.200.#.##
set transform-set ESP-3DES-SHA2
match address Tunnel-Access
!
archive
log config
hidekeys
!
!
ip ssh rsa keypair-name glacial.ehc.local
ip ssh version 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description WAN
no ip address
duplex auto
speed auto
pppoe-client dial-pool-number 1
!
interface Vlan1
description Glacial Aggregates Network
ip address 10.1.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface Dialer0
description PPPoE Connection to MTS
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname #
ppp chap password 0 #
crypto map DomainTunnel
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip dns spoofing
ip nat inside source list NAT interface Dialer0 overload
!
ip access-list extended MGMT_ACCESS
permit ip host 205.200.66.189 any log
permit ip 0.0.0.0 255.255.255.0 any log
deny ip any any log
ip access-list extended NAT
permit ip 10.1.0.0 0.0.0.255 any
ip access-list extended RMAP
deny ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255 log
permit ip 10.1.0.0 0.0.0.255 any log
ip access-list extended Tunnel-Access
remark Tunnel Encapsulation Rule
permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255 log
deny ip any any log
ip access-list extended firewall-in-out
permit tcp any any reflect tcptraffic
permit udp any any reflect udptraffic
permit icmp any any reflect icmptraffic
ip access-list extended firewall-out-in
evaluate tcptraffic
evaluate udptraffic
evaluate icmptraffic
deny ip any any log
!
!
!
route-map RMAP permit 1
match ip address RMAP
!
!
control-plane
!
banner login ^C
Welcome to the Glacial Aggregates Router. Authorized Access Only^C
!
line con 0
login local
no modem enable
line aux 0
login local
line vty 0 4
access-class MGMT_ACCESS in
login local
transport input ssh
transport output none
!
scheduler max-task-time 5000
ntp clock-period 17179871
end
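As an added illustration (not part of the asker's post or of the router's configuration), the following Python model parses the NAT, RMAP and Tunnel-Access ACLs quoted above and checks that each inside flow is either translated or destined for the tunnel, never both and never neither. It assumes only "ip" entries, ignores the "log" keyword, and the sample flows are constructed.

```python
import ipaddress

# Constructed copies of the relevant ACLs from the posted config
# (the trailing 'log' keyword is consumed by the parser and ignored).
OLD_NAT_ACL = ["permit ip 10.1.0.0 0.0.0.255 any"]
RMAP_ACL = ["deny ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255 log",
            "permit ip 10.1.0.0 0.0.0.255 any log"]
TUNNEL_ACL = ["permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255 log",
              "deny ip any any log"]

def _take_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    mask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))  # wildcard = inverted subnet mask
    return ipaddress.ip_network((tok, mask), strict=False)

def acl_action(acl, src, dst):
    """First-match evaluation of an extended ACL for an 'ip' flow; implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if proto != "ip":
            continue  # these ACLs only carry 'ip' entries; tcp/udp/icmp matching is out of scope
        if src in _take_addr(rest) and dst in _take_addr(rest):
            return action
    return "deny"

def nat_and_crypto(nat_acl, src, dst):
    """Inside->outside on IOS: NAT runs before the crypto map. nat_acl decides translation;
    Tunnel-Access decides whether the untranslated flow was meant for the tunnel."""
    return (acl_action(nat_acl, src, dst) == "permit",
            acl_action(TUNNEL_ACL, src, dst) == "permit")

def check_consistency(nat_acl, flows):
    """Flag inside flows that are both translated and tunnel-bound (the NATted source no longer
    matches Tunnel-Access) or neither (a private source address leaves toward the ISP)."""
    return [(s, d) for s, d in flows if len(set(nat_and_crypto(nat_acl, s, d))) == 1]

if __name__ == "__main__":
    flows = [("10.1.0.50", "10.0.0.160"), ("10.1.0.50", "142.161.130.155")]
    print("plain NAT list:", check_consistency(OLD_NAT_ACL, flows))  # VPN flow would be NATted
    print("route-map RMAP:", check_consistency(RMAP_ACL, flows))     # []
```

Running it shows why the plain "ip nat inside source list NAT" form would translate the VPN-bound flow as well, while the RMAP deny entry exempts it and leaves the internet-bound flow translated.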