Solved

Cisco router 87x - Combining NAT & VPNs

Posted on 2009-05-15
Last Modified: 2013-11-16
Hi,

We have Cisco 87x routers and 2 sites; let's call them siteA and siteB.  There is a Cisco VPN tunnel between siteA and siteB, set up using the SDM Wizard.

The problem we have is if we create any incoming NAT rules like the following:
At SiteA, incoming NAT rule for SMTP to 192.168.0.1
Then from SiteB no-one can connect to SMTP at 192.168.0.1

This is the same for any NAT rule I create coming into SiteA; it then becomes unavailable for SiteB users.  Why is this?  What can I do about it?

Thank you


Question by:nmxsupport

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 24397632
You can exclude the servers from NAT when talking to the SiteB subnet.

For example:

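conf t
! ACL used by the route-map: deny = do not translate, permit = translate
ip access-list ext static-no-nat
 ! 192.168.x.0 is the site B subnet
 deny ip any 192.168.x.0 0.0.0.255
 permit ip any any
!
route-map static-no-nat permit 10
 match ip address static-no-nat
!
! Replace the existing static NAT entry with one tied to the route-map
no ip nat inside source static tcp 192.168.0.1 25 x.x.x.x 25
ip nat inside source static tcp 192.168.0.1 25 x.x.x.x 25 route-map static-no-nat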

Author Comment

by:nmxsupport
ID: 24397778
Unfortunately, it looks like the 800 series routers may not support the "route-map" command.
I tried, but it said % invalid input at the "route-map" command.

Expert Comment

by:JFrederick29
ID: 24397795
The route-map on the static NAT statement or just adding the route-map?

Author Comment

by:nmxsupport
ID: 24403074
It was the route-map on the static NAT statement

Expert Comment

by:JFrederick29
ID: 24404503
Yeah, figured, you'll need to upgrade for it to work.  Can you post a "show version"?

Author Comment

by:nmxsupport
ID: 24410116
I found out the route-map command is not valid with my static IP addresses with the following line:
ip nat inside source static tcp 192.168.1.1 25 interface Dialer0 25
but will work with the following:
ip nat inside source static tcp 192.168.1.1 25 81.201.22.11 25

Expert Comment

by:JFrederick29
ID: 24411070
Yeah, sorry, should have mentioned.  I assumed you were specifying an IP address.  Does it take care of the issue using that config?

Author Comment

by:nmxsupport
ID: 25550260
I have overlooked this issue. I will have another go if JFrederick29 is still available to assist?

Expert Comment

by:JFrederick29
ID: 25550395
Yep, I am available.  Let me know if that config works.

Author Comment

by:nmxsupport
ID: 25685846
Yes, worked fine, thank you.
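
Added example, not code from the thread or from Cisco: a Python audit that reads a running-config and lists the static NAT entries that would still translate traffic bound for the remote VPN subnet, which is the symptom discussed above. The sample config, its addresses and the function names are constructed for illustration, and it assumes the exemption is written as a deny entry in an extended named ACL matched by a permit route-map, as in the accepted solution.

```python
# Constructed sample running-config; all addresses are placeholders.
SAMPLE_CONFIG = """\
ip access-list extended static-no-nat
 deny ip any 192.168.2.0 0.0.0.255
 permit ip any any
route-map static-no-nat permit 10
 match ip address static-no-nat
ip nat inside source static tcp 192.168.0.1 25 203.0.113.10 25 route-map static-no-nat
ip nat inside source static tcp 192.168.0.1 443 203.0.113.10 443
ip nat inside source static tcp 192.168.0.2 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.3 22 203.0.113.10 22 route-map missing-map
"""

def parse_sections(config):
    """Map each top-level config line to the indented lines beneath it."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and IOS comments
        if raw[0] != " ":
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections

def audit_static_nat(config, remote_subnet):
    """Return [(nat_line, finding)] for static NAT not exempted towards remote_subnet."""
    sections = parse_sections(config)
    acls = {h.split()[3]: body for h, body in sections.items()
            if h.startswith("ip access-list extended ")}
    rmaps = {}  # route-map name -> names of the ACLs it matches
    for h, body in sections.items():
        if h.startswith("route-map "):
            names = [t for l in body if l.startswith("match ip address ") for t in l.split()[3:]]
            rmaps.setdefault(h.split()[1], []).extend(names)
    findings = []
    for line in sections:
        tokens = line.split()
        if not line.startswith("ip nat inside source static "):
            continue
        if "route-map" not in tokens:
            findings.append((line, "interface form, needs explicit global IP for a route-map"
                             if "interface" in tokens else "no route-map, tunnel traffic is translated"))
            continue
        name = tokens[tokens.index("route-map") + 1]
        if not any(e.startswith("deny ip") and remote_subnet in e
                   for acl in rmaps.get(name, []) for e in acls.get(acl, [])):
            findings.append((line, f"route-map {name} has no deny towards {remote_subnet}"))
    return findings
```

Call `audit_static_nat(config_text, "192.168.2.0 0.0.0.255")` with the remote subnet and wildcard exactly as they appear in the ACL; an empty list means every static entry is exempted towards that subnet.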