nb123
Technical User
- Feb 1, 2009
- 1
Hi all, this is my first post on the forum; I was hoping someone could help me out!
The following is a brief description of the setup:
Device 1 (LAN Interface q.q.q.q) ---------(LAN)--------- (LAN Interface r.r.r.r) Router 2 (VPN Interface s.s.s.s) ------------(IPSEC VPN)--------------- (VPN Interface t.t.t.t) Cisco Router (LAN Interface u.u.u.u) -----------(LAN) --------- (LAN Interface v.v.v.v) Device 3
We have a VPN set up from s.s.s.s to t.t.t.t at the Cisco Router. Device 1 is transferring images via FTP to Device 3. However, we're using NAT at the Cisco Router so that Device 1 FTPs data to t.t.t.t, which is then translated to Device 3's IP address at v.v.v.v. We've implemented the following NAT rules at the Cisco Router:
ip nat inside source static v.v.v.v t.t.t.t
ip nat outside source static t.t.t.t v.v.v.v
This allows us to administer Device 1 and Router 2 from Device 3 without revealing Device 3's IP address.
However, this causes problems for our VPN connection setup. This is because when s.s.s.s tries to establish a VPN connection over port 500 (ISAKMP) with t.t.t.t, this gets translated by the inside NAT rule on the Cisco router, and the destination IP address changes to v.v.v.v, so the packet is forwarded to Device 3.
I feel that the 'route-map' command on the Cisco Router is the right way to get around this problem, but I'm unsure about how exactly to configure this and I haven't been successful so far. The route-map should exclude the VPN connection from undergoing NAT, so s.s.s.s will be able to set up the VPN with t.t.t.t, but all traffic from q.q.q.q to t.t.t.t will still be able to undergo NAT so that destination t.t.t.t can be translated to v.v.v.v.
I've tried the following, but it doesn't work:
ip nat inside source static v.v.v.v t.t.t.t route-map excludevpn
ip nat outside source static t.t.t.t v.v.v.v
!
ip access-list extended excludevpnfromnat
 deny ip host s.s.s.s host t.t.t.t
 permit ip host s.s.s.s host v.v.v.v
!
route-map excludevpn permit 10
 match ip address excludevpnfromnat
Is there some way I can perhaps exclude all traffic from s.s.s.s to t.t.t.t from undergoing NAT?
Please help! Thanks
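As an added example (not the poster's configuration and not taken from this thread), this is how the exemption ACL for the route-map approach is usually written on IOS. Rather than exempting all IP traffic between the two endpoints, it denies only the IKE (UDP 500), NAT-T (UDP 4500) and ESP flows between s.s.s.s and t.t.t.t, so the route-map does not match them, and permits everything else so the FTP traffic from q.q.q.q to t.t.t.t is still translated. The addresses are the placeholders from the post; the ACL, route-map and NAT statement names are the poster's. It assumes the route-map is consulted against the untranslated packet, which is why entries for both directions are listed.

```text
! Added example: keep the IPsec control and data channels between the
! two VPN endpoints out of the static translation, exempt nothing else.
ip access-list extended excludevpnfromnat
 remark IKE, NAT-T and ESP between the two VPN endpoints: never translate
 deny   udp host s.s.s.s host t.t.t.t eq isakmp
 deny   udp host s.s.s.s host t.t.t.t eq non500-isakmp
 deny   esp host s.s.s.s host t.t.t.t
 deny   udp host t.t.t.t host s.s.s.s eq isakmp
 deny   udp host t.t.t.t host s.s.s.s eq non500-isakmp
 deny   esp host t.t.t.t host s.s.s.s
 remark everything else, including FTP from q.q.q.q to t.t.t.t, is translated
 permit ip any any
!
route-map excludevpn permit 10
 match ip address excludevpnfromnat
!
ip nat inside source static v.v.v.v t.t.t.t route-map excludevpn
```

Two checks are worth doing after applying something like this. First, attaching a route-map to a static inside-source entry makes the translation conditional, so confirm with a test FTP transfer from Device 1 and `show ip nat translations` that the t.t.t.t to v.v.v.v mapping is actually present when Device 1 connects, rather than assuming the unconditional static behaviour still holds. Second, keeping the exemption narrowed to IKE, NAT-T and ESP (instead of `deny ip`) means the router's address t.t.t.t is not exposed to s.s.s.s for any other protocol through the NAT bypass; `show ip nat statistics` and `debug ip nat` show which entries are being hit if the tunnel still fails to come up.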