steveredman
Hello,
I have an 1801 router with a NAT rule to direct traffic from the inside networks (10.0.0.0/24 and 10.1.0.0/24) to the outside interface dialer0 (91.x.x.142):
ip nat inside source list 100 interface Dialer0 overload
and
access-list 100 deny ip any 10.2.0.0 0.0.0.255
access-list 100 deny ip host 10.0.0.5 any
access-list 100 deny ip host 10.0.0.6 any
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
access-list 100 deny ip any any log
10.2.0.0/24 is the network used by VPN clients that connect in to the router's VPN server. 10.0.0.5 and 10.0.0.6 need to route out (using NAT) via a different address, as per below:
ip nat pool mail-141 91.x.x.141 91.x.x.141 netmask 255.255.255.248 (creates a pool with only the external address required)
ip nat inside source list 151 pool mail-141
and
access-list 151 deny ip any 10.2.0.0 0.0.0.255
access-list 151 permit ip host 10.0.0.5 any
access-list 151 permit ip host 10.0.0.6 any
access-list 151 deny ip any any log
This all seems to work at first: the 10.0.0.5 and 10.0.0.6 traffic goes out translated to the 91.x.x.141 address, and all other hosts get translated to the 91.x.x.142 address. The problem comes when connected via a VPN tunnel to the router. I am able to ping all hosts on the network, including 10.0.0.6; however, when trying to ping 10.0.0.5 my replies come back from 91.x.x.141!
I have read some information regarding NAT rules but am unable to understand why these packets choose to disobey access-list 151 and go straight through translation to the 10.2.0.0/24 network!
Any help on this would be greatly appreciated.
Steve
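The behaviour in the post above can be reproduced with a small model of the IOS inside-to-outside NAT step. This is an added example, not code from the post or from Cisco. It encodes two documented IOS facts: the translation table is consulted before any NAT access list is evaluated, and a translation created by `ip nat inside source list ... pool` (no `overload`) is a simple entry keyed on the inside local address only, so once 10.0.0.5 has sent anything to the Internet, every later packet from 10.0.0.5 hits that entry and is translated to the pool address without access-list 151 ever being looked at. Entries created by an `overload` statement (or a route-map based statement) are extended entries that carry the destination, so a new flow to 10.2.0.0/24 does get checked against the ACL and is left alone. The public addresses are documentation-range stand-ins for 91.x.x.141/.142, the outside host and VPN client addresses are constructed, and the assumption that NAT statements are tried in configuration order is the model's, not the post's.

```python
"""Added model (not Cisco code, not from the post) of the inside-to-outside
NAT step on IOS: an existing translation is used before any NAT ACL is
evaluated, and a translation built by 'ip nat inside source list ... pool'
(without overload) is a simple entry keyed on the inside local address only."""
import ipaddress
from dataclasses import dataclass, field

# Documentation-range stand-ins for the post's 91.x.x.141 / 91.x.x.142 (assumption).
GLOBAL_141 = "203.0.113.141"
GLOBAL_142 = "203.0.113.142"
INTERNET_HOST = "198.51.100.10"   # constructed outside destination
VPN_CLIENT = "10.2.0.10"          # constructed address from the VPN client range


def _net(addr, wildcard):
    """Convert IOS 'address wildcard' notation to a network (contiguous wildcards only)."""
    if addr == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    prefix = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ace(action, src, src_wc="0.0.0.0", dst="any", dst_wc="0.0.0.0"):
    """Build one access-list entry from the arguments of an IOS 'access-list' line."""
    return Ace(action, _net(src, src_wc), _net(dst, dst_wc))


def acl_permits(acl, src, dst):
    """First matching entry decides; an IOS ACL ends in an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in acl:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


# access-list 100 and access-list 151 exactly as given in the post
ACL_100 = [
    ace("deny", "any", dst="10.2.0.0", dst_wc="0.0.0.255"),
    ace("deny", "10.0.0.5"),
    ace("deny", "10.0.0.6"),
    ace("permit", "10.0.0.0", "0.0.0.255"),
    ace("permit", "10.1.0.0", "0.0.0.255"),
]
ACL_151 = [
    ace("deny", "any", dst="10.2.0.0", dst_wc="0.0.0.255"),
    ace("permit", "10.0.0.5"),
    ace("permit", "10.0.0.6"),
]


@dataclass
class NatRule:
    acl: list
    inside_global: str
    extended: bool   # True: overload / route-map (entry records the destination)
                     # False: 'list ... pool' without overload (simple entry)


@dataclass
class Router:
    rules: list
    # translation table rows: (inside local, outside address or None, inside global)
    table: list = field(default_factory=list)

    def translate(self, src, dst):
        """Return the source address a packet leaves with after inside-to-outside NAT."""
        # 1. An existing translation is used as-is; no ACL is consulted here.
        for local, outside, glob in self.table:
            if local == src and outside in (None, dst):
                return glob
        # 2. No entry yet: NAT statements are tried in configuration order (assumption)
        #    and the first one whose ACL permits the packet creates the entry.
        for rule in self.rules:
            if acl_permits(rule.acl, src, dst):
                self.table.append((src, dst if rule.extended else None, rule.inside_global))
                return rule.inside_global
        # 3. Nothing matched: the packet leaves untranslated.
        return src


def run_scenario(pool_rule_extended):
    """Replay the post's traffic; pool_rule_extended=False is the configuration as posted."""
    r = Router(rules=[
        NatRule(ACL_100, GLOBAL_142, extended=True),               # ... interface Dialer0 overload
        NatRule(ACL_151, GLOBAL_141, extended=pool_rule_extended),  # ... pool mail-141
    ])
    return {
        "mail_to_internet": r.translate("10.0.0.5", INTERNET_HOST),   # creates the entry
        "mail_to_vpn": r.translate("10.0.0.5", VPN_CLIENT),           # the reported symptom
        "other_mail_to_vpn": r.translate("10.0.0.6", VPN_CLIENT),     # no entry yet: ACL honoured
        "lan_to_vpn": r.translate("10.0.0.20", VPN_CLIENT),
        "lan_to_internet": r.translate("10.0.0.20", INTERNET_HOST),
    }


if __name__ == "__main__":
    for extended in (False, True):
        print("pool entries carry destination:", extended, run_scenario(extended))
```

With the configuration as posted (`run_scenario(False)`), the packet from 10.0.0.5 to the VPN client leaves as 203.0.113.141 even though access-list 151 denies that destination, while 10.0.0.6, which had not yet created an entry, is left untranslated. On the real router the equivalent check is `show ip nat translations`: a simple entry shows 10.0.0.5 mapped to 91.x.x.141 with `---` in the outside columns, and `clear ip nat translation *` makes 10.0.0.5 reachable again until its next outbound packet. Making the pool statement create extended entries (`run_scenario(True)`) removes the symptom; on IOS that is done by selecting the pool traffic with a route-map instead of an access list (`route-map` matching `ip address 151`, then `ip nat inside source route-map ... pool mail-141`), which is a change not given in the post.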