Velocity Reviews - Computer Hardware Reviews

VPN & Nat woes

 
 
Mikhael47
09-02-2004
I have a head office with a 2621 router. It's got crypto setup on it so
that our branch office with a 1710 can connect into it.

Our branch office is connected via an ISP to the net. They provided a block
of static IP's to use.

I use nat at the branch office. I use a route-map to get around the Nat
when they connect to our VPN.

This becomes a problem when the users try and make connections out to client
IPSec vpns. They can't make the connection unless I make a static nat
translation for them. When I make the translation, the static nat takes
precedence over the route-map to get to our VPN and they can no longer
connect.

Here are the relevant parts of my branch office config:

ip nat pool scottsdale xxx.xxx.xxx.171 xxx.xxx.xxx.174 netmask
255.255.255.248
ip nat inside source route-map nonat interface Ethernet0 overload

If I replace the nat source with the pool, the users can't get to the client
VPN's. If I leave it as is, and put static nats in for each machine, they
can't get to our VPN.

Has anyone ever encountered this situation before?

Mike




 
PES
09-03-2004


Two issues here. First, it would be nice if the configuration for the vpn
clients were such that a static was not required. I think later revs of IOS
support this transparently through nat.

Second, a static will always take precedence over the dynamically created
nat entries. Here is how to fix it.

To fix this, you have to trick the router into handing the packet to an
interface that does not have an ip nat (inside or outside) statement. This
is described in the following url: http://tinyurl.com/3fzlu

Basically, you do the following.

Create a loopback interface without the ip nat statement

interface loopback 0
ip address 1.1.1.1 255.255.255.0

Create an access list to match the traffic that is being inadvertently
nat'ed

access-list 199 permit ip host x.x.x.x y.y.y.0 0.0.0.255

The host (x.x.x.x) is the private ip of the statically natted pair,
because nat has not happened yet. y.y.y is your network; I assumed
class c.

Create a route-map to match the traffic and set the next hop out the loop
int.

route-map lanint permit 10
match ip address 199
set ip next-hop 1.1.1.2
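
Putting the steps above together into one branch-router configuration, as an added example that is not the poster's actual config: the addresses are constructed (branch LAN 192.168.10.0/24, head-office LAN 192.168.20.0/24 reached over the site-to-site VPN, ISP block 203.0.113.168/29 with .170 on the WAN interface and .171 as the one static mapping), the interface names FastEthernet0 and Ethernet0 are assumed for the 1710, and the contents of the nonat route-map and the crypto map name are assumed because the original thread only shows the `ip nat inside source route-map nonat` line. The policy route-map is applied with `ip policy route-map` on the LAN interface, which is where the follow-up in this thread places it. On the question of why the next hop is 1.1.1.2: it is just an address inside Loopback0's 1.1.1.0/24, so the router resolves it as directly connected out the loopback, and that is what hands the packet to an interface with no `ip nat` statement; any unused address in that subnet other than the loopback's own would serve.

```cisco
! Added example, not the poster's configuration. All addresses are constructed.
! Branch LAN 192.168.10.0/24, head-office LAN 192.168.20.0/24 (behind the VPN),
! ISP block 203.0.113.168/29: Ethernet0 = .170, static mapping for one host = .171

interface Loopback0
 ! Deliberately no "ip nat inside" / "ip nat outside" here: a packet that is
 ! policy-routed through this interface is not translated (the trick described above)
 ip address 1.1.1.1 255.255.255.0

interface Ethernet0
 description ISP-facing WAN (crypto map name "vpn" is assumed; its definition,
 description  whose crypto ACL matches 192.168.10.0/24 -> 192.168.20.0/24, is not shown)
 ip address 203.0.113.170 255.255.255.248
 ip nat outside
 crypto map vpn

interface FastEthernet0
 description branch LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ! Policy routing is evaluated on the ingress interface, before NAT
 ip policy route-map lanint

! Dynamic PAT for everyone, except traffic bound for the head office: that must
! stay un-NATed so the crypto ACL still matches it (the existing "nonat" route-map)
access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any

route-map nonat permit 10
 match ip address 101

ip nat inside source route-map nonat interface Ethernet0 overload

! One-to-one static for the host that needs its own public address to reach
! a client's IPsec VPN. A static always wins over the route-map-based dynamic
! translation, so on its own it also breaks this host's path to the head office.
ip nat inside source static 192.168.10.50 203.0.113.171

! Fix: match this host's head-office-bound traffic by its PRIVATE address
! (NAT has not happened yet at this point) and push it out Loopback0.
! Keep the ACL scoped to the VPN destination only; whatever it matches leaves
! the router untranslated, and the host's other traffic should still use the static.
access-list 199 permit ip host 192.168.10.50 192.168.20.0 0.0.0.255

route-map lanint permit 10
 match ip address 199
 set ip next-hop 1.1.1.2
```

To confirm the bypass is taking effect, `show route-map lanint` shows the policy-routing match counters climbing when the host talks to the head office, and `show ip nat translations` should show no entry for that flow while still showing the static for the host's other traffic. One caveat when reusing the loopback address from the thread: 1.1.1.0/24 is publicly routed today, so a small RFC 1918 subnet is the safer choice for a loopback whose only job is to exist without an `ip nat` statement.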



 
Mikhael47
09-03-2004
I see, set up the policy route map on the internal interface. I hope this
will work on 12.2(7b).

This makes a lot of sense. It will solve another problem for me too.

Mike

 
Mikhael47
09-03-2004
Question: why does the next hop have to be set to 1.1.1.2?

Mike

 
Mikhael47
09-03-2004
Never mind, I got it... hehe... works flawlessly.

Thanks all

Mike