Nat on a stick - Cisco

NAT on a stick is mostly needed when you try to connect to a remote computer through a VPN tunnel using a forwarded port: the connection drops even though there is connectivity to the remote computer (an ICMP ping works, for example).
 
Why?

The packet from the VPN tunnel reaches the remote station, but because the remote router has a NAT command forwarding the port we are trying to connect to, the return packet is NATed and does not enter the VPN tunnel on the way back.

Solution:

The solution is to create a route-map that sends all traffic from the local LAN back into the tunnel, by setting the next hop to a loopback interface that does not perform NAT.


Here are the steps:

1. Create a loopback

    conf t
    int loopback 1002
    ip address 1.1.1.1 255.255.255.252

2. Create an access list from the LAN to the VPN LAN

    ip access-list extended NO_NAT_VPN
    permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255

3. Next, configure a route map

    route-map NO_NAT_VPN permit 10
    match ip address NO_NAT_VPN
    set ip next-hop 1.1.1.2



4. Apply the route map on the internal leg

    int vlan 1
    ip policy route-map NO_NAT_VPN
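The four steps consolidated into one IOS configuration, followed by the show commands used to verify that LAN-to-VPN traffic is actually being policy-routed around NAT (added example, not from the original post; the interface names and addresses are the ones assumed in the steps above):

```cisco
! Consolidated configuration of the steps above (added example)
conf t
 interface Loopback1002
  ip address 1.1.1.1 255.255.255.252
 !
 ip access-list extended NO_NAT_VPN
  permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
 !
 route-map NO_NAT_VPN permit 10
  match ip address NO_NAT_VPN
  set ip next-hop 1.1.1.2
 !
 interface Vlan1
  ip policy route-map NO_NAT_VPN
end
!
! Verification: the "Policy routing matches" counter must grow while
! hosts in 192.168.1.0/24 talk to 172.16.0.0/24
show route-map NO_NAT_VPN
! Confirms the route-map is bound to the inside interface (Vlan1)
show ip policy
! Flows between 192.168.1.0/24 and 172.16.0.0/24 should NOT appear here;
! if they do, the return traffic is still being translated
show ip nat translations
```

The loopback is deliberately left without `ip nat inside`, which is what keeps traffic bounced through it out of the translation table.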
