Nat on a stick - Cisco

NAT on a Stick is used mostly when you try to reach a remote computer through a forwarded port over a VPN tunnel: the connection drops even though there is connectivity to the remote computer (an ICMP ping succeeds, for example).

The packet from the VPN tunnel reaches the remote station, but because the remote router has a NAT command forwarding the port we are trying to connect to, the return packet is translated by NAT and does not re-enter the VPN tunnel.

The solution is to create a route-map that sends the return traffic from the local LAN back into the tunnel by setting its next hop to a loopback interface that does not perform NAT.

Here are the steps:

1. Create a loopback interface

    conf t
    int loopback 1002
    ip address

2. Create an access list matching traffic from the LAN to the VPN LAN

    ip access-list extended NO_NAT_VPN
    permit ip

3. Next, configure a route map that matches the access list and sets the next hop

    route-map NO_NAT_VPN
    match ip address NO_NAT_VPN
    set ip next-hop

4. Apply the route map on the internal (LAN-facing) interface

    int vlan 1
    ip policy route-map NO_NAT_VPN
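A complete version of the four steps above, as an added example that is not taken from the original post, shown for the router that holds the port forward. The addresses (LAN 192.168.1.0/24 on Vlan1, remote VPN LAN 192.168.2.0/24, loopback subnet 10.255.255.0/30) and the choice of an unused address in the loopback subnet as the next hop are constructed assumptions.

```cisco
! Added example, not from the original post. Constructed addresses:
!   local LAN 192.168.1.0/24 on Vlan1, remote VPN LAN 192.168.2.0/24,
!   loopback subnet 10.255.255.0/30 used only as a dummy next hop.
!
! The loopback carries no "ip nat inside" / "ip nat outside", so a packet
! re-injected through it is not subject to the inside-to-outside translation
! that the port forward relies on.
interface Loopback1002
 ip address 10.255.255.1 255.255.255.252
!
! Match only LAN -> VPN LAN traffic. Anything else falls through to the
! normal routing table and keeps being translated as before.
ip access-list extended NO_NAT_VPN
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Policy-route matching packets to an unused address in the loopback subnet
! (assumption: not the loopback's own IP). The next hop resolves onto
! Loopback1002, the packet loops back into the router from a non-NAT
! interface, and it is then routed toward the tunnel untranslated.
route-map NO_NAT_VPN permit 10
 match ip address NO_NAT_VPN
 set ip next-hop 10.255.255.2
!
! Apply on the inside (LAN-facing) interface. Policy routing is evaluated
! on packets entering this interface, before the normal routing lookup.
interface Vlan1
 ip policy route-map NO_NAT_VPN
!
! Verification (exec mode): the policy match counter should increase while
! a host on 192.168.1.0/24 talks to 192.168.2.0/24, and no NAT entry for
! that flow should appear.
! show route-map NO_NAT_VPN
! show ip nat translations
```

The access list should match exactly the traffic the crypto ACL sends into the tunnel; if it is broader, non-VPN traffic is policy-routed around NAT and loses its translation.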
