[nsp] VPN + NAT + ISDN = Stumped

Steve Lim limmer at execpc.com
Tue Aug 12 11:06:57 EDT 2003

First of all, I'll like to thank everyone that responded. It's 
working!!!! WOOOOOOOO! A bit of refresher rtfm on route maps + Ejay's 
sample config got me going on track. So, many thanks to Ejay too.

There where eventually 2 seperate issues, and one had to be resolved, 
before the route-map solution can kick in. Issue 1: Who'da thunk 
removing stale crypto policies is a fantastic idea ;) 2: No route-map = 
no worky with NAT.

So, my final config (all else being equal):

ip nat inside source route-map Natpolicy interface Dialer0 overload

access-list 103 deny   ip
access-list 103 permit ip host any
access-list 103 permit ip host any
access-list 103 permit ip host any
access-list 103 permit ip host any

route-map Natpolicy permit 10
  match ip address 103

On a side note, Daryl J had me looking into this. Apparently, The NAT 
statements and Crypto map applied on the BRI interface are automatically 
placed there by the router, after you apply it to the Dialer Int. I'm 
curious to know why, if someone knows.

Ejay Hire wrote:

> Hi Steve.  Aren't VPN's fun?
> Here is what I see.  It looks like your VPN Server's current config
> won't work because you are running NAT for the VPN-able address range.
> Because of this, your Crypto Transform never matches it's Access-list.
> (The source address is going to be whatever IP the Dialer takes)...
> So, here is what I think is the simplest way to fix it.  
> You need to exclude traffic destined for the VPN from NAT.
> ---
> No access-list 103 
> access-list 103 deny ip
> Access-list 103 permit ip any any
> ---
> Alternately, here is how I like to do it if you are going to be adding
> multiple VPN's.  This allows you to only update a single ACL, and you
> don't have to tamper with your NAT ACL.
> ---
> No access-list 103
> Access-list 103 permit ip any any
> Route-map NatPolicy Deny 10
> 	Match ip address 132 (this is the ACL you use for your Crypto
> Map)
> Route-map NatPolicy Permit 10
> 	Match Ip address 103 (This is Permit Any)
> No ip nat inside source 103 interface serial0 overload
> Ip nat inside source route-map NatPolicy interface serial0 overload
> ---
> Let me know if this doesn't work and I'll look again.
> Good Luck,
> Ejay Hire
> Network Engineer (looking for work on the side)
> ejayhire at hotmail.com

Steve Lim - Network Engineer (Michigan)
Corecomm -An ATX Communications Company
Life is a feast, enjoy it while you wait
for desert -limmer

More information about the cisco-nsp mailing list