[c-nsp] Correction: NAT not playing nice with VPNs
Brian Feeny
signal at shreve.net
Sat Mar 12 13:53:31 EST 2005
The last config I posted had an error: the ACL I am using on the route
map that overloads against S0 does in fact exclude traffic to the
remote VPN, so that's not the problem; it's something else going on.
The correct config is below.
-------------
I have a situation where I am NATing all traffic behind a WAN IP
address using overload.
If the traffic, however, is destined for a specific IP address, it needs
to use a pool instead, so that each inside host can have a unique IP
address. The reason I have route-maps is because this router has
multiple WAN links, and I am doing NAT behind different WAN IPs, and so
I have to make sure that if the traffic goes out a certain WAN link, it gets
NATed behind that WAN link's IP or pool.
With overload on a single WAN, it all works. With the below config,
traffic to 170.97.79.74 uses poolS0 like it's supposed to, but the dial
VPNs these users are trying to use to connect to 170.97.79.74 are
failing. I wanted to see if there is something I am doing wrong here.
I could have tested more with debugs, but the user needed everything
back in production, so I overloaded everything behind the WAN IP
and that works.
Anyone see why dial VPNs (ESP, etc.) would fail when using the pool as
set up below?
So I set it up like so:
ip nat inside source route-map outS0 interface Serial0 overload
ip nat inside source route-map outS0-2 pool poolS0
ip nat pool poolS0 65.38.20.152 65.38.20.159 netmask 255.255.255.248
ip route 170.97.79.74 255.255.255.255 Serial0
route-map outS0 permit 10
match ip address localLan
match interface Serial0
!
route-map outS0-2 permit 10
match ip address toHudVpn
match interface Serial0
!
ip access-list extended toHudVpn
permit ip 10.0.0.0 0.0.0.255 host 170.97.79.74
!
ip access-list extended localLan
deny ip host 10.0.0.2 any
deny ip 10.0.0.0 0.0.0.255 host 170.97.79.74
permit ip 10.0.0.0 0.0.0.255 any
Brian
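As an added example (not part of the original post or any Cisco code), the following Python model evaluates the posted ACLs, route-maps and the two "ip nat inside source" rules over sample flows, so the translation each inside host gets can be checked without a router. It assumes the egress interface is passed in (standing in for the routing lookup), that the pool hands out one address per inside host until its eight addresses are taken, and, because Serial0's own address is not given in the post, reports overload translations simply as ("overload", "Serial0"). The order_independent() check confirms what the correction says: localLan and toHudVpn are mutually exclusive, so the result does not depend on which NAT rule the router tries first.

```python
"""Model of the posted NAT policy: Cisco wildcard ACLs, route-maps and the
two 'ip nat inside source' rules (overload on Serial0 vs. pool poolS0).
Added example, not the router's code; egress interface is an input."""
import ipaddress


def _i(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    # Cisco wildcard mask: 0 bits must match, 1 bits are don't-care.
    w = _i(wildcard)
    return (_i(addr) & ~w) == (_i(base) & ~w)


# ACL address forms: "any", "host X" and "network wildcard".
ANY = ("0.0.0.0", "255.255.255.255")
NET24 = ("10.0.0.0", "0.0.0.255")


def host(addr):
    return (addr, "0.0.0.0")


VPN = host("170.97.79.74")

# Access lists exactly as posted; entries are (action, src, dst).
ACLS = {
    "toHudVpn": [("permit", NET24, VPN)],
    "localLan": [("deny", host("10.0.0.2"), ANY),
                 ("deny", NET24, VPN),
                 ("permit", NET24, ANY)],
}


def acl_permits(name, src, dst):
    # First matching entry wins; implicit deny at the end.
    for action, (s, swc), (d, dwc) in ACLS[name]:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action == "permit"
    return False


# route-map -> (match ip address, match interface)
ROUTE_MAPS = {"outS0": ("localLan", "Serial0"),
              "outS0-2": ("toHudVpn", "Serial0")}
# ip nat inside source route-map <rm> {interface Serial0 overload | pool poolS0}
NAT_RULES = [("outS0", ("overload", "Serial0")),
             ("outS0-2", ("pool", "poolS0"))]
# ip nat pool poolS0 65.38.20.152 65.38.20.159 -> eight addresses
POOLS = {"poolS0": [str(ipaddress.IPv4Address(_i("65.38.20.152") + k))
                    for k in range(8)]}


class NatBox:
    def __init__(self, rules=NAT_RULES):
        self.rules = rules
        self.alloc = {name: {} for name in POOLS}  # pool -> {inside: outside}

    def translate(self, src, dst, egress):
        """Return the translation a new flow src->dst leaving 'egress' gets."""
        for rm, (kind, target) in self.rules:
            acl, iface = ROUTE_MAPS[rm]
            if egress != iface or not acl_permits(acl, src, dst):
                continue
            if kind == "overload":
                return ("overload", target)
            taken = self.alloc[target]
            if src not in taken:  # one pool address per inside host (assumption)
                free = [a for a in POOLS[target] if a not in taken.values()]
                if not free:
                    return ("pool-exhausted", target)
                taken[src] = free[0]
            return ("pool", taken[src])
        return ("no-nat", None)


def order_independent(flows):
    """True if evaluating the NAT rules in either order gives the same result."""
    a, b = NatBox(NAT_RULES), NatBox(list(reversed(NAT_RULES)))
    return all(a.translate(*f) == b.translate(*f) for f in flows)


if __name__ == "__main__":
    box = NatBox()
    # Constructed sample flows: 198.51.100.9 stands in for an arbitrary Internet host.
    for flow in [("10.0.0.5", "170.97.79.74", "Serial0"),
                 ("10.0.0.5", "198.51.100.9", "Serial0"),
                 ("10.0.0.2", "198.51.100.9", "Serial0"),
                 ("10.0.0.2", "170.97.79.74", "Serial0")]:
        print(flow, "->", box.translate(*flow))
```

Run it to see that a LAN host reaching 170.97.79.74 gets its own pool address, any other destination is overloaded behind Serial0, and 10.0.0.2 is not translated at all except toward the VPN peer; a ninth host toward the VPN peer is reported as pool-exhausted.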