IPSec and NAT overhead

Hello,

I followed the IPSec instructions to configure the router successfully:

And configured the PAT successfully:

But if I combine the two demos together, the host behind the NAT cannot ping the remote host.
It will show the U symbol (I guess this means unreachable) unless I erase the NAT command (no ip nat inside source list 1 interface gi0/0 overload).

Is there any extra command I have to configure? If so, can you please explain why?

Many thanks,

Hello Yu Chin

It really depends on your topology and on the location at which you have applied NAT. Are you attempting to have the tunnel traverse NAT (in which case you will need to use NAT Traversal) or are you applying NAT at one of the two sites being connected over the VPN? Can you give us some more information about your setup so we can help you further? You might find some of the following links useful as well:


I hope this has been helpful!

Laz

Hello Laz,

Thanks for the quick response.

I did some searching on Google, and I changed the ACL for the NAT.

I used the command as below before:

R1:

! Standard ACL: matches on source only, so LAN-to-remote-LAN traffic is also translated
access-list 1 permit 172.18.1.0 0.0.0.255
ip nat inside source list 1 interface gi 0/0 overload

R3:

! Standard ACL: matches on source only, so LAN-to-remote-LAN traffic is also translated
access-list 1 permit 172.18.3.0 0.0.0.255
ip nat inside source list 1 interface gi 0/0 overload

And I changed the ACL:
R1:

! Extended ACL: exempt traffic destined for the remote LAN from NAT, translate everything else
access-list 101 deny ip 172.18.1.0 0.0.0.255 172.18.3.0 0.0.0.255
access-list 101 permit ip 172.18.1.0 0.0.0.255 any
ip nat inside source list 101 interface gi 0/0 overload

R3:

! Extended ACL: exempt traffic destined for the remote LAN from NAT, translate everything else
access-list 101 deny ip 172.18.3.0 0.0.0.255 172.18.1.0 0.0.0.255
access-list 101 permit ip 172.18.3.0 0.0.0.255 any
ip nat inside source list 101 interface gi 0/0 overload

I didn't change anything in the configuration of IPsec.

Then that worked! Looks like I have to deny LAN users from using NAT when the destination IP addresses belong to the IPsec remote LAN, because it should go through IPsec.

Is that correct?
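The behaviour behind this fix is the Cisco IOS inside-to-outside order of operations: NAT is applied before the crypto map is evaluated, so a packet whose source has already been overloaded to the gi0/0 address no longer matches the crypto ACL and leaves in cleartext. The model below is an added illustration, not from the thread or from Cisco; it assumes a crypto ACL of 172.18.1.0/24 to 172.18.3.0/24 (matching the deny lines in ACL 101) and a constructed outside address of 203.0.113.1 for R1's gi0/0.

```python
import ipaddress

# Constructed topology values (assumptions, not from the thread).
R1_GI00 = "203.0.113.1"  # R1's outside (PAT overload) address

# Assumed crypto ACL protecting R1 LAN -> R3 LAN, mirroring the deny lines in ACL 101.
CRYPTO_ACL = [("permit", "172.18.1.0/24", "172.18.3.0/24")]

# NAT ACLs as posted in the thread. A standard ACL matches on source only,
# which is modelled here as "any destination" (0.0.0.0/0).
NAT_ACL_1 = [("permit", "172.18.1.0/24", "0.0.0.0/0")]
NAT_ACL_101 = [
    ("deny", "172.18.1.0/24", "172.18.3.0/24"),
    ("permit", "172.18.1.0/24", "0.0.0.0/0"),
]


def acl_match(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in acl:
        if s in ipaddress.ip_network(s_net) and d in ipaddress.ip_network(d_net):
            return action == "permit"
    return False


def forward_inside_to_outside(nat_acl, src, dst):
    """Model the IOS inside->outside path: NAT runs first, then the crypto
    map is checked against the (possibly translated) packet."""
    src_on_wire = R1_GI00 if acl_match(nat_acl, src, dst) else src
    encrypted = acl_match(CRYPTO_ACL, src_on_wire, dst)
    return {"src_on_wire": src_on_wire, "encrypted": encrypted}


if __name__ == "__main__":
    for name, acl in (("ACL 1", NAT_ACL_1), ("ACL 101", NAT_ACL_101)):
        print(name, "LAN->remote LAN:", forward_inside_to_outside(acl, "172.18.1.10", "172.18.3.10"))
        print(name, "LAN->Internet:  ", forward_inside_to_outside(acl, "172.18.1.10", "198.51.100.7"))
```

With ACL 1 the LAN-to-remote-LAN packet is translated and misses the crypto ACL, which is the cleartext/unreachable symptom described above; with ACL 101 it keeps its private source, matches the crypto ACL and is encrypted, while Internet-bound traffic is still translated.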

Hello Yu Chin

That looks good! Thanks for sharing your solution!

Laz