RVS4000 and NAT

I just recently bought an RVS4000 to take the place of an old NetGear FVS336, which took care of multiple NAT translations. It seems that the RVS4000 does not support this; do other models in the small business line support it? I only need this for a backup Internet connection, so I'm not really looking to go crazy with the cost.

I would recommend the RV220W. It's a wireless router; however, you can disable the wireless radio if it's something you don't need. It will allow individual NAT and has gigabit LAN ports. Here is a link to the interface.

http://www.Cisco.com/Web/SBTG/gui_mockups/RV220W_v1/home.htm

Blake

Tags: Cisco Support

Similar Questions

  • client ipSec VPN and NAT on the router Cisco = FAIL

    I have a Cisco 3825 router that I have set up for a Cisco VPN ipSec client.  The same router is NAT.

    ipSec logs, but can not reach the internal network unless NAT is disabled on the inside interface.  But I need both at the same time.

    Suggestions?

    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group myclient
     key password!
     dns 1.1.1.1
     domain name
     pool myVPN
     acl 111
    !
    crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set RIGHT
     reverse-route
    !
    crypto map clientmap client authentication list VPN-AAA
    crypto map clientmap isakmp authorization list AAA-VPN
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    interface Loopback0
     ip address 10.88.0.1 255.255.255.0
    !
    interface GigabitEthernet0/0
     // DESC it's external interface
     ip address 192.168.168.5 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     media-type rj45
     crypto map clientmap
    !
    interface GigabitEthernet0/1
     // DESC it comes from inside interface
     ip address 10.0.1.10 255.255.255.0
     ip nat inside  <================= ipSec client connects, but cannot reach interior network unless this is
     ip virtual-reassembly
     ip route-cache same-interface
     duplex auto
     speed auto
     media-type rj45
    !
    ip local pool myVPN 10.88.0.2 10.88.0.10
    ip route 0.0.0.0 0.0.0.0 192.168.168.1
    ip route 10.0.0.0 255.255.0.0 10.0.1.4
    !
    ip nat inside source list 1 interface GigabitEthernet0/0 overload
    !
    access-list 1 permit 10.0.0.0 0.0.255.255
    access-list 111 permit ip 10.0.0.0 0.0.255.255 10.88.0.0 0.0.0.255
    access-list 111 permit ip 10.88.0.0 0.0.0.255 10.0.0.0 0.0.255.255

    Hello

    I think that you need to configure the default PAT ACL so that its first statements 'deny' the traffic that is NOT supposed to be translated between the local network and the VPN pool.

    For example, this kind of ACL and NAT configuration:

    access-list 100 remark NAT0 VPN client
    access-list 100 deny ip 10.0.1.0 0.0.0.255 10.88.0.0 0.0.0.255
    access-list 100 remark default PAT for Internet traffic
    access-list 100 permit ip 10.0.1.0 0.0.0.255 any

    ip nat inside source list 100 interface GigabitEthernet0/0 overload


    EDIT:
    It seems you could actually have more than 10 networks behind the router.

    Then you could modify the ACL to this:

    access-list 100 remark NAT0 VPN client
    access-list 100 deny ip 10.0.1.0 0.0.255.255 10.88.0.0 0.0.0.255
    access-list 100 remark default PAT for Internet traffic
    access-list 100 permit ip 10.0.1.0 0.0.255.255 any

    Don't forget to mark correct replies as answers and/or rate useful answers.

    -Jouni

  • Cisco ASA Site to Site VPN IPSEC and NAT question

    Hi people,

    I have a question about site-to-site IPsec VPN and NAT. Basically, what I want to achieve is the following:

    ASA2 is at HQ and ASA1 is at a remote site. I have no problem setting up a static site-to-site IPsec VPN between the sites. Hosts residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure NAT with the IPsec VPN so that hosts in 10.1.0.0/16 communicate with hosts in 192.168.1.0/24 using translated addresses.

    Just an example:

    Host N2 (10.1.0.1/16) contacts host N1 (192.168.1.5) using destination address, say, 10.23.1.5, not 192.168.1.5 (notice the last byte is the same in this case, .5).

    The translation stays the same for the rest of the communication (host N2 pings host N3 at destination IP 10.23.1.6, not 192.168.1.6; again the last byte is the same).

    It sounds a bit confusing to me, but I've seen this type of configuration before, when I worked for a managed services provider, where we gave it to our customers (IPsec site-to-site VPN with NAT; I don't know how it was set up).

    Basically we contacted the customer's hosts via the site-to-site VPN, but their real addresses were hidden and we used the translated addresses above, 10.23.1.0/24, instead of the (real) 192.168.1.0/24; the last byte must be the same.

    Grateful if someone can shed some light on this subject.

    Hello

    OK, so I went with the old format of NAT configuration.

    It seems to me that you could do the following:

    • Configure ASA1 with static policy NAT

      • access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    • Because the above is a static policy NAT, the translation will be made only when the destination network is 10.1.0.0/16
    • If you have, for example, a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the custom of the actual PAT configuration interfere with each other
    • On the ASA2 side, you can configure NAT0 / NAT exemption for the 10.1.0.0/16 network as normal
      • access-list INSIDE-SHEEP remark L2LVPN SHEEP
      • access-list INSIDE-SHEEP permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
      • nat (inside) 0 access-list INSIDE-SHEEP
    • You will need to consider that your access-list defining the L2L VPN encrypted traffic must reflect the new NAT network
      • ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0

    I could test this configuration at work tomorrow, but I would like to know if it works.

    Please rate if this was helpful

    -Jouni

  • VPN IPSec with no. - Nat and Nat - No.

    On a PIX 515 running 6.3(5), I currently have an IPSec VPN configured with no-nat, using all public IPs internally and on the remote side. Can I add two hosts to the encryption domain that have private IP addresses and NAT them to a public IP in the same crypto map? What commands would be involved in this?

    Current config:

    -------

    access-list ipsectraffic_boston permit ip host PublicIP11 host PublicIP1
    access-list ipsectraffic_boston permit ip host PublicIP22 host PublicIP2

    access-list outside2_outbound_nat0_acl permit ip host PublicIP host PublicIP

    crypto map mymap 305 match address ipsectraffic_boston
    crypto map mymap 305 set peer IPAdd
    crypto map mymap 305 set transform-set ESP-3DES-SHA
    crypto map mymap 305 set security-association lifetime seconds 86400 kilobytes 4608000

    ---------

    I would like to add two private IPs to the 'ipsectraffic_boston' access-list and have them NATed to a public IP address, as the remote site asks that I don't use private IPs. This would save the effort of adding a public IP address to my internal hosts.

    Thank you

    Dan

    Hello

    If, for example, you have an internal host 192.168.1.1 and you want to NAT it to the public IP address 200.1.1.1

    You can make a static NAT:

    static (inside,outside) 200.1.1.1 192.168.1.1

    And include 200.1.1.1 in the crypto ACL.

    Federico.

  • (semi-urgente) RVS4000 and multiples (same port) NAT'ing

    Hello-

    I have a customer who has one Internet connection and 2 different internal SMTP servers.  Is there a way to NAT public mail/SMTP to each of them?  We have two public IPs.

    Thank you

    Hello Jeff,

    Unfortunately the RVS4000 does not support one-to-one NAT. This limits the router to only being able to use one of the IP addresses that you have.

    If you are interested in a router that supports this feature, I recommend one of the following:

    RV042

    RV120W

    RV220W

  • Site to another with RVS4000 and 2621

    Hey people. I originally had a site-to-site VPN between my PIX 515e and RVS4000, but I wanted to put my router on the edge of my network for greater control of quality of service. I have managed to set up the tunnel, but cannot pass all traffic to the tunnel. The RVS4000 says the tunnel is up, and when I do a "show crypto isakmp sa" on the 2621, I see QM_IDLE, which I think is good.

    My architecture is:

    LAN - RVS4000 (public static IP) - internet - 2621 (public dynamic IP (DHCP)) - LAN

    Here's a copy of my config 2621. My guess is I left something, but can't put my finger on. Any help is appreciated. Thank you!

    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname core_router
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    ip subnet-zero
    ip cef
    !
    ip domain name craig.net
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    !
    ip multicast-routing
    ip audit po max-events 100
    !
    voice service voip
     fax protocol pass-through g711ulaw
     h323
     sip
    !
    username craigrobertlee privilege 15 password 7 XXXXXXXXXXX
    !
    ip ssh time-out 60
    ip ssh source-interface FastEthernet0/1
    ip ssh rsa keypair-name craigkey
    !
    class-map match-all VOIP_TRAFFIC
     match access-group 101
    !
    policy-map VOIP_POLICY
     class VOIP_TRAFFIC
      bandwidth 1000
     class class-default
      fair-queue
    !
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key XXXXXXXX address 174.79.X.X no-xauth
    crypto isakmp keepalive 2800
    !
    crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
    !
    crypto map ROGERS 10 ipsec-isakmp
     set peer 174.79.X.X
     set security-association idle-time 60
     set transform-set SET1
     match address 102
    !
    interface Null0
     no ip unreachables
    !
    interface FastEthernet0/0
     ip address dhcp
     ip nat outside
     speed 100
     full-duplex
     crypto map ROGERS
     service-policy output VOIP_POLICY
    !
    interface FastEthernet0/1
     ip address 192.168.0.1 255.255.255.252
     ip nat inside
     duplex auto
     speed auto
    !
    interface Dialer1
     no ip address
     no cdp enable
    !
    ip nat inside source list 100 interface FastEthernet0/0 overload
    no ip http server
    no ip http secure-server
    ip classless
    ip route 192.168.1.0 255.255.255.0 192.168.0.2
    ip route 192.168.2.0 255.255.255.0 192.168.0.2
    ip route 192.168.3.0 255.255.255.0 192.168.0.2
    !
    access-list 10 permit 192.168.1.254
    access-list 11 permit 192.168.1.10
    access-list 12 permit 192.168.0.0 0.0.255.255
    access-list 12 remark SSH_ACL
    access-list 100 permit ip 192.168.0.0 0.0.255.255 any
    access-list 100 remark Craig_Home_IP_Network
    access-list 101 permit udp any eq 5060 any eq 5060
    access-list 101 remark VOIP_ACL
    access-list 102 permit ip 192.168.0.0 0.0.3.255 192.168.15.0 0.0.0.255
    access-list 102 remark ROGERS_IP_NETWORK
    access-list 110 deny ip 192.168.0.0 0.0.3.255 192.168.15.0 0.0.0.255
    access-list 110 permit ip 192.168.0.0 0.0.3.255 any
    no cdp run
    !
    route-map sheep permit 10
     match ip address 110
    !
    snmp-server community craighome1 RO 11
    snmp-server location Gear closet
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps tty
    snmp-server enable traps xgcp
    snmp-server enable traps isdn call-information
    snmp-server enable traps isdn layer2
    snmp-server enable traps isdn chan-not-avail
    snmp-server enable traps isdn ietf
    snmp-server enable traps hsrp
    snmp-server enable traps config
    snmp-server enable traps entity
    snmp-server enable traps config-copy
    snmp-server enable traps envmon
    snmp-server enable traps bgp
    snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
    snmp-server enable traps ipmulticast
    snmp-server enable traps msdp
    snmp-server enable traps rsvp
    snmp-server enable traps frame-relay
    snmp-server enable traps frame-relay subif
    snmp-server enable traps rtr
    snmp-server enable traps syslog
    snmp-server enable traps stun
    snmp-server enable traps dlsw
    snmp-server enable traps bstun
    snmp-server enable traps dial
    snmp-server enable traps dsp card-status
    snmp-server enable traps atm subif
    snmp-server enable traps pppoe
    snmp-server enable traps ipmobile
    snmp-server enable traps isakmp policy add
    snmp-server enable traps isakmp policy delete
    snmp-server enable traps isakmp tunnel start
    snmp-server enable traps isakmp tunnel stop
    snmp-server enable traps ipsec cryptomap add
    snmp-server enable traps ipsec cryptomap delete
    snmp-server enable traps ipsec cryptomap attach
    snmp-server enable traps ipsec cryptomap detach
    snmp-server enable traps ipsec tunnel start
    snmp-server enable traps ipsec tunnel stop
    snmp-server enable traps ipsec too-many-sas
    snmp-server enable traps voice poor-qov
    snmp-server enable traps dnis
    snmp-server host 192.168.1.10 version 2c craighome1
    !
    line con 0
     login local
    line aux 0
    line vty 0 4
     access-class 12 in
     exec-timeout 0 0
     login local
     transport input ssh
    line vty 5 15
     access-class 12 in
     exec-timeout 0 0
     login local
     transport input ssh
    !
    ntp clock-period 17180394
    ntp server 192.43.244.18
    !
    end

    Hi Robert,

    You use ACL 100 for NAT when you should use ACL 110 or route-map sheep. It seems that you wanted to bypass NAT but forgot to apply it.

    That's what you have:

    ip nat inside source list 100 interface FastEthernet0/0 overload

    That's what you should have instead:

    ip nat inside source list 110 interface FastEthernet0/0 overload

    or

    ip nat inside source route-map sheep interface FastEthernet0/0 overload

    Have fun

    Raga

  • Windows 7 Embedded - routing and NAT functions

    Hi all

    I am about to install a Windows Embedded solution on hardware that has a built-in switch.

    This hardware will essentially have two different networks, LAN (integrated switch) and WAN (independent Ethernet port). (Please note, WAN in this case is not the Internet; it's another network with a different subnet, where the only link is this Windows machine.)

    I need to know if it is possible to activate the functions of routing in Windows Embedded 7 much in the same way, you can do in Windows 7 Ultimate:
    Reference-> wikihow com/Enable-IP-routing

    The main objective is to be able to activate the NAT function where I can the port before any requests from the network individuals of the ports in the LAN or WAN IP.

    I have attached an explanatory diagram of what I need, I hope is clear, I'm not very good in this kind of drawing diagrams...

    Hope someone can help me in this.


    This issue is beyond the scope of this site and must be placed on Technet or MSDN

    http://social.msdn.Microsoft.com/forums/en-us/home

  • Split of static traffic between the VPN and NAT

    Hi all

    We have a VPN from Site to Site that secures all traffic to and from 10.160.8.0/24 to/from 10.0.0.0/8.  It's for everything - including Internet traffic.  However, there is one exception (of course)...

    The part that I can't make work is this: if traffic to 10.160.8.5 (on 80 or 443) comes from the VPN (10.0.0.0/8), then the return traffic must go back through the VPN.  BUT, if traffic on 80 or 443 comes from anywhere else (the Internet, via X.X.X.X which translates to 10.160.8.5), then it needs to be translated back out to the Internet via Gig2.

    I have the following setup (I tried to include just the necessary lines)...

    interface GigabitEthernet2
     ip address Y.Y.Y.Y 255.255.255.0   ! the X.X.X.X and Y.Y.Y.Y are in the same subnet
     ip address X.X.X.X 255.255.255.0 secondary
     ip nat outside
     crypto map ipsec-map-S2S

    interface GigabitEthernet4.2020
     description 2020
     encapsulation dot1Q 2020
     ip address 10.160.8.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly

    ip nat inside source list NAT-outgoing interface GigabitEthernet2 overload
    ip nat inside source static tcp 10.160.8.5 80 X.X.X.X 80 route-map No-NAT extendable
    ip nat inside source static tcp 10.160.8.5 443 X.X.X.X 443 route-map No-NAT extendable

    ip access-list extended NAT-outgoing
     deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq www
     deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq 443
     permit tcp host 10.160.8.5 any eq www
     permit tcp host 10.160.8.5 any eq 443

    ip access-list extended No-NAT
     deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq www
     deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq 443
     permit ip any any

    route-map No-NAT permit 10
     match ip address No-NAT

    With the above configuration, we can get to 10.160.8.5 from the Internet, but cannot reach it over the VPN tunnel (from 10.200.0.0/16).  If I remove the two "ip nat inside source static..." commands, then the opposite happens: I can get to 10.160.8.5 over the VPN tunnel, but I now can't get to it from the Internet.

    How can I get both?  It seems that when I hit the first NAT statement (overload on Gig2), the 'deny' in the NAT-outgoing ACL punts me out of that NAT statement.  It can then process the following NAT statement (one of the "ip nat inside source static..." ones), but the 'deny' in the No-NAT ACL does not seem to punt me out of that NAT statement.  That's my theory anyway (maybe something else is happening?)

    Does this work like that, or am I not understanding something correctly?  It's on a Cisco Cloud Services Router (CSR 1000v).

    Thank you!

    Your netmask is wrong for your 10.0.0.0/8. I wouldn't worry about the port/protocol either, since that can screw you up. A better way to do it would be to deny all IP VPN traffic.

    ip access-list extended NAT-outgoing
     deny ip 10.160.8.0 0.0.0.255 10.0.0.0 0.255.255.255
     ...

    ip access-list extended No-NAT
     deny ip 10.160.8.0 0.0.0.255 10.0.0.0 0.255.255.255
     permit ip any any

    Doc:

    Router to router IPSec with NAT and Cisco Secure VPN Client overload

    Thank you

    Brendan
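
The NAT-exemption ACL suggested in the first thread above (deny LAN-to-VPN-pool traffic before the PAT permit) and the wildcard-mask problem pointed out in this thread both come down to first-match ACL evaluation; the following is an added example, not code from any of the posts, that models how IOS picks "translate" or "exempt" for a packet. Assumptions: protocol and port qualifiers are dropped (every entry is written as `ip`), the standard ACL 1 is rewritten in extended form, and the packet addresses used are constructed sample values.

```python
import ipaddress


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return _int(tokens.pop(0)), 0
    return _int(head), _int(tokens.pop(0))


def parse_ace(line):
    """Parse 'permit|deny ip SRC DST' into (action, src_spec, dst_spec)."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    src, dst = _take_addr(tokens), _take_addr(tokens)
    if tokens:
        raise ValueError(f"trailing tokens in: {line!r}")
    return action, src, dst


def _matches(addr, spec):
    """Wildcard bits set to 1 are ignored; bits set to 0 must be equal."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (_int(addr) & care) == (base & care)


def nat_decision(acl, src, dst):
    """First matching entry wins: permit means translate, deny means exempt."""
    for line in acl:
        action, src_spec, dst_spec = parse_ace(line)
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return "translate" if action == "permit" else "exempt"
    return "exempt"  # implicit deny at the end of every ACL


# First thread, as posted: ACL 1 selects on source only, so replies from the
# LAN to the VPN pool (10.88.0.0/24) are PATed and never reach the client.
PAT_AS_POSTED = ["permit ip 10.0.0.0 0.0.255.255 any"]

# First thread, as suggested in the reply: exempt LAN -> VPN pool, PAT the rest.
PAT_WITH_EXEMPTION = [
    "deny ip 10.0.1.0 0.0.0.255 10.88.0.0 0.0.0.255",
    "permit ip 10.0.1.0 0.0.0.255 any",
]

# CSR 1000v thread, as posted: wildcard 0.0.0.255 only covers
# 10.0.0.0-10.0.0.255, so a VPN peer in 10.200.0.0/16 is not exempted.
SPLIT_AS_POSTED = [
    "deny ip host 10.160.8.5 10.0.0.0 0.0.0.255",
    "permit ip any any",
]

# CSR 1000v thread, as corrected in the reply: wildcard for the whole /8.
SPLIT_CORRECTED = [
    "deny ip 10.160.8.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "permit ip any any",
]

if __name__ == "__main__":
    # Constructed sample packets: (label, ACL, source, destination).
    cases = [
        ("posted PAT, LAN -> VPN client", PAT_AS_POSTED, "10.0.1.20", "10.88.0.5"),
        ("exempting PAT, LAN -> VPN client", PAT_WITH_EXEMPTION, "10.0.1.20", "10.88.0.5"),
        ("exempting PAT, LAN -> Internet", PAT_WITH_EXEMPTION, "10.0.1.20", "8.8.8.8"),
        ("posted wildcard, server -> VPN peer", SPLIT_AS_POSTED, "10.160.8.5", "10.200.0.10"),
        ("fixed wildcard, server -> VPN peer", SPLIT_CORRECTED, "10.160.8.5", "10.200.0.10"),
        ("fixed wildcard, server -> Internet", SPLIT_CORRECTED, "10.160.8.5", "203.0.113.9"),
    ]
    for label, acl, src, dst in cases:
        print(f"{label:38} {src:>12} -> {dst:<12} {nat_decision(acl, src, dst)}")
```
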

  • ASA firewall and Nat

    Hi to everyone.

    I have a firewall asa with the external interface pointing to a router on the subnet 192.168.1.0

    And the inside of the 192.168.0.0 subnet interface

    I want to know whether it is required to configure object NAT between the two interfaces, or whether it is not a prerequisite for having Internet connectivity behind the ASA in the LAN segment.

    Thank you all!

    Hello

    It is not necessary to configure NAT on the ASA, provided your gateway router knows how to route the packets intended for your home network and the router's NAT ACL can be configured to include your home subnet.

    If you have a router in bridge base that cannot be configured with static routes or dynamic routing and cannot have its NAT policy edited, then you need to configure NAT on the ASA.

    see you soon,

    SEB.

  • DynDNS and NAT

    Hello

    Being new to the Cisco field, notably the CLI, I have two small problems that may be related.

    One is that the DDNS update is not done, and the other is that the NAT doesn't work; maybe someone could help me.

    Here is the config of the CISCO881-K9

    !
    ip dhcp update dns both
    no ip bootp server
    no ip domain lookup
    ip domain name dyndns.org
    ip name-server 8.8.8.8
    ip ddns update method dyndns
     DDNS
    !
    ip ddns update method wellmess6780_dyndns
     HTTP
      add http://MyLogin:[email protected]/nic/update?system=dyndns&hostname=&myip=
      remove http://MyLogin:[email protected]/nic/update?system=dyndns&hostname=&myip=
     interval maximum 0 0 30 0
     interval minimum 0 0 30 0
    !
    ip dhcp-client update dns server both
    ip cef
    no ipv6 cef
    !
    license udi pid CISCO881-K9 sn FCZ164091N8
    !
    username thierry privilege 15 secret 4 hxs3I1G5/VfWpIztplmqsbnfWy7MCP3fSM9VloHus 9 q
    !
    interface FastEthernet0
     description LAN
     no ip address
    !
    interface FastEthernet1
     description LAN
     no ip address
    !
    interface FastEthernet2
     description LAN
     no ip address
    !
    interface FastEthernet3
     description LAN
     no ip address
    !
    interface FastEthernet4
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     duplex auto
     speed auto
     pppoe enable group global
     pppoe-client dial-pool-number 1
    !
    interface Vlan1
     description $FW_INSIDE$
     ip address 192.168.16.254 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
    !
    interface Dialer1
     ip ddns update hostname wellmess6780.dyndns.org
     ip ddns update wellmess6780_dyndns
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer idle-timeout 0
     dialer persistent
     ppp authentication chap pap callin
     ppp chap hostname [email protected]
     ppp chap password 7 01125F575611505C38
     ppp ipcp dns request
     no cdp enable
    !
    ip default-gateway 192.168.16.254
    ip forward-protocol nd
    no ip http server
    ip http port 8088
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source static tcp 192.168.16.99 80 interface Dialer1 80
    ip nat inside source static tcp 192.168.16.99 21 interface Dialer1 21
    ip nat inside source static tcp 192.168.16.99 1433 interface Dialer1 1433
    ip nat inside source static tcp 192.168.16.99 3389 interface Dialer1 3389
    ip nat inside source static tcp 192.168.16.99 3160 interface Dialer1 3160
    ip nat inside source list 100 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 FastEthernet4
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    access-list 100 permit ip 192.168.16.0 0.0.0.255 any
    access-list 100 permit ip any any
    no cdp run
    !
    line con 0
     login local
    line aux 0
    line vty 0 4
     access-class 23 in
     privilege level 15
     login local
     transport input telnet ssh
    !
    end

    Hello

    no ip route 0.0.0.0 0.0.0.0 FastEthernet4

    no access-list 100 permit ip any any

    Kind regards.

    Alain

    Remember to rate useful posts.

  • By PAT and NAT VPN

    We have a location from which we want to set up a VPN tunnel to our headquarters.

    At this location, there is a router that does PAT (NAT overloading), and then a few hops further, there is a firewall that does NAT.

    Could this pose a problem for the VPN tunnel?

    Here's a "pattern" of what looks like the connection.

    Customer--> PAT - router-->--> Internet--> CVPN3005 NAT firewall

    I hope you can provide me with an answer.

    The VPN tunnel will not work in your scenario. The second NAT changes the address and the ports you want to use for the VPN tunnel. So port 500 will be translated to a high port and will be rejected at HQ.

  • VRF aware IPSEC and NAT

    Hello world.

    I have a hub router and 2 spoke routers with overlapping LAN IP address ranges.

    ->-10.47.1.0/24 routerA

    /

    172.16.1.0 - VRFR

    \

    -> RouterB-10.47.1.0/24

    I use route-maps to get the different local hosts into the different VRFs on the hub side (no problem).

    I use the VRF-aware IPSEC functionality to get to the different spoke networks without NAT (no problem).

    My main issue is that I have to do NAT on the hub router: I need to translate the hosts on the hub's local LAN to IP addresses defined by the different spoke LAN administrators.

    These NAT ranges may be different / might overlap for the different VRFs.

    My problem is that I have no idea how to get the traffic NATed correctly (after the route-map, before IPSEC).

    If you have an idea / if you solved the problem

    -I would be grateful for a hint of /Clue / THE Solution.

    Thanks in advance

    Jarle

    Hi Nelly,

    I finally found a router to test on it. I'm still trying to make it work with a single site without NAT. Without success so far, the card encryption is not triggered.

    Question: what this line do exactly? IP route vrf VRF1 10.47.2.0 255.255.255.0 200.200.200.1 global

    I guess that's only in the anticipation of your originating stuff.

    In a NAT environment, no, do you still need an ip route vrf command?

    What is the result of your sh ip vrf interface?

    Is this ok for the vrf to be associated only to the loopback interface?

    No clue on how to solve this?

    Regarding your last comment, your crypto map should be OK. Packets are translated before being processed by the encryption engine. See the link

    http://www.Cisco.com/warp/public/556/5.html

    I would try

    interface Ethernet0/0
     ip nat inside

    interface Ethernet1/0
     ip nat outside

    ip nat inside source static network 10.47.1.0 10.47.2.0 /24 vrf VRF1

    Thank you

    Michel

  • RVS4000 and DHCP address

    I have 2 RVS4000s (Version: V2.0.0.3) that acquire their IP address via DHCP from Comcast.

    They work very well on site, but when I look at the status, both report that their IP address is in the 10.1.10.x range, and that is not a Comcast address.

    I guess that would not be a problem, except that it tells DynDNS.org that the non-routable 10.1.10.x is its address, and it is hardcoded in the IPSec setup, so I can't get a working VPN to connect to a 3rd site (with a static IP address).

    Any help greatly appreciated.

    Hello

    Comcast needs to move their device to bridged mode and give you the public IP address on the RVS4000.

    I have had this happen a lot, and it requires just a simple phone call to the Comcast support desk.

    I hope this helps

  • PIX to ASA migration and nat-control

    If I disable Nat-control, does that mean that incoming traffic via my external interface to a routable subnet on a DMZ is not subject to the stateful inspection?

    Hi Jim

    No, it doesn't. You should always allow traffic with access lists, and when a connection is made from the outside to the DMZ, it will always automatically be entered in the state table.

    NAT and stateful inspection are 2 different things.

    HTH

    Jon

  • Tunnel VPN and NAT

    Hello. I'm creating a LAN-to-LAN IPSec VPN tunnel from my ASA5510 to another network, but have hit a bit of an obstacle. My counterpart on the other side has informed me that he already has a VPN tunnel to another company that has the same IP range as my network (10.100.16.0/24) and cannot create the tunnel.

    I was wondering is it possible to use NAT on the VPN tunnel so that traffic that goes from my network over the VPN tunnel gets translated and my counterpart on the other side sees this reflects the range of IP addresses?

    Thanks in advance for any help.

    Hello

    Yes, you can use the same address you already use for internet access.

    Just update your crypto access list to reflect the new address and make sure that the third party does the same.

    Jon
