I originally had:
ip nat inside source list 35 interface Ethernet0/1 overload
access-list 35 permit 192.168.38.0 0.0.0.255
This NATs everything sourced from the 192.168.38.0/24 subnet, which is basically everything. We needed to stop NATing packets destined for the VPN but keep NATing everything else.
Marty created a new extended access list that denies (not really denies, just excludes from NAT) anything going through the VPN and permits everything else (which gets NATed). The deny line has to come before the permit line because the list is evaluated top down and the first match wins.
ip nat inside source list 150 interface Ethernet0/1 overload
access-list 150 deny ip 192.168.38.0 0.0.0.255 192.168.47.0 0.0.0.255
access-list 150 permit ip 192.168.38.0 0.0.0.255 any
Access list 35 should be removed from the config since it is no longer used, but I haven't done it yet.
On the Shamrock side, Marty added a line that did the same thing, only in PIX lingo:
nat (inside) 0 access-list crypto-sham <-- this was added to not NAT the VPN traffic
nat (inside) 1 0.0.0.0 0.0.0.0 0 0 <-- this was already here to NAT everything
access-list crypto-sham permit ip 192.168.47.0 255.255.255.0 192.168.38.0 255.255.255.0
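To check that the two configurations above actually agree on which flows are exempt, here is an added example (not from the original post) that models the match logic in Python: IOS wildcard masks and first-match ACL evaluation with the implicit deny at the end, the PIX subnet-mask form used by nat (inside) 0, and the old source-only access-list 35 for comparison. The sample flows are constructed, and the script models only the ACL decision, not the real IOS/PIX translation engine.

```python
import ipaddress


def _ip(s):
    """Dotted-quad string to integer."""
    return int(ipaddress.IPv4Address(s))


def match_wildcard(ip, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(ip) & care) == (_ip(base) & care)


def match_netmask(ip, base, netmask):
    """PIX/ASA ACLs use ordinary subnet masks: a 1 bit in the mask must match."""
    mask = _ip(netmask)
    return (_ip(ip) & mask) == (_ip(base) & mask)


# Entries are (action, src, src_mask, dst, dst_mask).
# dst=None marks a standard (source-only) ACL line, as in access-list 35.
IOS_ACL_35 = [("permit", "192.168.38.0", "0.0.0.255", None, None)]

IOS_ACL_150 = [
    ("deny",   "192.168.38.0", "0.0.0.255", "192.168.47.0", "0.0.0.255"),
    ("permit", "192.168.38.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),  # "any"
]

PIX_ACL_CRYPTO_SHAM = [
    ("permit", "192.168.47.0", "255.255.255.0", "192.168.38.0", "255.255.255.0"),
]


def acl_lookup(acl, src, dst, matcher):
    """Evaluate an ACL top down; first match wins, no match is an implicit deny."""
    for action, s, sm, d, dm in acl:
        if matcher(src, s, sm) and (d is None or matcher(dst, d, dm)):
            return action
    return "deny"


def ios_will_nat(acl, src, dst):
    """'ip nat inside source list <acl> ... overload' translates only what the list permits."""
    return acl_lookup(acl, src, dst, match_wildcard) == "permit"


def pix_will_nat(src, dst):
    """'nat (inside) 0 access-list crypto-sham' exempts what the list permits;
    'nat (inside) 1 0.0.0.0 0.0.0.0' then translates everything that is left."""
    exempt = acl_lookup(PIX_ACL_CRYPTO_SHAM, src, dst, match_netmask) == "permit"
    return not exempt


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.7 is a documentation address standing in for the Internet.
    ios_flows = [("192.168.38.10", "192.168.47.20"), ("192.168.38.10", "203.0.113.7")]
    for src, dst in ios_flows:
        print(f"IOS  {src:>14} -> {dst:<14} "
              f"list 35: NAT={ios_will_nat(IOS_ACL_35, src, dst)!s:<5} "
              f"list 150: NAT={ios_will_nat(IOS_ACL_150, src, dst)}")
    pix_flows = [("192.168.47.5", "192.168.38.9"), ("192.168.47.5", "203.0.113.7")]
    for src, dst in pix_flows:
        print(f"PIX  {src:>14} -> {dst:<14} NAT={pix_will_nat(src, dst)}")
    # Swapping the two lines of list 150 shows why order matters: the permit shadows the deny.
    shadowed = acl_lookup(list(reversed(IOS_ACL_150)), "192.168.38.10", "192.168.47.20", match_wildcard)
    print(f"list 150 with lines reversed, VPN flow: {shadowed}")
```

Running it shows list 35 translating the VPN flow while list 150 leaves it alone, the PIX exempting the mirror-image flow, and the reversed list 150 permitting (and so NATing) the VPN traffic again, which is the misconfiguration to watch for when editing these lists.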