This lab example covers a router where NAT and a VPN are enabled on the same outside interface, and both must remain usable at the same time.
ip access-list extended NAT
permit ip 10.1.0.0 0.0.255.255 any
interface g0/1
ip nat inside
!
interface g0/0
ip nat outside
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
IOSv14#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/26 ms
IOSv14#ping 10.18.21.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.18.21.21, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
IOSv14#ping 10.1.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.4.4, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
R3#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 103.0.0.3:628 10.1.14.14:628 10.3.11.3:628 10.3.11.3:628
icmp 103.0.0.3:629 10.1.14.14:629 1.1.1.1:629 1.1.1.1:629
icmp 103.0.0.3:630 10.1.14.14:630 10.1.4.4:630 10.1.4.4:630
icmp 103.0.0.3:631 10.1.14.14:631 10.18.21.21:631 10.18.21.21:631
The pings that previously worked now fail because of the order of operations a router goes through for inside-to-outside traffic: route, then NAT, then encryption. The router is translating traffic that it should not be translating; the NAT table above shows the VPN destinations (10.1.4.4 and 10.18.21.21) being translated to 103.0.0.3, so by the time the crypto check runs the packets no longer match the VPN traffic. The fix is to add deny statements to the NAT ACL for each remote VPN subnet so that traffic bypasses translation.
ip access-list extended NAT
1 deny ip 10.1.0.0 0.0.255.255 10.1.4.0 0.0.0.255
2 deny ip 10.1.0.0 0.0.255.255 10.18.21.0 0.0.0.255
3 deny ip 10.1.0.0 0.0.255.255 10.8.18.0 0.0.0.255
4 deny ip 10.1.0.0 0.0.255.255 10.10.20.0 0.0.0.255
5 deny ip 10.1.0.0 0.0.255.255 10.20.23.0 0.0.0.255
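The following is an added worked example (not part of the lab page) that models the route, NAT, then crypto order of operations in a few lines of Python. It implements Cisco wildcard-mask matching and first-match ACL evaluation, then runs the lab's own NAT ACL before and after the deny lines are added. The crypto ACL is an assumption, since the page shows only the NAT ACL: it is taken to permit the inside 10.1.0.0/16 to each of the five remote subnets named in the deny statements. The inside global address 103.0.0.3 and the host addresses come from the lab output.

```python
"""Model of IOS inside-to-outside packet handling when NAT and IPsec share
the outside interface: routing, then NAT, then the crypto map check.
Added example; the crypto ACL is an assumption, the addresses are the lab's."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "network wildcard" or "any"
    dst: str     # "network wildcard" or "any"


def _wild_match(addr: str, spec: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if _wild_match(src, ace.src) and _wild_match(dst, ace.dst):
            return ace.action
    return "deny"


INSIDE = "10.1.0.0 0.0.255.255"
REMOTE_SUBNETS = (
    "10.1.4.0 0.0.0.255",
    "10.18.21.0 0.0.0.255",
    "10.8.18.0 0.0.0.255",
    "10.10.20.0 0.0.0.255",
    "10.20.23.0 0.0.0.255",
)

# NAT ACL as it was before the fix (the lab's original single permit line).
NAT_BEFORE = [Ace("permit", INSIDE, "any")]

# NAT ACL after the fix: deny the VPN subnets first, then permit everything else.
NAT_AFTER = [Ace("deny", INSIDE, d) for d in REMOTE_SUBNETS] + [Ace("permit", INSIDE, "any")]

# Assumed crypto ACL (not shown on the lab page): interesting traffic is the
# inside /16 to each remote site, untranslated.
CRYPTO = [Ace("permit", INSIDE, d) for d in REMOTE_SUBNETS]

INSIDE_GLOBAL = "103.0.0.3"  # PAT address on g0/0 from the NAT translation table


def forward(nat_acl, src: str, dst: str):
    """Return (source address on the wire, 'ipsec' or 'clear') for one packet."""
    # 1. Routing: every destination here leaves via g0/0, so nothing to decide.
    # 2. NAT inside->outside: translate the source if the NAT ACL permits it.
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = INSIDE_GLOBAL
    # 3. Crypto map check runs on the post-NAT packet.
    path = "ipsec" if acl_lookup(CRYPTO, src, dst) == "permit" else "clear"
    return src, path


if __name__ == "__main__":
    for label, acl in (("before fix", NAT_BEFORE), ("after fix", NAT_AFTER)):
        for dst in ("1.1.1.1", "10.1.4.4", "10.18.21.21"):
            print(label, "10.1.14.14 ->", dst, forward(acl, "10.1.14.14", dst))
```

With the original ACL, a packet from 10.1.14.14 to 10.1.4.4 is translated to 103.0.0.3 and then fails the crypto check, which is exactly the 103.0.0.3:630 entry in the translation table and the unreachable pings. With the deny lines in place the same packet keeps its inside source, matches the crypto ACL and is encrypted, while Internet-bound traffic to 1.1.1.1 is still translated in both cases.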
IOSv14#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 17/36/54 ms
IOSv14#ping 10.1.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 45/68/108 ms
IOSv14#ping 10.18.21.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.18.21.21, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 63/65/68 ms
IOSv14#ping 10.8.18.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.8.18.18, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 31/42/69 ms
IOSv14#ping 10.10.20.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.20.20, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 37/45/59 ms
IOSv14#ping 10.20.23.23
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.23.23, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 38/47/66 ms
R3#show ip access-lists NAT
Extended IP access list NAT
1 deny ip 10.1.0.0 0.0.255.255 10.1.4.0 0.0.0.255 (18 matches)
2 deny ip 10.1.0.0 0.0.255.255 10.18.21.0 0.0.0.255 (5 matches)
3 deny ip 10.1.0.0 0.0.255.255 10.8.18.0 0.0.0.255 (5 matches)
4 deny ip 10.1.0.0 0.0.255.255 10.10.20.0 0.0.0.255 (5 matches)
5 deny ip 10.1.0.0 0.0.255.255 10.20.23.0 0.0.0.255 (5 matches)
10 permit ip 10.1.0.0 0.0.255.255 any (44 matches)