

   comp.dcom.vpn      VPN protocols, clients, awesomeness      2,349 messages   


   Message 617 of 2,349   
   TEM to Suppa Lamah   
   Re: Cisco 837 to Cisco 837 VPN, ping OK,   
   19 Dec 03 13:15:06   
   
   XPost: comp.dcom.sys.cisco   
   From: temartin@shtc.net   
      
   I think the following will cover it.   
      
   ! Loopback with a "fake" subnet. 172.16.1.2 is an unused address on it
   ! that exists only so the route-map has a next hop to send traffic to.
   interface Loopback1
    ip address 172.16.1.1 255.255.255.0
   !
   ! Ethernet0 is the LAN side on the 837 and the 804, so the policy map is
   ! applied to traffic as it arrives from the 192.168.1.0/24 hosts.
   interface Ethernet0
    ip policy route-map nonat
   !
   route-map nonat permit 10
    match ip address 120
    set ip next-hop 172.16.1.2
   !
   ! VPN ("interesting") traffic. The remote LAN here must be the same one
   ! the deny line of ACL 102 names; as posted, this says 10.1.1.0 and the
   ! deny says 10.10.10.0, so put the real remote subnet in both places.
   access-list 120 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
   !
   ! "overload" added: without it the interface address is a one-to-one
   ! pool and only one inside host can be translated at a time. The interface
   ! named here should be the WAN side (ATM0/Dialer on the 837, not
   ! Ethernet0), and the LAN/WAN interfaces need "ip nat inside" and
   ! "ip nat outside", which this fragment omits.
   ip nat inside source list 102 interface e0 overload
   !
   access-list 102 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
   access-list 102 permit ip 192.168.1.0 0.0.0.255 any

   where the responding LAN is the 192 address and the 10 address is the
   initiating address.

   The idea is to block VPN traffic from the outbound interface (and NAT) and
   route it to the loopback. The VPN traffic goes to the loopback, comes back
   out to the outbound interface and is not recognized as needing NAT.

   I'm sure this is not the most graceful way to do it but it worked for me.

   "Suppa Lamah"  wrote in message
   news:qjrEb.12707$wM.872385@news1.tin.it...
   > Tem, this could be the real thing. I didn't use a loopback either,
   > although I saw it used in Cisco router configurations regarding the same
   > ISP's ADSL connections, because I could not fully understand its
   > mechanics, so I decided to stick with the little knowledge I had and to
   > configure my ADSL with just an ATM0.1 sub-interface.
   >
   > Could you please retrieve the example you cited and send me some
   > references?
   > Thanks in advance.
   >
   > Suppa Lamah
   >
   >
   > "TEM"  wrote in message
   > news:H8qEb.173938$I53.6757801@twister.southeast.rr.com...
   > > I had a similar problem with an 837 to 804 VPN. The examples that I
   > > followed did not include a loopback address on the responding router to
   > > bypass the NAT translation. If you are also using NAT for Internet
   > > traffic, you have to use a loopback interface with a "fake" IP and a
   > > route map to route interesting traffic away from the NAT. I found an
   > > example on cisco.com
   > >
   > >
   > > "Suppa Lamah"  wrote in message
   > > news:6HhEb.9934$wM.695404@news1.tin.it...
   > > > I successfully (at least I thought so) created an IPSec connection
   > > > between two 12.2 IOS Cisco 837-K9.
   > > >
   > > > I followed step-by-step several Cisco documents and FAQ, and I had,
   > > > after several tries, the ISAKMP SAs up and running, and the traffic
   > > > correctly routed via NAT or thrown in the VPN tunnel.
   > > >
   > > > My PC clients on the separate, private networks (192.168.0.0 and
   > > > 192.168.1.0) are able to both navigate the Internet via NAT, and ping
   > > > the hosts on the other side of the VPN connection. I also checked for
   > > > known MTU problems, and I can use 15,000-byte ICMP packets going in
   > > > and out without losing any.
   > > >
   > > > What I cannot do is... anything else! :)
   > > >
   > > > I see any connection requesting more than a given, short amount of
   > > > resources (cannot tell if a number of open ports is the issue, or,
   > > > much more probable, some timeout on TCP connections) just fails.
   >
   >
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
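The two access lists in TEM's fragment have to describe the same VPN traffic, and the post does not say which of 10.1.1.0 and 10.10.10.0 is the real remote LAN. The script below is an added example, not code from the post or from Cisco: it parses extended access-list lines, applies IOS first-match semantics, and reports any policy-routed ("interesting") flow that the NAT list would still translate. That matters because on IOS inside-to-outside traffic is translated before the crypto map's ACL is consulted, so a flow that reaches a permit line in the NAT list leaves the WAN interface with the public source address, unencrypted, and never matches the tunnel. POSTED_CONFIG copies the three access-list lines from the message above; FIXED_CONFIG is a constructed variant with the deny corrected to the same subnet; the function names parse_acls, first_match and nat_exemption_gaps are my own.

```python
"""Check that the NAT exemption really covers the VPN interesting traffic.

Added example, not code from the post or from Cisco. It understands only the
extended 'access-list N permit|deny ip SRC DST' form the post uses, where SRC
and DST are 'any', 'host A', or 'A WILDCARD'.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[str, Net, Net]  # (action, source, destination)

# Copied from the message above: ACL 120 is the policy-routed VPN traffic,
# ACL 102 the NAT list. Note the two different 10.x destinations.
POSTED_CONFIG = """
access-list 120 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
"""

# Constructed variant: the deny names the same remote LAN as ACL 120.
FIXED_CONFIG = """
access-list 120 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 deny   ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
"""


def _parse_addr(tok: List[str], i: int) -> Tuple[Net, int]:
    """Parse one IOS address spec starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask after the slash, which is exactly an IOS
    # wildcard; strict=False masks host bits the way IOS does. A
    # non-contiguous wildcard raises ValueError, which we let propagate.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acls(config: str) -> Dict[int, List[Entry]]:
    """Return {acl_number: [entries...]} preserving configuration order."""
    acls: Dict[int, List[Entry]] = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        if tok[2] not in ("permit", "deny"):
            continue
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)
        acls.setdefault(int(tok[1]), []).append((tok[2], src, dst))
    return acls


def first_match(entries: List[Entry], src: Net, dst: Net) -> Optional[Entry]:
    """IOS evaluates an ACL top down and stops at the first line that matches.

    Return the first entry that matches any part of the src->dst flow, or
    None for the implicit deny at the end of every ACL.
    """
    for entry in entries:
        if entry[1].overlaps(src) and entry[2].overlaps(dst):
            return entry
    return None


def nat_exemption_gaps(config: str, interesting_acl: int, nat_acl: int) -> List[str]:
    """List every interesting flow that the NAT ACL would (partly) translate.

    An empty list means each permit line of the interesting ACL hits a deny
    line of the NAT ACL that fully covers it, so no VPN-bound packet is
    translated before the crypto map sees it.
    """
    acls = parse_acls(config)
    gaps: List[str] = []
    for action, src, dst in acls.get(interesting_acl, []):
        if action != "permit":
            continue
        hit = first_match(acls.get(nat_acl, []), src, dst)
        if hit is None:
            continue  # implicit deny: never translated
        h_action, h_src, h_dst = hit
        covered = src.subnet_of(h_src) and dst.subnet_of(h_dst)
        if h_action == "deny" and covered:
            continue  # properly exempt from NAT
        why = "matches permit" if h_action == "permit" else "only partly covered by deny"
        gaps.append(f"{src} -> {dst}: {why} '{h_action} {h_src} {h_dst}' in ACL {nat_acl}")
    return gaps


if __name__ == "__main__":
    for name, cfg in (("as posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        gaps = nat_exemption_gaps(cfg, interesting_acl=120, nat_acl=102)
        print(f"{name}: {'OK, VPN traffic exempt from NAT' if not gaps else gaps}")
```

Run against the posted lines it reports the 192.168.1.0/24 -> 10.1.1.0/24 flow falling through to the permit line; with the deny corrected it reports nothing. The same check applies to the tidier IOS idiom of a route-map on the `ip nat inside source` statement, since that route-map's ACL has to deny the same flows.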



(c) 1994,  bbs@darkrealms.ca