Velocity Reviews - Computer Hardware Reviews

VPN and NAT

RC
Guest
10-05-2006
I'm using a router with the IOS Firewall and it's a pretty basic
configuration providing VPN access to Win XP PCs with Cisco's VPN client and
a couple of web servers behind the firewall/router.

The problem shows up when the VPN client tries to connect (using the
internal address) to a web server that also has a static translation. It
looks as if the server isn't responding. This occurs on SSL and SMTP as
well. The common item is the static translation in the router.

I did a little looking with Ethereal and the server is responding over the
tunnel, but the source address is the outside, public, address of the server.
The original request is to the internal address. Like this:

Source          Destination
192.168.2.2     192.168.1.10
64.123.42.10    192.168.2.2

I'm betting I'm missing something simple. I've included the significant
portions of the config, what did I miss?

The use of a route-map in the NAT was one of my attempts to fix the problem;
it was list 105. The IOS is 12.3(20), and the interface ACLs were removed
for testing.

Thanks
RC

aaa new-model
aaa authentication login useraaa local
aaa authorization network groupaaa local
aaa session-id common

ip subnet-zero
no ip cef

crypto isakmp policy 3
encr 3des
authentication pre-share
group 2

crypto isakmp client configuration group VPNclient
key xxxxxxxxxxx
dns 192.168.1.xxx
domain xxxxxxx.xxx
pool vpnpool
acl 120

crypto ipsec transform-set set1 esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10
set transform-set set1

crypto map clientmap client authentication list useraaa
crypto map clientmap isakmp authorization list groupaaa
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

interface Ethernet0/0
description Internet
ip address xxx.xxx.xxx.5 255.255.255.248
ip nat outside
ip inspect Ethernet_0_0 in
full-duplex
crypto map clientmap

interface Ethernet0/1
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip inspect Ethernet_0_1 in
full-duplex

ip local pool vpnpool 192.168.2.1 192.168.2.2
ip nat inside source route-map nonat interface Ethernet0/0 overload
ip nat inside source static tcp 192.168.1.8 443 xxx.xxx.xxx.6 443 extendable
ip nat inside source static tcp 192.168.1.8 25 xxx.xxx.xxx.6 25 extendable
ip nat inside source static tcp 192.168.1.7 443 xxx.xxx.xxx.7 443 extendable
ip nat inside source static tcp 192.168.1.7 80 xxx.xxx.xxx.7 80 extendable

ip classless

ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.4

access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any

access-list 120 permit ip 192.168.1.0 0.0.0.255 any

route-map nonat permit 10
match ip address 105

--
Posted via a free Usenet account from http://www.teranews.com
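A small model of the inside-to-outside NAT step described in the post, added here as an example (it is not the poster's config or any Cisco code): it shows why the server's reply to the VPN client leaves with the public address, since the static entries as posted carry no route-map exemption, and what changes when the same route-map nonat guards them. The 203.0.113.x addresses stand in for the masked xxx.xxx.xxx.5/.6, and the `route-map` keyword on a static entry is an assumption, not something the post confirms.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed stand-ins for the post's masked public addresses xxx.xxx.xxx.5/.6.
OUTSIDE_IF = "203.0.113.5"
PUBLIC_6 = "203.0.113.6"
LAN, VPN_POOL = "192.168.1.0/24", "192.168.2.0/24"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def in_net(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def route_map_nonat(pkt: Packet) -> bool:
    """access-list 105 via route-map nonat: LAN -> VPN pool is denied
    (left untranslated); any other LAN-sourced traffic is permitted."""
    if in_net(pkt.src, LAN) and in_net(pkt.dst, VPN_POOL):
        return False
    return in_net(pkt.src, LAN)

@dataclass(frozen=True)
class StaticRule:
    inside: str
    inside_port: int
    outside: str
    route_map: object = None  # None = static entry exactly as posted

def inside_to_outside_nat(pkt: Packet, statics: list) -> Packet:
    """Model the inside->outside NAT step a packet hits on its way to Ethernet0/0.
    The VPN pool is reachable only via that interface, so the server's reply to
    192.168.2.2 takes this path before the crypto map encrypts it."""
    for r in statics:  # static entries are consulted before the dynamic rule
        if pkt.src == r.inside and pkt.sport == r.inside_port:
            if r.route_map is None or r.route_map(pkt):
                return replace(pkt, src=r.outside)  # static translation applied
            break  # exempted by the static entry's route-map; try dynamic rule
    # 'ip nat inside source route-map nonat interface Ethernet0/0 overload'
    return replace(pkt, src=OUTSIDE_IF) if route_map_nonat(pkt) else pkt

# Static entry for 192.168.1.8:443 exactly as posted (no route-map) ...
AS_POSTED = [StaticRule("192.168.1.8", 443, PUBLIC_6)]
# ... and the same entry guarded by route-map nonat (assumed syntax:
# 'ip nat inside source static tcp ... route-map nonat extendable').
WITH_ROUTE_MAP = [StaticRule("192.168.1.8", 443, PUBLIC_6, route_map_nonat)]
```

Running the reply packet through AS_POSTED reproduces the Ethereal capture in the post (public source address toward 192.168.2.2), while Internet-bound traffic from the same server is translated identically under both rule sets.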

RC
Guest
10-05-2006
I'm going INSANE......I've tried everything I can think of: route-maps on
the static translations, a route-map identifying only the traffic to be
translated and routing that through a loopback interface designated as NAT
outside.

I'm still thinking my original config should have worked. PLEASE, somebody
make a suggestion; it certainly can't hurt.
