VPN and NAT

Discussion in 'Cisco' started by RC, Oct 5, 2006.

  1. RC

    RC Guest

    I'm using a router with the IOS Firewall and it's a pretty basic
    configuration providing VPN access to Win XP PCs with Cisco's VPN client and
    a couple of web servers behind the firewall/router.

    The problem shows up when the VPN client tries to connect (using the
    internal address) to a web server that also has a static translation. It
    looks as if the server isn't responding. This occurs on SSL and SMTP as
    well. The common item is the static translation in the router.

    I did a little looking with Ethereal and the server is responding over the
    tunnel, but the source address is the outside, public, address of the server.
    The original request is to the internal address. Like this:

    Source          Destination
    192.168.2.2     192.168.1.10
    64.123.42.10    192.168.2.2

    I'm betting I'm missing something simple. I've included the significant
    portions of the config, what did I miss?

    The use of a route-map in the NAT was one of my attempts to fix the problem;
    it was list 105. The IOS is 12.3(20), and the interface ACLs were removed
    for testing.

    Thanks
    RC

    aaa new-model
    aaa authentication login useraaa local
    aaa authorization network groupaaa local
    aaa session-id common

    ip subnet-zero
    no ip cef

    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2

    crypto isakmp client configuration group VPNclient
     key xxxxxxxxxxx
     dns 192.168.1.xxx
     domain xxxxxxx.xxx
     pool vpnpool
     acl 120

    crypto ipsec transform-set set1 esp-3des esp-md5-hmac

    crypto dynamic-map dynmap 10
     set transform-set set1

    crypto map clientmap client authentication list useraaa
    crypto map clientmap isakmp authorization list groupaaa
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap

    interface Ethernet0/0
     description Internet
     ip address xxx.xxx.xxx.5 255.255.255.248
     ip nat outside
     ip inspect Ethernet_0_0 in
     full-duplex
     crypto map clientmap

    interface Ethernet0/1
     description LAN
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip inspect Ethernet_0_1 in
     full-duplex

    ip local pool vpnpool 192.168.2.1 192.168.2.2
    ip nat inside source route-map nonat interface Ethernet0/0 overload
    ip nat inside source static tcp 192.168.1.8 443 xxx.xxx.xxx.6 443 extendable
    ip nat inside source static tcp 192.168.1.8 25 xxx.xxx.xxx.6 25 extendable
    ip nat inside source static tcp 192.168.1.7 443 xxx.xxx.xxx.7 443 extendable
    ip nat inside source static tcp 192.168.1.7 80 xxx.xxx.xxx.7 80 extendable

    ip classless

    ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.4

    access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 105 permit ip 192.168.1.0 0.0.0.255 any

    access-list 120 permit ip 192.168.1.0 0.0.0.255 any

    route-map nonat permit 10
     match ip address 105

    --
    Posted via a free Usenet account from http://www.teranews.com
    RC, Oct 5, 2006
    #1
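    A small model of why the reply comes back from the public address, added here as an example and not part of RC's post or of IOS itself: the static entries are keyed only on the inside source and port, so a reply headed for the VPN pool through the outside interface (where the crypto map also sits) is rewritten like any other inside-to-outside packet, and the client's TCP stack drops a reply from an address it never sent to. The public addresses are constructed placeholders, and the exempt-network parameter only models the carve-out a route-map would express; the thread does not establish whether that works on this release.

```python
import ipaddress
import re
from dataclasses import dataclass, replace

# Constructed stand-in for the four static translations in the posted config;
# the public side uses TEST-NET placeholders because the post masks them.
STATIC_NAT_CONFIG = """
ip nat inside source static tcp 192.168.1.8 443 203.0.113.6 443 extendable
ip nat inside source static tcp 192.168.1.8 25 203.0.113.6 25 extendable
ip nat inside source static tcp 192.168.1.7 443 203.0.113.7 443 extendable
ip nat inside source static tcp 192.168.1.7 80 203.0.113.7 80 extendable
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def parse_static_nat(config):
    """Return {(inside_ip, inside_port): (global_ip, global_port)}."""
    table = {}
    for line in config.strip().splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            table[(m[1], int(m[2]))] = (m[3], int(m[4]))
    return table

def nat_inside_to_outside(pkt, table, exempt=()):
    """Simplified model (not IOS code) of inside->outside static NAT: the
    inside source is rewritten whenever it matches an entry, whatever the
    destination, unless the destination lies in an exempt network."""
    dst = ipaddress.ip_address(pkt.dst)
    if any(dst in ipaddress.ip_network(n) for n in exempt):
        return pkt
    hit = table.get((pkt.src, pkt.sport))
    if hit is None:
        return pkt
    return replace(pkt, src=hit[0], sport=hit[1])

def reply_mismatch(request, reply):
    """The symptom in the Ethereal trace: reply source != requested address."""
    return reply.src != request.dst or reply.sport != request.dport
```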

  2. RC

    RC Guest

    I'm going INSANE... I've tried everything I can think of: route-maps on
    the static translations, and a route-map identifying only the traffic to be
    translated and routing that through a loopback interface designated as NAT
    outside.

    I'm still thinking my original config should have worked. PLEASE, somebody
    make a suggestion; it certainly can't hurt.

    "RC" <> wrote in message
    news:45247b5c$0$19605$...
    > I'm using a router with the IOS Firewall and it's a pretty basic
    > configuration providing VPN access to Win XP PCs with Cisco's VPN client
    > and a couple of web servers behind the firewall/router.
    >
    > The problem shows up when the VPN client tries to connect (using the
    > internal address) to a web server that also has a static translation. It
    > looks as if the server isn't responding. This occurs on SSL and SMTP as
    > well. The common item is the static translation in the router.
    >
    > I did a little looking with Ethereal and the server is responding over the
    > tunnel, but the source address is the outside, public, address of the
    > server. The original request is to the internal address. Like this:
    >
    > Source          Destination
    > 192.168.2.2     192.168.1.10
    > 64.123.42.10    192.168.2.2
    >
    > I'm betting I'm missing something simple. I've included the significant
    > portions of the config, what did I miss?
    >
    > The use of a route-map in the NAT was one of my attempts to fix the
    > problem; it was list 105. The IOS is 12.3(20), and the interface ACLs were
    > removed for testing.
    >
    > Thanks
    > RC
    >
    > aaa new-model
    > aaa authentication login useraaa local
    > aaa authorization network groupaaa local
    > aaa session-id common
    >
    > ip subnet-zero
    > no ip cef
    >
    > crypto isakmp policy 3
    > encr 3des
    > authentication pre-share
    > group 2
    >
    > crypto isakmp client configuration group VPNclient
    > key xxxxxxxxxxx
    > dns 192.168.1.xxx
    > domain xxxxxxx.xxx
    > pool vpnpool
    > acl 120
    >
    > crypto ipsec transform-set set1 esp-3des esp-md5-hmac
    >
    > crypto dynamic-map dynmap 10
    > set transform-set set1
    >
    > crypto map clientmap client authentication list useraaa
    > crypto map clientmap isakmp authorization list groupaaa
    > crypto map clientmap client configuration address respond
    > crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    >
    > interface Ethernet0/0
    > description Internet
    > ip address xxx.xxx.xxx.5 255.255.255.248
    > ip nat outside
    > ip inspect Ethernet_0_0 in
    > full-duplex
    > crypto map clientmap
    >
    > interface Ethernet0/1
    > description LAN
    > ip address 192.168.1.1 255.255.255.0
    > ip nat inside
    > ip inspect Ethernet_0_1 in
    > full-duplex
    >
    > ip local pool vpnpool 192.168.2.1 192.168.2.2
    > ip nat inside source route-map nonat interface Ethernet0/0 overload
    > ip nat inside source static tcp 192.168.1.8 443 xxx.xxx.xxx.6 443 extendable
    > ip nat inside source static tcp 192.168.1.8 25 xxx.xxx.xxx.6 25 extendable
    > ip nat inside source static tcp 192.168.1.7 443 xxx.xxx.xxx.7 443 extendable
    > ip nat inside source static tcp 192.168.1.7 80 xxx.xxx.xxx.7 80 extendable
    >
    > ip classless
    >
    > ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.4
    >
    > access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    > access-list 105 permit ip 192.168.1.0 0.0.0.255 any
    >
    > access-list 120 permit ip 192.168.1.0 0.0.0.255 any
    >
    > route-map nonat permit 10
    > match ip address 105
    >
    > --
    > Posted via a free Usenet account from http://www.teranews.com
    >

    RC, Oct 5, 2006
    #2