Cisco 2811 VPN NATting

Discussion in 'Cisco' started by Anthony J. Biacco, May 24, 2007.

    Hi,

    I have Cisco VPN clients connecting to a Cisco 2811 to access private
    IP corporate resources.
    However, now I need them to access some internet-based IPs (our
    production network) over the VPN tunnels.
    This means enabling VPN clients to hit the internet through the 2811,
    which means NATing of their traffic out, since the VPN client IPs are
    private.

    I cannot figure out how to accomplish this. The connections to the
    now-secure routes to the internet-based IPs time out. ICMP from the VPN
    clients will hit nothing beyond the outside interface (Dialer1). I
    suspect it's something regarding the VPN clients coming in on the
    outbound interface (Dialer1) and then trying to go out that same
    interface to hit the internet-based IPs and not getting NATted.

    Can someone explain to me what I might be missing here?

    Here are the relevant parts of my config. If you think other parts are
    relevant, I can provide those as well.

    Thanx.

    xxx.xxx.xxx = Corporate public IPs
    zzz.zzz.zzz = Production public IPs
    yyy.yyy.yyy = Default internet route
    192.168.167 = VPN client IPs
    192.168.168 = Corporate DMZ
    10.10.10 = Corporate Trust

    interface Dialer1
    description $FW_OUTSIDE$
    bandwidth 7000
    ip address xxx.xxx.xxx.206 255.255.255.240
    ip access-group 104 in
    ip nat outside
    ip inspect SDM_LOW out
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer idle-timeout 0
    dialer persistent
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname MYUSERNAME
    ppp chap password 0 MYPASSWORD
    ppp pap sent-username MYUSERNAME password 0 MYPASSWORD
    crypto map SDM_CMAP_1
    !
    ip local pool SDM_POOL_1 192.168.167.2 192.168.167.10
    ip route 0.0.0.0 0.0.0.0 yyy.yyy.yyy.yyy permanent
    ip route 10.0.0.0 255.0.0.0 192.168.192.1 permanent
    !
    !
    ip nat pool outsidepool xxx.xxx.xxx.195 xxx.xxx.xxx.204 netmask 255.255.255.240
    ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
    ip nat inside source static 192.168.168.2 xxx.xxx.xxx.193 route-map SDM_RMAP_3
    ip nat inside source static 10.10.10.2 xxx.xxx.xxx.194 route-map SDM_RMAP_2
    !
    route-map SDM_RMAP_1 permit 1
    match ip address 100
    !
    access-list 100 remark SDM_ACL Category=2
    access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.2
    access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.3
    access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.4
    access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.5
    access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.6
    access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.7
    access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.8
    access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.9
    access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.10
    access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.2
    access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.3
    access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.4
    access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.5
    access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.6
    access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.7
    access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.8
    access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.9
    access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.10
    access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.2
    access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.3
    access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.4
    access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.5
    access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.6
    access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.7
    access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.8
    access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.9
    access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.10
    access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.2
    access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.3
    access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.4
    access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.5
    access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.6
    access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.7
    access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.8
    access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.9
    access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.10
    access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.2
    access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.3
    access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.4
    access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.5
    access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.6
    access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.7
    access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.8
    access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.9
    access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.10
    access-list 100 deny ip any host 192.168.167.2
    access-list 100 deny ip any host 192.168.167.3
    access-list 100 deny ip any host 192.168.167.4
    access-list 100 deny ip any host 192.168.167.5
    access-list 100 deny ip any host 192.168.167.6
    access-list 100 deny ip any host 192.168.167.7
    access-list 100 deny ip any host 192.168.167.8
    access-list 100 deny ip any host 192.168.167.9
    access-list 100 deny ip any host 192.168.167.10
    access-list 100 deny ip host 192.168.168.2 any
    access-list 100 deny ip host 10.10.10.2 any
    access-list 100 permit ip 192.168.168.0 0.0.0.255 any
    access-list 100 permit ip 10.1.0.0 0.0.3.255 any
    access-list 100 permit ip 10.10.10.0 0.0.0.255 any
    access-list 100 permit ip 10.2.0.0 0.0.3.255 any
    access-list 100 permit ip 192.168.167.0 0.0.0.255 any

    -Tony
     
    Anthony J. Biacco, May 24, 2007
    #1
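As an added illustration (not code from the post), the following rebuilds ACL 100 from the configuration above and applies the classic IOS NAT rule that `ip nat inside source` only translates flows entering an `ip nat inside` interface and leaving an `ip nat outside` one. It assumes that domain rule and uses a constructed address, 203.0.113.10, in place of a zzz.zzz.zzz production IP.

```python
"""Added example: rebuild ACL 100 from the post and check which flows
classic IOS 'ip nat inside source route-map ...' would translate."""
import ipaddress

# ACL 100 reconstructed from the post: each deny source repeats for pool hosts .2-.10.
VPN_HOSTS = [f"192.168.167.{h}" for h in range(2, 11)]
DENY_SOURCES = ["192.168.168.0 0.0.0.255", "10.11.0.0 0.0.3.255",
                "10.10.10.0 0.0.0.255", "10.2.0.0 0.0.3.255",
                "10.1.0.0 0.0.3.255", "any"]
ACL_100 = [f"access-list 100 deny ip {src} host {h}"
           for src in DENY_SOURCES for h in VPN_HOSTS]
ACL_100 += ["access-list 100 deny ip host 192.168.168.2 any",
            "access-list 100 deny ip host 10.10.10.2 any",
            "access-list 100 permit ip 192.168.168.0 0.0.0.255 any",
            "access-list 100 permit ip 10.1.0.0 0.0.3.255 any",
            "access-list 100 permit ip 10.10.10.0 0.0.0.255 any",
            "access-list 100 permit ip 10.2.0.0 0.0.3.255 any",
            "access-list 100 permit ip 192.168.167.0 0.0.0.255 any"]

def _take(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ipaddress accepts a Cisco wildcard as a host mask after the slash
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def acl_decision(acl, src, dst):
    """First-match evaluation of 'access-list 100 <action> ip SRC DST';
    traffic matching no entry hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, tokens = line.split()[2], line.split()[4:]
        if s in _take(tokens) and d in _take(tokens):
            return action
    return "deny"

def nat_translated(src, dst, ingress_role, egress_role):
    """Classic inside-source NAT (assumed domain rule): translate only if the
    route-map ACL permits the flow AND it goes inside -> outside. Decrypted VPN
    client traffic enters and leaves Dialer1 (outside), so it is never a
    candidate even though ACL 100 permits 192.168.167.0/24 to any."""
    return (acl_decision(ACL_100, src, dst) == "permit"
            and ingress_role == "inside" and egress_role == "outside")

def sample_flows():
    """Constructed flows; 203.0.113.10 stands in for a zzz.zzz.zzz production IP."""
    internet = "203.0.113.10"
    return {"dmz_to_internet": nat_translated("192.168.168.5", internet, "inside", "outside"),
            "vpn_to_internet": nat_translated("192.168.167.3", internet, "outside", "outside"),
            "dmz_to_vpn_client": nat_translated("192.168.168.5", "192.168.167.3", "inside", "outside")}
```

The ACL permits the VPN client flow, so the missing translation is explained by the NAT domains, not by the route-map; the DMZ-to-VPN-client flow is correctly denied and stays untranslated inside the tunnel.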
