scoir
asked on
Connecting to IIS through Cisco VPN client that has also been configured for outside access to port 80
Hi
I have a site with an MS 2003 server that runs Exchange and a Cisco 837 router that has the VPN client set up on it.
I have enabled port 80 translation on the router to enable outside access to Outlook Web Access, but this stops access to port 80 when using the internal address through the VPN client, i.e. to run their intranet through the VPN client:
ip nat inside source static tcp 192.168.1.1 80 202.76.x.x 80 extendable
The VPN access range is 192.168.9.0/24.
I don't want the intranet to be available through the outside address, and I only have one outside address available to me. Do you know of any way of getting this to work?
Cheers
ASKER
Hi Dean,
Router config, with the external IP address changed and passwords removed.
The issue, I think, is that port 80 traffic coming from the VPN LAN is being routed back out the external address. If I remove the line below, port 80 access from a VPN client session works, but then obviously there is no direct outside access:
ip nat inside source static tcp 192.168.1.4 80 202.76.1.1 80 extendable
Cheers
Scott
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname aaa
!
boot-start-marker
boot-end-marker
!
enable secret 7 aaa
!
username aaa password 7 aaa
aaa new-model
!
!
aaa authentication login vtyauth line
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
!
no ip domain lookup
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp key aaa address 202.45.1.1 no-xauth
!
crypto isakmp client configuration group aaa_vpn_group
key aaa
dns 192.168.1.4
domain aaa.local
pool vpn_client_pool
acl 199
split-dns aaa.local
!
!
crypto ipsec transform-set ipsec-set1 esp-3des esp-sha-hmac
!
crypto dynamic-map ipsec-dynmap1 10
set transform-set ipsec-set1
!
!
crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list groupauthor
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic ipsec-dynmap1
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/35
oam-pvc manage
oam retry 3 3 10
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
bandwidth 640
no ip address
duplex auto
speed auto
!
interface Dialer0
bandwidth 640
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname aaa@aaa.com
ppp chap password 7 aaa
ppp ipcp dns request
crypto map vpnmap
!
ip local pool vpn_client_pool 192.168.9.1 192.168.9.254
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.3.0 255.255.255.0 192.168.1.254
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 192.168.1.4 25 202.76.1.1 25 extendable
ip nat inside source static tcp 192.168.1.4 80 202.76.1.1 80 extendable
!
access-list 1 permit any
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 101 permit ip any any
access-list 198 permit tcp host 203.19.252.1 host 202.76.1.1 eq smtp
access-list 198 deny tcp any any eq smtp
access-list 198 permit ip any any
access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 199 permit ip 192.168.3.0 0.0.0.255 192.168.9.0 0.0.0.255
dialer-list 1 protocol ip permit
snmp-server community public RO
snmp-server enable traps tty
no cdp run
!
route-map nonat permit 10
match ip address 101
!
radius-server host 192.168.1.4 auth-port 1645 acct-port 1646 key 7 aaa
radius-server host 192.168.1.4 alias 192.168.1.1
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
end
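A toy model of the NAT decision the router makes for replies leaving Ethernet0 (ip nat inside) towards Dialer0 (ip nat outside), built from the two static entries, the overload entry and access-list 101 in the config above. This is an added illustration, not the router's code or anything from the thread; it assumes the usual IOS behaviour that a static entry is applied unconditionally while the overload entry is gated by route-map nonat, and it uses a constructed VPN client address 192.168.9.10.

```python
from ipaddress import ip_address, ip_network

# access-list 101 as written on the page: deny LAN -> VPN pool, permit the rest.
ACL_101 = [
    ("deny",   "192.168.1.0/24", "192.168.9.0/24"),
    ("deny",   "192.168.3.0/24", "192.168.9.0/24"),
    ("permit", "0.0.0.0/0",      "0.0.0.0/0"),
]

# Static port entries from the config: (inside local ip, port) -> (inside global ip, port).
STATIC_TCP = {
    ("192.168.1.4", 25): ("202.76.1.1", 25),
    ("192.168.1.4", 80): ("202.76.1.1", 80),
}
OUTSIDE_IP = "202.76.1.1"  # the substituted outside address used on the page


def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end, as IOS ACLs work."""
    for action, s_net, d_net in acl:
        if ip_address(src) in ip_network(s_net) and ip_address(dst) in ip_network(d_net):
            return action == "permit"
    return False


def translate_inside_to_outside(src_ip, src_port, dst_ip, statics=STATIC_TCP):
    """Source (ip, port) the far end sees for a packet leaving via Dialer0.
    Static entries win and ignore the route-map; the overload entry is gated by ACL 101."""
    if (src_ip, src_port) in statics:
        return statics[(src_ip, src_port)]
    if acl_permits(ACL_101, src_ip, dst_ip):
        return (OUTSIDE_IP, src_port)  # PAT; the port choice is simplified here
    return (src_ip, src_port)          # matched a deny in 101: sent untranslated


def vpn_session_works(statics=STATIC_TCP, client_ip="192.168.9.10"):
    """A VPN client connected to 192.168.1.4:80 only accepts replies from that
    same address and port; a rewritten reply breaks the TCP session."""
    return translate_inside_to_outside("192.168.1.4", 80, client_ip, statics) == ("192.168.1.4", 80)


# Constructed scenario: the config as posted, and the config with the port 80 line removed.
WITHOUT_PORT80 = {k: v for k, v in STATIC_TCP.items() if k[1] != 80}
```

With the posted config the model returns False for the VPN session and True once the port 80 static line is removed, which is exactly the trade-off the post describes.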
ASKER CERTIFIED SOLUTION
ASKER
Thanks
That worked fine
Cheers
Scott
I am glad I was able to help.
Dean