Connecting to IIS through Cisco VPN client that has also been configured for outside access to port 80

Hi

I have a site with an MS 2003 server that runs Exchange and a Cisco 837 router that has the VPN client set up on it.
I have enabled port 80 translation on the router to enable outside access to Outlook Web Access, but this stops access to port 80 when using the internal address through the VPN client, i.e. to run their intranet through the VPN client:

ip nat inside source static tcp 192.168.1.1 80 202.76.x.x 80 extendable

The VPN access range is 192.168.9.0/24.

I don't want the intranet to be available through the outside address, and I only have one outside address available to me. Do you know of any way of getting this to work?

Cheers
scoir Asked:
NetoMeter Screencasts Commented:
Can you post your router configuration?

Dean
scoir (Author) Commented:
Hi Dean,

Router config with the external IP address changed and passwords removed.


The issue, I think, is that port 80 traffic coming from the VPN LAN is being routed back out the external address. If I remove the line below, port 80 access from a VPN client session works, but then obviously there is no direct outside access.

ip nat inside source static tcp 192.168.1.4 80 202.76.1.1 80 extendable

Cheers

Scott
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname aaa
!
boot-start-marker
boot-end-marker
!
enable secret 7 aaa
!
username aaa password 7 aaa
aaa new-model
!
!
aaa authentication login vtyauth line
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
!
no ip domain lookup
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key aaa address 202.45.1.1 no-xauth
!
crypto isakmp client configuration group aaa_vpn_group
 key aaa
 dns 192.168.1.4
 domain aaa.local
 pool vpn_client_pool
 acl 199
 split-dns aaa.local
!
!
crypto ipsec transform-set ipsec-set1 esp-3des esp-sha-hmac
!
crypto dynamic-map ipsec-dynmap1 10
 set transform-set ipsec-set1
!
!
crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list groupauthor
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic ipsec-dynmap1
!
!
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  oam-pvc manage
  oam retry 3 3 10
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 bandwidth 640
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 bandwidth 640
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname aaa@aaa.com
 ppp chap password 7 aaa
 ppp ipcp dns request
 crypto map vpnmap
!
ip local pool vpn_client_pool 192.168.9.1 192.168.9.254
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.3.0 255.255.255.0 192.168.1.254
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 192.168.1.4 25 202.76.1.1 25 extendable
ip nat inside source static tcp 192.168.1.4 80 202.76.1.1 80 extendable
!
access-list 1 permit any
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 101 permit ip any any
access-list 198 permit tcp host 203.19.252.1 host 202.76.1.1 eq smtp
access-list 198 deny   tcp any any eq smtp
access-list 198 permit ip any any
access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 199 permit ip 192.168.3.0 0.0.0.255 192.168.9.0 0.0.0.255
dialer-list 1 protocol ip permit
snmp-server community public RO
snmp-server enable traps tty
no cdp run
!
route-map nonat permit 10
 match ip address 101
!
radius-server host 192.168.1.4 auth-port 1645 acct-port 1646 key 7 aaa
radius-server host 192.168.1.4 alias 192.168.1.1
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end
NetoMeter Screencasts Commented:
Hi!
You are right.
I think that what actually happens is that the static translation for the mail server takes precedence over the route-map for the Dialer0 overload. As far as I remember, static translations always take precedence in such cases, and more specific static rules take precedence over more general ones.

Here are the changes which I would recommend you try:

ip nat inside source static tcp 192.168.1.4 25 202.76.1.1 25 route-map tointernet
ip nat inside source static tcp 192.168.1.4 80 202.76.1.1 80 route-map tointernet

route-map tointernet permit 10
match ip address 102


access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any

Of course, examine the above carefully because I’ve written it quickly and most probably there are errors.

Best Regards,

Dean
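Added example, not part of the thread above: a small Python model of how the router decides whether to translate a packet leaving the inside interface, useful for sanity-checking ACL 102 from the accepted answer before pasting it into a live router. It assumes IOS consults static entries before the dynamic "overload" entry, evaluates ACLs first-match with an implicit deny, and applies a route-map-gated static entry only when its ACL permits the packet; it also assumes Dialer0 negotiates 202.76.1.1. The outside client 203.0.113.5 is constructed test data; everything else is taken from the posted config. PAT port selection is not modelled.

```python
"""Model of the inside->outside NAT decision on the Cisco 837 above.

Added example (not from the thread). Assumptions: static NAT entries are
consulted before the dynamic overload entry; ACLs are first-match with an
implicit deny; a route-map on a static entry gates that entry. Dialer0 is
assumed to hold 202.76.1.1; 203.0.113.5 is a constructed outside client.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")  # IOS keyword "any"
DIALER_IP = "202.76.1.1"              # assumed negotiated Dialer0 address


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Ace:
    """One access-list entry: permit/deny src src-wc dst dst-wc."""
    action: str
    src: tuple
    dst: tuple


def acl_permits(acl: list, src: str, dst: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action == "permit"
    return False


@dataclass(frozen=True)
class StaticPortNat:
    local_ip: str
    local_port: int
    global_ip: str
    global_port: int
    route_map_acl: Optional[list] = None  # None: unconditional entry


def translate(src_ip: str, src_port: int, dst_ip: str, statics: list,
              nonat_acl: list, dialer_ip: str) -> tuple:
    """Return the source ip/port a packet carries after inside->outside NAT."""
    # Static translations are consulted first (the precedence Dean describes).
    for s in statics:
        if (src_ip, src_port) != (s.local_ip, s.local_port):
            continue
        if s.route_map_acl is None or acl_permits(s.route_map_acl, src_ip, dst_ip):
            return (s.global_ip, s.global_port)
    # Then the dynamic overload entry, gated by route-map nonat (ACL 101).
    if acl_permits(nonat_acl, src_ip, dst_ip):
        return (dialer_ip, src_port)  # PAT; port rewriting is not modelled
    return (src_ip, src_port)         # exempt: leaves untranslated (VPN traffic)


# ACL 101 from the posted config: route-map nonat for the overload entry.
ACL_101 = [
    Ace("deny", ("192.168.1.0", "0.0.0.255"), ("192.168.9.0", "0.0.0.255")),
    Ace("deny", ("192.168.3.0", "0.0.0.255"), ("192.168.9.0", "0.0.0.255")),
    Ace("permit", ANY, ANY),
]
# ACL 102 from the accepted answer: route-map tointernet for the statics.
ACL_102 = [
    Ace("deny", ("192.168.1.0", "0.0.0.255"), ("192.168.9.0", "0.0.0.255")),
    Ace("permit", ("192.168.1.0", "0.0.0.255"), ANY),
]
BEFORE = [StaticPortNat("192.168.1.4", 80, "202.76.1.1", 80)]           # original
AFTER = [StaticPortNat("192.168.1.4", 80, "202.76.1.1", 80, ACL_102)]   # with route-map


def web_reply_source(client_ip: str, statics: list) -> tuple:
    """Source address a client sees on the OWA server's port-80 reply."""
    return translate("192.168.1.4", 80, client_ip, statics, ACL_101, DIALER_IP)


if __name__ == "__main__":
    for label, statics in (("before", BEFORE), ("after", AFTER)):
        for client in ("192.168.9.10", "203.0.113.5"):
            print(label, client, web_reply_source(client, statics))
```

With the original unconditional static entry, a VPN client at 192.168.9.10 that connected to 192.168.1.4 gets its SYN-ACK back from 202.76.1.1:80, so its TCP stack discards it; with ACL 102 on the entry, the reply keeps 192.168.1.4 as its source for the VPN pool and is still translated to 202.76.1.1 for an outside client. Note that ACL 102 only needs to cover 192.168.1.4, so the 192.168.3.0/24 exemption present in ACL 101 is not required there.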
scoir (Author) Commented:
Thanks

That worked fine.

Cheers
Scott
NetoMeter Screencasts Commented:
I am glad I was able to help.

Dean