How can I access a service using PAT from the Internet and also access it via VPN?

Posted on 2006-06-25
Last Modified: 2012-06-21
Hello,

I have a Cisco 2801 running 12.4(3b) ADVANCED SECURITY with 2 Fast Ethernet interfaces and only one public IP.

This router connects to the Internet over DSL PPPoE using interface FastEthernet 0/0 via an Efficient Networks SpeedStream 5200 DSL modem in bridge mode (this device can also work as a router).

We currently have 2 Site to Site VPN Tunnels that work fine.

We also need certain services to be accessed directly from the Internet.

For example:

Public IP: 200.67.249.31
LAN Network: 192.168.2.0
SM: 255.255.255.0

ftp://200.67.249.31:21  is forwarded to 192.168.2.154:21

Using PAT:

ip nat inside source static tcp 192.168.2.154 21 interface Dialer0 21

I can access the service from the LAN by ftp://192.168.2.154:21, but I can't access it via the VPN tunnel.

I can only access it if I delete the NAT rule.

How can I access the services both ways?

Here is my config:

(The public IPs are not the real ones and some authentication info was changed to xxxxxx)

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DF
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$oJ3W$0DogrecBoAsz5mswSD8Pz/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authentication login sdm_vpn_xauth_ml_4 local
aaa authentication login sdm_vpn_xauth_ml_5 local
aaa authentication login sdm_vpn_xauth_ml_6 local
aaa authentication login sdm_vpn_xauth_ml_7 local
aaa authentication login sdm_vpn_xauth_ml_8 local
aaa authentication login sdm_vpn_xauth_ml_9 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
aaa authorization network sdm_vpn_group_ml_4 local
aaa authorization network sdm_vpn_group_ml_5 local
aaa authorization network sdm_vpn_group_ml_6 local
aaa authorization network sdm_vpn_group_ml_7 local
aaa authorization network sdm_vpn_group_ml_8 local
aaa authorization network sdm_vpn_group_ml_9 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -6
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.89
ip dhcp excluded-address 192.168.2.116 192.168.2.254
!
ip dhcp pool DF
   import all
   network 192.168.2.0 255.255.255.0
   lease infinite
!
!
ip name-server 200.4.144.117
ip name-server 192.100.183.178
!
!
! crypto pki token xxxxx user-pin ******
!
crypto pki trustpoint TP-self-signed-532503459
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-532503459
 revocation-check none
 rsakeypair TP-self-signed-532503459
!
!
crypto pki certificate chain TP-self-signed-532503459
 certificate self-signed 01 nvram:IOS-Self-Sig#3901.cer
username xxxxxxx privilege 15 view root password 0 xxxxxx
username xxxxxx privilege 15 view SDM_EasyVPN_Remote password = xxxxx
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key xxxxxxxxx address 200.67.50.200 no-xauth
crypto isakmp key xxxxxxxxx address 200.67.77.100 no-xauth
crypto isakmp xauth timeout 15

!
!
crypto ipsec transform-set intertraffic esp-des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to200.67.50.200
 set peer 200.67.50.200
 set transform-set intertraffic
 match address 110
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to200.67.77.124
 set peer 200.67.77.124
 set transform-set intertraffic
 match address 111
!
!
!
interface FastEthernet0/0
 description $ETH-WAN$
 no ip address
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 200.67.249.31 255.255.255.0
 ip access-group 103 in
 ip mtu 1452
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username xxxxxxxx password 0 xxxxxxx
 crypto map SDM_CMAP_1
!
router rip
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.3.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.11 3306 interface Dialer0 3306
ip nat inside source static tcp 192.168.2.11 3000 interface Dialer0 3000
ip nat inside source static tcp 192.168.2.11 3001 interface Dialer0 3001
ip nat inside source static tcp 192.168.2.15 1494 interface Dialer0 1494
ip nat inside source static tcp 192.168.2.15 1433 interface Dialer0 1433
ip nat inside source static tcp 192.168.2.154 21 interface Dialer0 21
ip nat inside source static tcp 192.168.2.4 5900 interface Dialer0 5900
ip nat inside source static tcp 192.168.2.4 5800 interface Dialer0 5800
ip nat inside source static tcp 192.168.2.4 5500 interface Dialer0 5500
ip nat inside source static tcp 192.168.2.5 4899 interface Dialer0 4899
ip nat inside source static udp 192.168.2.5 4899 interface Dialer0 4899
!
logging trap debugging
logging 192.168.2.30
access-list 1 remark INSIDE_IF=FastEthernet0/1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark SDM_ACL Category=2
access-list 100 remark Permite Entrada a VPN Manzanillo IP
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 remark Permite Entrada a VPN Tampico IP
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp any host 200.67.249.31 eq 4899
access-list 103 permit tcp any host 200.67.249.31 eq 4899
access-list 103 permit tcp any host 200.67.249.31 eq 5500
access-list 103 permit tcp any host 200.67.249.31 eq 5800
access-list 103 permit tcp any host 200.67.249.31 eq 5900
access-list 103 permit tcp any host 200.67.249.31 eq ftp
access-list 103 permit tcp any host 200.67.249.31 eq 1433
access-list 103 permit tcp any host 200.67.249.31 eq 1494
access-list 103 permit tcp host 200.67.203.240 host 200.67.249.31 eq 3001
access-list 103 permit tcp any host 200.67.249.31 eq 3000
access-list 103 permit tcp host 69.57.158.96 host 200.67.249.31 eq 3306
access-list 103 permit udp host 192.100.183.178 eq domain host 200.67.249.31
access-list 103 permit udp host 200.4.144.117 eq domain host 200.67.249.31
access-list 103 permit ahp host 200.67.77.100 host 200.67.249.31
access-list 103 permit esp host 200.67.77.100 host 200.67.249.31
access-list 103 permit udp host 200.67.77.100 host 200.67.249.31 eq isakmp
access-list 103 permit udp host 200.67.77.100 host 200.67.249.31 eq non500-isakmp
access-list 103 remark Permite Entrada a VPN Manzanillo IP
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 permit ahp host 200.67.50.200 host 200.67.249.31
access-list 103 permit ahp any host 200.67.249.31
access-list 103 permit esp host 200.67.50.200 host 200.67.249.31
access-list 103 permit esp any host 200.67.249.31
access-list 103 permit udp host 200.67.50.200 host 200.67.249.31 eq isakmp
access-list 103 permit udp any host 200.67.249.31 eq isakmp
access-list 103 permit udp host 200.67.50.200 host 200.67.249.31 eq non500-isakmp
access-list 103 permit udp any host 200.67.249.31 eq non500-isakmp
access-list 103 remark Permite Entrada a VPN Tampico IP
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit icmp any host 200.67.249.31 echo-reply
access-list 103 permit icmp any host 200.67.249.31 time-exceeded
access-list 103 permit icmp any host 200.67.249.31 unreachable
access-list 103 permit tcp any host 200.67.249.31 eq 443
access-list 103 permit tcp any host 200.67.249.31 eq 22
access-list 103 permit tcp any host 200.67.249.31 eq cmd
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 110 remark Permite entrada a VPN Tampico
access-list 110 remark SDM_ACL Category=4
access-list 110 remark Permite Entrada a VPN Tampico IP
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 remark Permite entrada a VPN Manzanillo
access-list 111 remark SDM_ACL Category=4
access-list 111 remark Permite Entrada a VPN Manzanillo IP
access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 3
 transport input telnet ssh
 transport output telnet ssh
line vty 4
 transport input telnet ssh
 transport output telnet ssh
parser view SDM_EasyVPN_Remote
 secret 5 $1$X1SG$C3vV1p0mVGziOWGfoRdaE0
 commands interface include all crypto
 commands interface include all no crypto
 commands interface include no
 commands configure include end
 commands configure include all access-list
 commands configure include all interface
 commands configure include all crypto
 commands configure include ip
 commands configure include no end
 commands configure include all no access-list
 commands configure include all no interface
 commands configure include all no crypto
 commands configure include no ip
 commands configure include no
 commands exec include dir all-filesystems
 commands exec include dir
 commands exec include crypto ipsec client xxxxxxx connect
 commands exec include crypto ipsec client xxxxxxx xauth
 commands exec include crypto ipsec client xxxxxxx
 commands exec include crypto ipsec client
 commands exec include crypto ipsec
 commands exec include crypto
 commands exec include write memory
 commands exec include write
 commands exec include all ping ip
 commands exec include ping
 commands exec include configure terminal
 commands exec include configure
 commands exec include all show
 commands exec include no
 commands exec include all debug appfw
 commands exec include debug
 commands exec include all clear
!
!
end
Question by: innovait

Accepted Solution by: stressedout2004 (earned 500 total points)
ID: 16987190
Make the following changes:

no ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source list 100 interface Dialer0 overload

access-list 120 permit ip host 192.168.2.154 192.168.1.0 0.0.0.255
access-list 120 permit ip host 192.168.2.154 192.168.3.0 0.0.0.255

route-map bypassnat permit 10
 match ip address 120

ip nat inside source static tcp 192.168.2.154 21 interface Dialer0 21 route-map bypassnat

Before you do the first command, make sure you disable the nat inside command on the interface FastEthernet0/1 to avoid locking yourself out of the router, especially if you are doing it remotely.

Author Comment by: innovait
ID: 16995423
First of all, thank you very much for replying.

I tried the solution several times but I couldn't get it to work.

The router sends an error message once I try to associate the bypassnat route map with the static NAT rule; the error is generated exactly where the word "route" from "route-map" starts. I'm not sure, but I think that maybe a route map can't be associated with a static rule.

ip nat inside source static tcp 192.168.2.154 21 interface Dialer0 21 route-map bypassnat

So anyway, I generated a test config that is much easier to understand and to debug, which still has the same problem.

Public IP 1 200.200.200.2 LAN 192.168.2.0 SM 255.255.255.0

Public IP 2 200.200.200.3 LAN 192.168.1.0 SM 255.255.255.0

Service that needs to be accessed: http://192.168.2.2:8080 (this is an example; other services need to be accessed the same way).

PAT address: http://200.200.200.2:8080

With this configuration I can access the web server from 192.168.2.0 (its own LAN) and from the Internet through http://200.200.200.2:8080,

but I can't access the service directly by typing http://192.168.2.2:8080 from the VPN network (200.200.200.3, LAN 192.168.1.0).

Here is the config; thank you in advance.

Could you please comment the possible solution code?

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DF
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 warnings
enable secret 5 $1$BV6.$EJr1ZWTLRogoZc1otd2ni0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -6
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.89
ip dhcp excluded-address 192.168.2.116 192.168.2.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
!
!
ip domain name xxxxxxxxx.com.mx
ip name-server 200.200.200.1
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
! crypto pki token mario user-pin ******
!
crypto pki trustpoint TP-self-signed-532503459
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-532503459
 revocation-check none
 rsakeypair TP-self-signed-532503459
!
!
crypto pki certificate chain TP-self-signed-532503459
 certificate self-signed 01
  quit
username a privilege 15 secret 5 $1$C3ld$LrzMTWY5kgs5Y13LT7HaT/
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key test address 200.200.200.3
!
!
crypto ipsec transform-set test esp-des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to200.200.200.3
 set peer 200.200.200.3
 set transform-set test
 match address 100
!
!
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ETH-LAN$
 ip address 200.200.200.2 255.255.255.0
 ip mask-reply
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description $ES_LAN$$FW_INSIDE$$ETH-LAN$
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
router rip
 network 192.168.2.0
 network 200.200.200.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 200.200.200.1 permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.2.2 8080 interface FastEthernet0/0 8080
!
access-list 100 remark Tells ipsec which traffic to encript
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 remark SDM_ACL Category=16
access-list 110 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255
!
!
control-plane
!
banner login Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
end
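Both the original question (static PAT on port 21 for 192.168.2.154) and the follow-up test config (port 8080 on 192.168.2.2) run into the same ordering problem: on traffic leaving the LAN the static translation is applied before the crypto map ACL is checked, so a server reply headed for a VPN subnet leaves with the public source address and no longer matches the crypto ACL. The Python below is an added model of that decision order, not IOS code and not either poster's configuration; it assumes the bypass route-map carries an ACL that denies the VPN subnets so the translation is skipped for them (the usual NAT-exemption pattern), and the Internet client address 198.51.100.7 is constructed.

```python
import ipaddress

# Constructed model of how the router handles a packet leaving the LAN:
# 1. inside->outside NAT may rewrite the source address/port,
# 2. the crypto map ACL is then matched against the rewritten header.
# Addresses and ACL subnets come from the thread; the bypass ACL semantics
# are an assumption (deny VPN subnets -> translation skipped, permit the rest).

PUBLIC_IP = "200.67.249.31"
LAN = ipaddress.ip_network("192.168.2.0/24")
VPN_SUBNETS = [ipaddress.ip_network("192.168.1.0/24"),   # Tampico, access-list 110
               ipaddress.ip_network("192.168.3.0/24")]   # Manzanillo, access-list 111
# static PAT entries from both posts: (inside host, port) translated to PUBLIC_IP
STATIC_PAT = {("192.168.2.154", 21), ("192.168.2.2", 8080)}


def to_vpn_subnet(dst):
    return any(ipaddress.ip_address(dst) in net for net in VPN_SUBNETS)


def crypto_acl_matches(src, dst):
    """Crypto ACL 110/111: only LAN -> remote VPN subnet traffic is encrypted."""
    return ipaddress.ip_address(src) in LAN and to_vpn_subnet(dst)


def bypass_permits_translation(dst):
    """Assumed NAT-exemption route-map: its ACL denies the VPN subnets,
    so the static translation is skipped for them and applied otherwise."""
    return not to_vpn_subnet(dst)


def egress(src, sport, dst, with_bypass):
    """Return (source address seen on the wire, encrypted?) for a server reply."""
    translate = (src, sport) in STATIC_PAT
    if translate and with_bypass and not bypass_permits_translation(dst):
        translate = False
    wire_src = PUBLIC_IP if translate else src
    return wire_src, crypto_acl_matches(wire_src, dst)


def reply_reaches_client(src, sport, client, with_bypass):
    """An Internet client expects the reply from PUBLIC_IP; a VPN client
    expects it from the inside address and only sees packets that went
    through the tunnel, so an untranslated, unencrypted reply is lost."""
    wire_src, encrypted = egress(src, sport, client, with_bypass)
    if to_vpn_subnet(client):
        return encrypted and wire_src == src
    return wire_src == PUBLIC_IP


if __name__ == "__main__":
    for bypass in (False, True):
        label = "with bypass" if bypass else "no bypass  "
        print(label,
              "internet ftp:", reply_reaches_client("192.168.2.154", 21, "198.51.100.7", bypass),
              "vpn ftp:", reply_reaches_client("192.168.2.154", 21, "192.168.1.10", bypass),
              "vpn http:", reply_reaches_client("192.168.2.2", 8080, "192.168.1.10", bypass))
```

The model covers only the static PAT entries, not the overload rule from route-map SDM_RMAP_1, which the accepted answer already exempts from VPN traffic through access-list 100.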