Solved

I wish to exclude WAN traffic from VPN tunnels being NATed but am not sure of the configuration syntax

Posted on 2007-12-02
Last Modified: 2010-04-21
Hi experts, I have recently purchased a Cisco 1801 IOS 12.4 router to replace a Draytek device (which works quite well except it has no netflow or equivalent functionality). My network consists of a hub site where this device is located and 8 remote sites that are connected via VPN tunnels to this router. The 1800 router also functions as a NAT device that allows outgoing IP sessions from the local LAN such as web browsing and has open ports to allow outside computers to connect to specific servers on the local LAN. Everything works fine except for when computers from the other sites try to connect to any computer/server that has a specific static NAT associated with it. For instance I can ping a web server by name from another site but can't browse to it. I have used sniffers and IOS debug and can confirm that the return packets exist and are being NATed by the router and hence lost. I only have one public IP address and about 13 NAT statements. I won't submit the whole config because I'm sure most of it is sound.
Hub subnet  10.18.0.0/24
remote subnets are 10.18.1-7.0/24

ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 10.18.0.21 23 interface Dialer0 23
ip nat inside source static tcp 10.18.0.22 23 interface Dialer0 2123
ip nat inside source static tcp 10.18.0.22 21 interface Dialer0 2121
ip nat inside source static tcp 10.18.0.21 21 interface Dialer0 21
ip nat inside source static tcp 10.18.0.20 8082 interface Dialer0 8082
ip nat inside source static tcp 10.18.0.20 4125 interface Dialer0 4125
ip nat inside source static tcp 10.18.0.20 3389 interface Dialer0 3389
ip nat inside source static tcp 10.18.0.20 3101 interface Dialer0 3101
ip nat inside source static tcp 10.18.0.20 1723 interface Dialer0 1723
ip nat inside source static tcp 10.18.0.20 444 interface Dialer0 444
ip nat inside source static tcp 10.18.0.20 443 interface Dialer0 443
ip nat inside source static tcp 10.18.0.20 80 interface Dialer0 80
ip nat inside source static tcp 10.18.0.20 25 interface Dialer0 25

access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.18.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.18.0.0 0.0.0.255 10.18.7.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.18.0.0 0.0.0.255 10.18.6.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.18.0.0 0.0.0.255 10.18.5.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.18.0.0 0.0.0.255 10.18.4.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.18.0.0 0.0.0.255 10.18.3.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.18.0.0 0.0.0.255 10.18.2.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.18.0.0 0.0.0.255 10.18.1.0 0.0.0.255
access-list 103 permit ip 10.18.0.0 0.0.0.255 any

route-map SDM_RMAP_1 permit 1
 match ip address 103

Please advise
Question by:pauldunai
LVL 32

Expert Comment

by:harbor235
How is the ACL applied? or where is it applied and in what direction?

The ACL specifies the inside addresses

More info is needed

harbor235 ;}
 

Author Comment

by:pauldunai
Hi harbor235, it is applied in the route-map named SDM_RMAP_1 which is used in the first "ip nat ..." statement. I believe that it is used to determine what not to NAT. Unfortunately I can't see how the route map can be used in all the other "ip nat" statements. I'll post more of the configuration soon. Just need to modify a few "secret bits".
 

Author Comment

by:pauldunai
As requested, the config:


City-rt-1#sh run
Building configuration...

Current configuration : 21619 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname City-rt-1
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $1$//7Y$Mi1T.gmSrVWg6UUJ/xpBv.
!
no aaa new-model
!
resource policy
!
clock timezone Sydney 10
clock summer-time Sydney date Mar 30 2003 3:00 Oct 26 2003 2:00
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.18.0.1 10.18.0.49
ip dhcp excluded-address 10.18.0.80 10.18.0.254
!
ip dhcp pool City_LAN
   import all
   network 10.18.0.0 255.255.255.0
   domain-name xray.local
   dns-server 10.18.0.20
   default-router 10.18.0.1
   netbios-name-server 10.18.0.20
!
!
ip domain name xray.local
ip name-server 10.18.0.20
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
!
appfw policy-name SDM_MEDIUM
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
    audit-trail on
!
!
crypto pki trustpoint TP-self-signed-1419680130
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1419680130
 revocation-check none
 rsakeypair TP-self-signed-1419680130
!
!
crypto pki certificate chain TP-self-signed-1419680130
 certificate self-signed 01
 
  34C33A7C

  quit
username admin privilege 15 secret 5
!
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map sdmappfwp2p_SDM_MEDIUM
 class sdm_p2p_edonkey
 class sdm_p2p_gnutella
 class sdm_p2p_kazaa
 class sdm_p2p_bittorrent
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key nowracity address 101.102.46.111
crypto isakmp key beachescity address 101.102.69.4
crypto isakmp key nowracity address 101.102.58.252
crypto isakmp key bowralcity address 101.102.68.160
crypto isakmp key vauclusecity address 101.102.51.233
crypto isakmp key watsonsbaycity address 101.102.69.2
crypto isakmp key maroubracity address 101.102.72.126
crypto isakmp key eastlakescity address 101.102.34.16
crypto isakmp key warriewoodcity address 101.102.81.232
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to101.102.69.4
 set peer 101.102.69.4
 set transform-set ESP-3DES-SHA1
 match address 104
 qos pre-classify
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to101.102.58.252
 set peer 101.102.58.252
 set transform-set ESP-3DES-SHA2
 match address 105
 qos pre-classify
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Tunnel to101.102.68.160
 set peer 101.102.68.160
 set transform-set ESP-3DES-SHA3
 match address 106
 qos pre-classify
crypto map SDM_CMAP_1 4 ipsec-isakmp
 description Tunnel to101.102.81.232
 set peer 101.102.81.232
 set transform-set ESP-3DES-SHA4
 match address 107
crypto map SDM_CMAP_1 5 ipsec-isakmp
 description Tunnel to101.102.51.233
 set peer 101.102.51.233
 set transform-set ESP-3DES-SHA5
 match address 108
 qos pre-classify
crypto map SDM_CMAP_1 6 ipsec-isakmp
 description Tunnel to101.102.69.2
 set peer 101.102.69.2
 set transform-set ESP-3DES-SHA6
 match address 109
 qos pre-classify
crypto map SDM_CMAP_1 7 ipsec-isakmp
 description Tunnel to101.102.72.126
 set peer 101.102.72.126
 set transform-set ESP-3DES-SHA7
 match address 110
 qos pre-classify
crypto map SDM_CMAP_1 8 ipsec-isakmp
 description Tunnel to101.102.34.16
 set peer 101.102.34.16
 set transform-set ESP-3DES-SHA8
 match address 111
 qos pre-classify
!
!
!
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode adsl2+
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
 ip address 10.18.0.1 255.255.255.0
 ip access-group 100 in
 ip accounting output-packets
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 101.102.118.40 255.255.0.0
 ip access-group 101 in
 ip nat outside
 ip inspect SDM_MEDIUM out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname test@direct.telstra.net
 ppp chap password 0 245254
 ppp pap sent-username test@direct.telstra.net password 0 245254
 crypto map SDM_CMAP_1
 service-policy input sdmappfwp2p_SDM_MEDIUM
 service-policy output sdmappfwp2p_SDM_MEDIUM
!
router rip
 version 2
 passive-interface Vlan1
 network 10.0.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 10.18.0.21 23 interface Dialer0 23
ip nat inside source static tcp 10.18.0.22 23 interface Dialer0 2123
ip nat inside source static tcp 10.18.0.22 21 interface Dialer0 2121
ip nat inside source static tcp 10.18.0.21 21 interface Dialer0 21
ip nat inside source static tcp 10.18.0.20 8082 interface Dialer0 8082
ip nat inside source static tcp 10.18.0.20 4125 interface Dialer0 4125
ip nat inside source static tcp 10.18.0.20 3389 interface Dialer0 3389
ip nat inside source static tcp 10.18.0.20 3101 interface Dialer0 3101
ip nat inside source static tcp 10.18.0.20 1723 interface Dialer0 1723
ip nat inside source static tcp 10.18.0.20 444 interface Dialer0 444
ip nat inside source static tcp 10.18.0.20 443 interface Dialer0 443
ip nat inside source static tcp 10.18.0.20 80 interface Dialer0 80
ip nat inside source static tcp 10.18.0.20 25 interface Dialer0 25
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.18.0.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.18.0.0 0.0.15.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 10.18.0.0 0.0.15.255 host 10.18.0.1 eq telnet
access-list 100 permit tcp 10.18.0.0 0.0.15.255 host 10.18.0.1 eq 22
access-list 100 permit tcp 10.18.0.0 0.0.15.255 host 10.18.0.1 eq www
access-list 100 permit tcp 10.18.0.0 0.0.15.255 host 10.18.0.1 eq 443
access-list 100 permit tcp 10.18.0.0 0.0.15.255 host 10.18.0.1 eq cmd
access-list 100 permit udp host 10.18.0.20 host 10.18.0.1 eq snmp
access-list 100 deny   tcp any host 10.18.0.1 eq telnet
access-list 100 deny   tcp any host 10.18.0.1 eq 22
access-list 100 deny   tcp any host 10.18.0.1 eq www
access-list 100 deny   tcp any host 10.18.0.1 eq 443
access-list 100 deny   tcp any host 10.18.0.1 eq cmd
access-list 100 deny   udp any host 10.18.0.1 eq snmp
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 101.102.81.232 host 101.102.118.40 eq non500-isakmp
access-list 101 permit udp host 101.102.81.232 host 101.102.118.40 eq isakmp
access-list 101 permit esp host 101.102.81.232 host 101.102.118.40
access-list 101 permit ahp host 101.102.81.232 host 101.102.118.40
access-list 101 permit ahp host 101.102.34.16 host 101.102.118.40
access-list 101 permit esp host 101.102.34.16 host 101.102.118.40
access-list 101 permit udp host 101.102.34.16 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.34.16 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.72.126 host 101.102.118.40
access-list 101 permit esp host 101.102.72.126 host 101.102.118.40
access-list 101 permit udp host 101.102.72.126 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.72.126 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.69.2 host 101.102.118.40
access-list 101 permit esp host 101.102.69.2 host 101.102.118.40
access-list 101 permit udp host 101.102.69.2 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.69.2 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.51.233 host 101.102.118.40
access-list 101 permit esp host 101.102.51.233 host 101.102.118.40
access-list 101 permit udp host 101.102.51.233 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.51.233 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.81.231 host 101.102.118.40
access-list 101 permit esp host 101.102.81.231 host 101.102.118.40
access-list 101 permit udp host 101.102.81.231 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.81.231 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.68.160 host 101.102.118.40
access-list 101 permit esp host 101.102.68.160 host 101.102.118.40
access-list 101 permit udp host 101.102.68.160 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.68.160 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.58.252 host 101.102.118.40
access-list 101 permit esp host 101.102.58.252 host 101.102.118.40
access-list 101 permit udp host 101.102.58.252 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.58.252 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.69.4 host 101.102.118.40
access-list 101 permit esp host 101.102.69.4 host 101.102.118.40
access-list 101 permit udp host 101.102.69.4 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.69.4 host 101.102.118.40 eq non500-isakmp
access-list 101 remark IPSec Rule  For Eastlakes VPN
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.34.16 any eq non500-isakmp
access-list 101 permit udp host 101.102.34.16 any eq isakmp
access-list 101 permit esp host 101.102.34.16 any
access-list 101 permit ahp host 101.102.34.16 any
access-list 101 remark IPSec Rule  For Maroubra VPN
access-list 101 permit ip 10.18.7.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.72.126 any eq non500-isakmp
access-list 101 permit udp host 101.102.72.126 any eq isakmp
access-list 101 permit esp host 101.102.72.126 any
access-list 101 permit ahp host 101.102.72.126 any
access-list 101 remark IPSec Rule For Watsons Bay VPN
access-list 101 permit ip 10.18.6.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.69.2 any eq non500-isakmp
access-list 101 permit udp host 101.102.69.2 any eq isakmp
access-list 101 permit esp host 101.102.69.2 any
access-list 101 permit ahp host 101.102.69.2 any
access-list 101 remark IPSec Rule for Vaucluse VPN
access-list 101 permit ip 10.18.5.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.51.233 any eq non500-isakmp
access-list 101 permit udp host 101.102.51.233 any eq isakmp
access-list 101 permit esp host 101.102.51.233 any
access-list 101 permit ahp host 101.102.51.233 any
access-list 101 remark IPSec Rule for Warriewood VPN
access-list 101 permit ip 10.18.4.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.81.231 any eq non500-isakmp
access-list 101 permit udp host 101.102.81.231 any eq isakmp
access-list 101 permit esp host 101.102.81.231 any
access-list 101 permit ahp host 101.102.81.231 any
access-list 101 remark IPSec Rule For Bowral VPN
access-list 101 permit ip 10.18.3.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.68.160 any eq non500-isakmp
access-list 101 permit udp host 101.102.68.160 any eq isakmp
access-list 101 permit esp host 101.102.68.160 any
access-list 101 permit ahp host 101.102.68.160 any
access-list 101 remark IPSec Rule for Nowra VPN
access-list 101 permit ip 10.18.2.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.58.252 any eq non500-isakmp
access-list 101 permit udp host 101.102.58.252 any eq isakmp
access-list 101 permit esp host 101.102.58.252 any
access-list 101 permit ahp host 101.102.58.252 any
access-list 101 remark IPSec Rule for Beaches VPN
access-list 101 permit ip 10.18.1.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.69.4 any eq non500-isakmp
access-list 101 permit udp host 101.102.69.4 any eq isakmp
access-list 101 permit esp host 101.102.69.4 any
access-list 101 permit ahp host 101.102.69.4 any
access-list 101 remark Open ports
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 2123
access-list 101 permit tcp any any eq 2121
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 8082
access-list 101 permit tcp any any eq 4125
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 3101
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 444
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp
access-list 101 deny   ip 10.18.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.18.0.0 0.0.0.255 10.18.2.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.18.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.18.0.0 0.0.0.255 10.18.7.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.18.0.0 0.0.0.255 10.18.6.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.18.0.0 0.0.0.255 10.18.5.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.18.0.0 0.0.0.255 10.18.4.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.18.0.0 0.0.0.255 10.18.3.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.18.0.0 0.0.0.255 10.18.2.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.18.0.0 0.0.0.255 10.18.1.0 0.0.0.255
access-list 103 permit ip 10.18.0.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.18.0.0 0.0.0.255 10.18.1.0 0.0.0.255
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.18.0.0 0.0.0.255 10.18.2.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.18.0.0 0.0.0.255 10.18.3.0 0.0.0.255
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.18.0.0 0.0.0.255 10.18.4.0 0.0.0.255
access-list 108 remark SDM_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 10.18.0.0 0.0.0.255 10.18.5.0 0.0.0.255
access-list 109 remark SDM_ACL Category=4
access-list 109 remark IPSec Rule
access-list 109 permit ip 10.18.0.0 0.0.0.255 10.18.6.0 0.0.0.255
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 10.18.0.0 0.0.0.255 10.18.7.0 0.0.0.255
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 10.18.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 112 remark Auto generated by SDM Management Access feature
access-list 112 remark SDM_ACL Category=1
access-list 112 permit ip 10.18.0.0 0.0.15.255 any
access-list 113 remark Auto generated by SDM Management Access feature
access-list 113 remark SDM_ACL Category=1
access-list 113 permit ip 10.18.0.0 0.0.15.255 any
dialer-list 1 protocol ip permit
snmp-server community xray RO
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Authorised Access Only. Disconnect immediately if you are not
an authorised user
-----------------------------------------------------------------------


^C
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 112 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 113 in
 privilege level 15
 login local
 transport input telnet ssh
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

City-rt-1#
 
LVL 32

Expert Comment

by:harbor235
The only IP address that would allow port 80 traffic through and that has a valid translation for port 80 is 10.108.0.20, does this box have a web server running? There is also a translation for 8082, is that a backup web port? If so it is for the same server 10.108.0.20, is that the box you are trying to browse to? From my first look at your lengthy config it seems that you can only browse to 10.108.0.20 on ports 80 or 8082, is that what you are doing?

You also have CBAC running but you are not inspecting HTTP, is that what you want to do?

harbor235 ;}
 

Author Comment

by:pauldunai
Yes, 10.18.0.20 has a web server (+ several other ports). It can be accessed from the local LAN (10.18.0.0/24) and the internet (using NAT). It can't be accessed from any other WAN/VPN subnet because the packets get NATed on their return. This happens for any TCP session started from the WAN/VPN subnets (10.18.1.0/24, 10.18.2.0/24 etc) for which a static NAT has been configured. Another way to put it: given my current configuration I could access the server 10.18.0.20 from the WAN/VPN subnets on all ports except the ones being NATed.
 
LVL 32

Expert Comment

by:harbor235
I see now, you are doing overload NAT and static NAT simultaneously. This can be done but there are some restrictions. I would try using a different global address for your static NATs.


Here is a good link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml

harbor235 ;}
 

Author Comment

by:pauldunai
Ok I have made progress although I have some limitations. I should mention I only have 1 external IP address to play with.
I have replaced all "ip nat" commands with the following two:
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static  10.18.0.20 101.102.118.40 route-map SDM_RMAP_1

This lets me access all servers internally from the private subnets and local LAN (no NAT), and 1 server, 10.18.0.20, from the Internet using static NAT. The thing I can't do is open up ports to another internal server (10.18.0.21 & 22) from the Internet. It looks like I may need another external IP address as you suggest above.
I can do this with my $250 Draytek but unfortunately not with the Cisco 1801. Do you see another option?
 
LVL 32

Expert Comment

by:harbor235
Have you tried excluding the servers .20 and .21 explicitly so they are never overload NAT'd?

access-list 103 deny ip 10.18.0.20 0.0.0.0 any
access-list 103 deny ip 10.18.0.21 0.0.0.0 any

Make sure you add these before this line:
access-list 103 permit ip 10.18.0.0 0.0.0.255 any

Also, what version of code are you using?

harbor235 ;}
 

Author Comment

by:pauldunai
harbor235, I'm not sure how that would help. Would that not exclude 10.18.0.21 & 22 from any form of NAT, i.e. these 2 machines would have no way of communicating outside of the private network, even for sessions initiated from the inside?

What I really would need is to be able to attach a route-map to the following line and similar ones.

ip nat inside source static tcp 10.18.0.21 23 interface Dialer0 23

because the static NAT (1 to 1) that I use (below) prevents me putting in any other static NAT statements without an additional IP address (for another 1 to 1 mapping)

ip nat inside source static  10.18.0.20 101.102.118.40 route-map SDM_RMAP_1


IOS version 12.4. Unfortunately I can't verify exactly the variant. The router is new and I believe it was an "enhancement from the basic version for the 1801, same as the 1841 etc.", sorry.
 
LVL 32

Accepted Solution

by:
harbor235 earned 200 total points
Yep, you are correct, however if you craft another route-map and separate ACL this will work, or it is at least worth testing. It will not work in your config because you are using the same route-map and ACL.

harbor235 ;}
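A constructed Python model of the NAT decision this thread is debugging (added here as an illustration; it is not IOS code and not from either participant): it reproduces ACL 103 from the question as a Cisco wildcard-mask ACL and shows why an unconditional static entry translates 10.18.0.20's reply to a VPN subnet before the crypto map sees it, while a route-map-gated entry leaves the reply alone and the ICMP reply never matched a static entry in the first place. The names StaticNat, translate_source and leaves_via_tunnel are the model's own, the ping/HTTP packets are constructed, and whether a given IOS release accepts a route-map on a particular static NAT form is not modelled.

```python
"""Constructed model of the hub router's inside->outside NAT decision.

Not IOS code: it reproduces the wildcard-mask ACL 103 from the question and
shows why an unconditional static entry translates a server's reply to a
VPN subnet before the crypto map sees it, while a route-map-gated entry
does not. Port selection for overload (PAT) is simplified to 'keep port'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Rule = Tuple[str, str, str, str, str]  # (action, src, src-wildcard, dst, dst-wildcard)
DIALER0_IP = "101.102.118.40"           # the single public address from the thread


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)


def acl_permits(acl: List[Rule], src: str, dst: str) -> bool:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


# ACL 103 as posted: deny (= do not NAT) hub->VPN subnets, then permit hub->any.
VPN_SUBNETS = ["192.168.1.0"] + [f"10.18.{n}.0" for n in range(7, 0, -1)]
ACL_103: List[Rule] = [("deny", "10.18.0.0", "0.0.0.255", net, "0.0.0.255")
                       for net in VPN_SUBNETS]
ACL_103.append(("permit", "10.18.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"))

# Crypto ACL 104 from the config: hub LAN <-> the 10.18.1.0/24 site.
CRYPTO_ACL_104: List[Rule] = [("permit", "10.18.0.0", "0.0.0.255", "10.18.1.0", "0.0.0.255")]


@dataclass
class StaticNat:
    """One 'ip nat inside source static tcp ... interface Dialer0 ...' entry (model)."""
    local_ip: str
    local_port: int
    global_port: int
    route_map_acl: Optional[List[Rule]] = None  # None = unconditional, as originally posted


# Two of the thirteen static entries from the question, in both forms.
ORIGINAL_STATICS = [StaticNat("10.18.0.20", 80, 80), StaticNat("10.18.0.21", 23, 23)]
GATED_STATICS = [StaticNat("10.18.0.20", 80, 80, ACL_103), StaticNat("10.18.0.21", 23, 23, ACL_103)]

Packet = Tuple[str, Optional[int], str]  # (src ip, src port or None for ICMP, dst ip)


def translate_source(pkt: Packet, statics: List[StaticNat], overload_acl: List[Rule]):
    """Return the (src ip, src port) that the outside world and the crypto map see."""
    src, sport, dst = pkt
    # Static entries take precedence over the dynamic overload rule. Without a
    # route-map they fire on an address/port match alone, whatever the destination.
    for s in statics:
        if s.local_ip == src and s.local_port == sport:
            if s.route_map_acl is None or acl_permits(s.route_map_acl, src, dst):
                return (DIALER0_IP, s.global_port)
            return (src, sport)
    if acl_permits(overload_acl, src, dst):  # dynamic PAT via route-map SDM_RMAP_1
        return (DIALER0_IP, sport)
    return (src, sport)


def leaves_via_tunnel(pkt: Packet, statics: List[StaticNat], overload_acl: List[Rule]) -> bool:
    """Inside->outside NAT runs before the crypto map, so the crypto ACL is
    evaluated against the post-NAT source; a translated reply no longer
    matches 10.18.0.0/24 -> 10.18.1.0/24 and leaves the router unencrypted."""
    src, sport, dst = pkt
    new_src, _ = translate_source(pkt, statics, overload_acl)
    return acl_permits(CRYPTO_ACL_104, new_src, dst)


if __name__ == "__main__":
    reply = ("10.18.0.20", 80, "10.18.1.5")         # web server answering a VPN client
    ping_reply = ("10.18.0.20", None, "10.18.1.5")  # ICMP: no port, so no static match
    for label, statics in (("original", ORIGINAL_STATICS), ("route-map gated", GATED_STATICS)):
        print(label, "http reply ->", translate_source(reply, statics, ACL_103),
              "tunnel:", leaves_via_tunnel(reply, statics, ACL_103))
        print(label, "ping reply ->", translate_source(ping_reply, statics, ACL_103),
              "tunnel:", leaves_via_tunnel(ping_reply, statics, ACL_103))
```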
 

Author Closing Comment

by:pauldunai
Thanks harbor235 for your answers and feedback. I have gone down the path of acquiring more public IP addresses. This should make life easier all round. I think I can easily configure it with multiple IPs.
