1stopit
asked on
Santiy Check setting up Inbound NAT and excluding from VPN traffic.
Folks,
We have a customer with an 1841 in their head office with 800 series boxes in site offices. All advanced IP based IOS.
When setting up the 1841 we get internet access fine, and get all the VPN's working a treat... no problems thus far. However, when we configured inbound NAT/PAT translations we end up not being able to pass the equivalent ports/traffic across the VPN. For example, SMTP email is fed to the main office to an Exchange 2k3 box which then routes emails for the branch offices by SMTP over VPN's to sub-Exchange boxes... but the traffic gets blocked in that we cannot connect to the SMTP server in the main site, from the remote offices - but the main site can connect to the remote SMTP servers in the site offices with no problems.
On checking the WWW for this issue, it became clear we had an issue with correct routing of packets due to combined overloading and NAT/PAT'ing of the same WAN interface.... so we've changed our config to the following one. This cannot be tested inhouse as the box is to be sent to our client to try out, but we just wanted to sanity check it for anything obvious.
Thanks in advance.
We have a customer with an 1841 in their head office with 800 series boxes in site offices. All advanced IP based IOS.
When setting up the 1841 we get internet access fine, and get all the VPN's working a treat... no problems thus far. However, when we configured inbound NAT/PAT translations we end up not being able to pass the equivalent ports/traffic across the VPN. For example, SMTP email is fed to the main office to an Exchange 2k3 box which then routes emails for the branch offices by SMTP over VPN's to sub-Exchange boxes... but the traffic gets blocked in that we cannot connect to the SMTP server in the main site, from the remote offices - but the main site can connect to the remote SMTP servers in the site offices with no problems.
On checking the WWW for this issue, it became clear we had an issue with correct routing of packets due to combined overloading and NAT/PAT'ing of the same WAN interface.... so we've changed our config to the following one. This cannot be tested inhouse as the box is to be sent to our client to try out, but we just wanted to sanity check it for anything obvious.
Thanks in advance.
Do your remote office Exchange servers use the private or public IP address of the main site Exchange server? If it is using the public IP address, try reconfiguring the remote office Exchange server(s) to reference the private IP address of the main site Exchange server and see if that helps...
ASKER
All servers communicate over VPN's using private IP's only.
To recap the issue... VPN traffic in itself routes fine... only traffic inbound to central 1841 (config as given) from remote 800 boxes using any ports which are PAT'd from internet to servers behind 1841 on main site cannot flow.
ie: Go to remote server (behind a 800) and telnet to main exchange server on port 25 (SMTP) over VPN and we get black screen and flashing cursor... so server has picked up connection request... but nothing more. If we remove the inbound PAT from 1841's internet side to main Exchange box on main site... connection attempt works fine. Therefore I suspect return packets from server are being NAT'd out rather than returned back over VPN.
Can't see why though.
To recap the issue... VPN traffic in itself routes fine... only traffic inbound to central 1841 (config as given) from remote 800 boxes using any ports which are PAT'd from internet to servers behind 1841 on main site cannot flow.
ie: Go to remote server (behind a 800) and telnet to main exchange server on port 25 (SMTP) over VPN and we get black screen and flashing cursor... so server has picked up connection request... but nothing more. If we remove the inbound PAT from 1841's internet side to main Exchange box on main site... connection attempt works fine. Therefore I suspect return packets from server are being NAT'd out rather than returned back over VPN.
Can't see why though.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $ecret
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
ip domain name domain.co.uk
!
!
crypto pki trustpoint TP-self-signed-3290162110
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-3290162110
!
!
crypto pki certificate chain TP-self-signed-3290162110
certificate self-signed 01
<< CERTIFICATE DETAILS >>
quit
username admin privilege 15 secret 5 $ecret
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key q1w2e3r4t5y6 address a.b.c.d
crypto isakmp key Q1W2E3R4T5Y6 address e.f.g.h
crypto isakmp key q1w2e3r4t5y6 address i.j.k.l
crypto isakmp key Q1W2E3R4T5Y6 address m.n.o.p
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CMAP_1 1 ipsec-isakmp
description VPN1
set peer a.b.c.d
set transform-set ESP-3DES-SHA
match address 101
crypto map CMAP_1 2 ipsec-isakmp
description VPN2
set peer e.f.g.h
set transform-set ESP-3DES-SHA
match address 102
crypto map CMAP_1 3 ipsec-isakmp
description VPN3
set peer i.j.k.l
set transform-set ESP-3DES-SHA
match address 103
crypto map CMAP_1 4 ipsec-isakmp
description VPN4
set peer m.n.o.p
set transform-set ESP-3DES-SHA
match address 104
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$I
ip address 192.168.191.254 255.255.255.0
ip nat inside
ip virtual-reassembly
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
description $ES_WAN$
ip address q.r.s.t 255.255.255.248
ip nat outside
ip virtual-reassembly
shutdown
duplex auto
speed auto
crypto map CMAP_1
!
ip route 0.0.0.0 0.0.0.0 u.v.w.x
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http secure-port 8079
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map natornonat interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.191.250 25 q.r.s.t 25 extendable
ip nat inside source static tcp 192.168.191.243 88 q.r.s.t 88 extendable
ip nat inside source static tcp 192.168.191.242 443 q.r.s.t 443 extendable
ip nat inside source static tcp 192.168.191.250 3389 q.r.s.t 3389 extendable
ip nat inside source static tcp 192.168.191.243 8888 q.r.s.t 8888 extendable
!
access-list 101 permit ip 192.168.191.0 0.0.0.255 192.168.194.0 0.0.0.255
access-list 102 permit ip 192.168.191.0 0.0.0.255 192.168.192.0 0.0.0.255
access-list 103 permit ip 192.168.191.0 0.0.0.255 192.168.193.0 0.0.0.255
access-list 104 permit ip 192.168.191.0 0.0.0.255 10.133.133.0 0.0.0.255
access-list 175 deny ip 192.168.191.0 0.0.0.255 192.168.192.0 0.0.0.255
access-list 175 deny ip 192.168.191.0 0.0.0.255 192.168.193.0 0.0.0.255
access-list 175 deny ip 192.168.191.0 0.0.0.255 192.168.194.0 0.0.0.255
access-list 175 permit ip 192.168.191.0 0.0.0.255 any
!
!
!
route-map natornonat permit 1
match ip address 175
!
!
!
!
control-plane
!
!
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end