Solved

Sanity Check setting up Inbound NAT and excluding from VPN traffic.

Posted on 2008-10-20
Last Modified: 2012-05-05
Folks,

We have a customer with an 1841 in their head office with 800 series boxes in site offices.  All advanced IP based IOS.

When setting up the 1841 we get internet access fine, and get all the VPNs working a treat... no problems thus far. However, when we configured inbound NAT/PAT translations we end up not being able to pass the equivalent ports/traffic across the VPN. For example, SMTP email is fed to the main office to an Exchange 2k3 box which then routes emails for the branch offices by SMTP over VPNs to sub-Exchange boxes... but the traffic gets blocked in that we cannot connect to the SMTP server in the main site from the remote offices - but the main site can connect to the remote SMTP servers in the site offices with no problems.

On checking the WWW for this issue, it became clear we had an issue with correct routing of packets due to combined overloading and NAT/PAT'ing of the same WAN interface... so we've changed our config to the following one. This cannot be tested in-house as the box is to be sent to our client to try out, but we just wanted to sanity check it for anything obvious.

Thanks in advance.

Question by:1stopit

Author Comment

by:1stopit
ID: 22756691


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $ecret
!
no aaa new-model
!
resource policy
!
ip cef
!
!
!
!
ip domain name domain.co.uk
!
!
crypto pki trustpoint TP-self-signed-3290162110
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3290162110
 revocation-check none
 rsakeypair TP-self-signed-3290162110
!
!
crypto pki certificate chain TP-self-signed-3290162110
 certificate self-signed 01
      << CERTIFICATE DETAILS >>
  quit
username admin privilege 15 secret 5 $ecret
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key q1w2e3r4t5y6 address a.b.c.d
crypto isakmp key Q1W2E3R4T5Y6 address e.f.g.h
crypto isakmp key q1w2e3r4t5y6 address i.j.k.l
crypto isakmp key Q1W2E3R4T5Y6 address m.n.o.p
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CMAP_1 1 ipsec-isakmp
 description VPN1
 set peer a.b.c.d
 set transform-set ESP-3DES-SHA
 match address 101
crypto map CMAP_1 2 ipsec-isakmp
 description VPN2
 set peer e.f.g.h
 set transform-set ESP-3DES-SHA
 match address 102
crypto map CMAP_1 3 ipsec-isakmp
 description VPN3
 set peer i.j.k.l
 set transform-set ESP-3DES-SHA
 match address 103
crypto map CMAP_1 4 ipsec-isakmp
 description VPN4
 set peer m.n.o.p
 set transform-set ESP-3DES-SHA
 match address 104
!
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$
 ip address 192.168.191.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ES_WAN$
 ip address q.r.s.t 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
 crypto map CMAP_1
!
ip route 0.0.0.0 0.0.0.0 u.v.w.x
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http secure-port 8079
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map natornonat interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.191.250 25 q.r.s.t 25 extendable
ip nat inside source static tcp 192.168.191.243 88 q.r.s.t 88 extendable
ip nat inside source static tcp 192.168.191.242 443 q.r.s.t 443 extendable
ip nat inside source static tcp 192.168.191.250 3389 q.r.s.t 3389 extendable
ip nat inside source static tcp 192.168.191.243 8888 q.r.s.t 8888 extendable
!
access-list 101 permit ip 192.168.191.0 0.0.0.255 192.168.194.0 0.0.0.255
access-list 102 permit ip 192.168.191.0 0.0.0.255 192.168.192.0 0.0.0.255
access-list 103 permit ip 192.168.191.0 0.0.0.255 192.168.193.0 0.0.0.255
access-list 104 permit ip 192.168.191.0 0.0.0.255 10.133.133.0 0.0.0.255
access-list 175 deny   ip 192.168.191.0 0.0.0.255 192.168.192.0 0.0.0.255
access-list 175 deny   ip 192.168.191.0 0.0.0.255 192.168.193.0 0.0.0.255
access-list 175 deny   ip 192.168.191.0 0.0.0.255 192.168.194.0 0.0.0.255
! added: the VPN4 subnet from crypto ACL 104 (10.133.133.0/24) was not exempted,
! so its tunnel traffic would still have been PAT'd out of FastEthernet0/1
access-list 175 deny   ip 192.168.191.0 0.0.0.255 10.133.133.0 0.0.0.255
access-list 175 permit ip 192.168.191.0 0.0.0.255 any
!
!
!
route-map natornonat permit 1
 match ip address 175
!
!
!
!
control-plane
!
!
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end


Expert Comment

by:batry_boy
ID: 22763648
Do your remote office Exchange servers use the private or public IP address of the main site Exchange server?  If it is using the public IP address, try reconfiguring the remote office Exchange server(s) to reference the private IP address of the main site Exchange server and see if that helps...

Author Comment

by:1stopit
ID: 22993659
All servers communicate over VPNs using private IPs only.

To recap the issue... VPN traffic in itself routes fine... only traffic inbound to the central 1841 (config as given) from the remote 800 boxes, using any ports which are PAT'd from the internet to servers behind the 1841 on the main site, cannot flow.

i.e.: Go to a remote server (behind an 800) and telnet to the main Exchange server on port 25 (SMTP) over the VPN and we get a black screen and flashing cursor... so the server has picked up the connection request... but nothing more. If we remove the inbound PAT from the 1841's internet side to the main Exchange box on the main site... the connection attempt works fine. Therefore I suspect return packets from the server are being NAT'd out rather than returned back over the VPN.

Can't see why though.


Accepted Solution

by: JFrederick29 (earned 500 total points)
ID: 22993834
Use a route-map on the static statements to only NAT when not traversing the VPN:

ip access-list extended static-no-nat
 deny ip any 192.168.192.0 0.0.0.255
 deny ip any 192.168.193.0 0.0.0.255
 deny ip any 192.168.194.0 0.0.0.255
 ! added: the VPN4 subnet from crypto ACL 104 needs exempting as well
 deny ip any 10.133.133.0 0.0.0.255
 permit ip any any

route-map static-no-nat permit 10
 match ip address static-no-nat

no ip nat inside source static tcp 192.168.191.250 25 q.r.s.t 25 extendable
ip nat inside source static tcp 192.168.191.250 25 q.r.s.t 25 route-map static-no-nat
...
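A sanity check of the kind the question asks for, as an added Python example that is not part of the thread: it parses the router's crypto ACLs and a NAT route-map ACL (IOS address/wildcard syntax, `ip` entries only) and reports every VPN subnet the NAT ACL does not fully deny, which is exactly the traffic that would be translated instead of sent down the tunnel. The same check applies to the overload route-map ACL 175 and to the expert's `static-no-nat` ACL; the sample NAT ACL below is constructed with only three deny lines so the check has something to find.

```python
import ipaddress

def _addr(toks):
    """Consume one IOS ACE address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if toks[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.IPv4Network(toks[1] + "/32"), toks[2:]
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(toks[1])) & 0xFFFFFFFF)  # wildcard -> netmask
    return ipaddress.IPv4Network((toks[0], str(mask)), strict=False), toks[2:]

def parse_ace(line):
    """Parse '[access-list N] permit|deny ip SRC DST' into (action, src_net, dst_net)."""
    toks = line.split()
    if toks[0] == "access-list":   # numbered ACL; lines of a named ACL carry no prefix
        toks = toks[2:]
    src, rest = _addr(toks[2:])    # toks[1] is the protocol; only 'ip' entries are handled
    dst, _ = _addr(rest)
    return toks[0], src, dst

def nat_exempt_gaps(crypto_acl_lines, nat_acl_lines):
    """(src, dst) subnet pairs a crypto ACL sends through the VPN that the NAT ACL does not
    fully deny, i.e. tunnel traffic the router would still translate (IOS first-match)."""
    nat = list(map(parse_ace, nat_acl_lines))
    gaps = []
    for action, src, dst in map(parse_ace, crypto_acl_lines):
        if action != "permit":
            continue
        for nact, s, d in nat:     # the first overlapping ACE decides the verdict
            if src.overlaps(s) and dst.overlaps(d):
                if nact != "deny" or not (src.subnet_of(s) and dst.subnet_of(d)):
                    gaps.append((str(src), str(dst)))
                break
    return gaps

# Constructed sample: the crypto ACLs 101-104 from the thread, and a NAT ACL 175 with
# only three deny lines, which leaves the VPN4 subnet (10.133.133.0/24) unexempted.
CRYPTO_ACLS = [
    "access-list 101 permit ip 192.168.191.0 0.0.0.255 192.168.194.0 0.0.0.255",
    "access-list 102 permit ip 192.168.191.0 0.0.0.255 192.168.192.0 0.0.0.255",
    "access-list 103 permit ip 192.168.191.0 0.0.0.255 192.168.193.0 0.0.0.255",
    "access-list 104 permit ip 192.168.191.0 0.0.0.255 10.133.133.0 0.0.0.255",
]
NAT_ACL_175 = [
    "access-list 175 deny   ip 192.168.191.0 0.0.0.255 192.168.192.0 0.0.0.255",
    "access-list 175 deny   ip 192.168.191.0 0.0.0.255 192.168.193.0 0.0.0.255",
    "access-list 175 deny   ip 192.168.191.0 0.0.0.255 192.168.194.0 0.0.0.255",
    "access-list 175 permit ip 192.168.191.0 0.0.0.255 any",
]
```

Run `nat_exempt_gaps(CRYPTO_ACLS, NAT_ACL_175)` against the live config's ACLs whenever a new crypto map entry is added; an empty list means every tunnel subnet is exempt from both the overload and the static translations.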