Solved

Cisco 2600 NAT Router servicing VPN clients  - NAT rule breaks VPN access.

Posted on 2008-10-21
4
665 Views
Last Modified: 2012-05-05
See the attached config:
NAT works fine and VPN works fine until I add the following NAT statement:
ip nat inside source static tcp 172.17.2.209 12005 xxx.xxx.xxx.9 12005 extendable
What I need is for this port to be available either from the internet or from the VPN client.  Without the line, the VPN client can access the application; with the line, the VPN client cannot access the application but the rest of the world can.  I need both to work.  This has not been a concern for the other ports, so I have never noticed this until now.
I've gone over the config a dozen times, but I need a second set of eyes to help me figure this one out.  Thanks so much for any help sent this way!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ************
!
boot-start-marker
boot-end-marker
!
logging buffered 16000 debugging
no logging console guaranteed
no logging console
enable secret 5 ***************************************
enable password ***********************
!
memory-size iomem 25
clock timezone GMT -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login userauthen group radius
aaa authorization network groupauthor local 
aaa session-id common
ip subnet-zero
!
!
ip domain name ******************.***
ip name-server xxx.xxx.xxx.104
ip name-server xxx.xxx.xxx.105
ip name-server 172.17.2.2
ip name-server 172.17.2.19
!
ip flow-cache timeout active 1
ip cef
ip audit po max-events 100
!
!
username ****************** password 0 ********
username VPN password 0 ****************
!
! 
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local vpnpool
!
crypto isakmp client configuration group HCVPN
 key 6DC2CBB3AB466429
 dns 172.17.2.2 172.17.2.19
 wins 172.17.2.5 172.17.2.3
 domain ********.***
 pool vpnpool
 acl 110
!
!
crypto ipsec transform-set HCset esp-3des esp-sha-hmac 
!
crypto dynamic-map dynmap 10
 set transform-set HCset 
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap 
!
!
!
interface Ethernet0
 ip address 172.17.2.251 255.255.255.0
 ip nat inside
 ip route-cache flow
 half-duplex
!
interface FastEthernet0
 ip address xxx.xxx.xxx.9 255.255.252.0
 ip nat outside
 ip route-cache flow
 speed auto
 crypto map clientmap
!
router eigrp 1
 auto-summary
!
ip local pool vpnpool 172.17.3.30 172.17.3.39
ip nat inside source route-map nonat interface FastEthernet0 overload
ip nat inside source static tcp 172.17.2.164 514 xxx.xxx.xxx.9 514 extendable
ip nat inside source static udp 172.17.2.164 514 xxx.xxx.xxx.9 514 extendable
ip nat inside source static tcp 172.17.2.164 69 xxx.xxx.xxx.9 69 extendable
ip nat inside source static udp 172.17.2.164 69 xxx.xxx.xxx.9 69 extendable
ip nat inside source static tcp 172.17.2.160 8160 xxx.xxx.xxx.9 8160 extendable
ip nat inside source static tcp 172.17.2.209 5120 xxx.xxx.xxx.9 5120 extendable
ip nat inside source static tcp 172.17.2.4 12005 xxx.xxx.xxx.9 12005 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
no ip http server
no ip http secure-server
ip flow-export source FastEthernet0
ip flow-export destination xxx.xxx.xxx.122 2055
!
!
!
ip access-list extended Outbound
 permit icmp any any
 permit ip any any
logging history size 500
logging history emergencies
logging 172.17.2.164
logging xxx.xxx.xxx.122
access-list 110 permit ip 172.17.0.0 0.0.255.255 any
access-list 150 deny   ip 172.17.3.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 150 deny   ip 172.17.2.0 0.0.0.255 172.17.3.0 0.0.0.255
access-list 150 permit ip 172.17.3.0 0.0.0.255 any
access-list 150 permit ip 172.17.2.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 150
!
snmp-server community WRHadmin7 RW
snmp-server community holland RO
snmp-server enable traps tty
radius-server host 172.17.2.2 auth-port 1645 acct-port 1646 key ********
!
line con 0
 password ********
line aux 0
line vty 0 4
 password ********
!
ntp clock-period 17179988
ntp peer xxx.xxx.xxx.1
ntp server xxx.xxx.xxx.104
ntp server xxx.xxx.xxx.105
end

Question by:Frank McCourry
4 Comments
 
LVL 9

Author Comment

by:Frank McCourry
ID: 22767001
Meant to post 500 points on this one.  Danged mouse....
 
LVL 43

Accepted Solution

by:JFrederick29 earned 500 total points
ID: 22767853
Try using a route-map with the static statement to deny translation for VPN client traffic to the server.

For example:

access-list 101 deny ip any 172.17.3.0 0.0.0.255
access-list 101 permit ip any any

route-map no-vpn-nat permit 10
 match ip address 101

ip nat inside source static tcp 172.17.2.209 12005 xxx.xxx.xxx.9 12005 route-map no-vpn-nat
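As an added illustration (not part of the thread or its config), here is a small Python model of how IOS consults a static NAT entry for inside-to-outside traffic, with and without the route-map from the accepted answer, using the thread's addresses. It assumes 203.0.113.9 as a stand-in for the masked xxx.xxx.xxx.9, and 172.17.3.31 and 198.51.100.7 as constructed VPN-client and Internet addresses; the dynamic overload rule is left out.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder for the masked public address xxx.xxx.xxx.9.
PUBLIC = "203.0.113.9"

# access-list 101 from the accepted answer, as (action, src, dst) entries.
# Wildcard masks are written as CIDR networks; 0.0.0.0/0 is "any".
ACLS = {
    101: [("deny", "0.0.0.0/0", "172.17.3.0/24"),
          ("permit", "0.0.0.0/0", "0.0.0.0/0")],
}

# The static entry before and after the fix (hypothetical rule dicts).
ORIGINAL = [{"inside": "172.17.2.209", "port": 12005, "global": PUBLIC}]
FIXED = [{"inside": "172.17.2.209", "port": 12005, "global": PUBLIC,
          "route_map_acl": 101}]


def acl_permits(acl, src, dst):
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for action, s_net, d_net in acl:
        if ip_address(src) in ip_network(s_net) and ip_address(dst) in ip_network(d_net):
            return action == "permit"
    return False


def translate(rules, src, sport, dst):
    """Source ip/port of an inside->outside TCP packet after static NAT.
    A static entry carrying a route-map only applies when the route-map's
    ACL permits the packet as seen before translation."""
    for r in rules:
        if (src, sport) != (r["inside"], r["port"]):
            continue
        acl = r.get("route_map_acl")
        if acl is not None and not acl_permits(ACLS[acl], src, dst):
            continue  # route-map denies: this entry is skipped
        return r["global"], r["port"]
    return src, sport  # nothing matched: packet leaves untranslated


def reply_to_vpn_client(rules):
    """Server answering a VPN client from the vpnpool range (constructed)."""
    return translate(rules, "172.17.2.209", 12005, "172.17.3.31")


def reply_to_internet(rules):
    """Server answering an Internet host (constructed documentation address)."""
    return translate(rules, "172.17.2.209", 12005, "198.51.100.7")
```

Without the route-map, the server's reply to a VPN client leaves with source 203.0.113.9:12005 rather than 172.17.2.209:12005, so the client's TCP stack has no matching connection and drops it; with the route-map that reply is left alone while Internet-bound replies are still translated.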
 
LVL 9

Author Closing Comment

by:Frank McCourry
ID: 31508247
Sometimes the best solutions are the simplest!  Thanks!

 
LVL 9

Author Comment

by:Frank McCourry
ID: 22768735
BTW, for those searching later, the only thing I really had to do was add the line: ip nat inside source static tcp 172.17.2.209 12005 xxx.xxx.xxx.9 12005 route-map no-vpn-nat, as I already had a nonat route-map defined with acl 150.
