Solved

Cisco 2600 NAT Router servicing VPN clients  - NAT rule breaks VPN access.

Posted on 2008-10-21
Last Modified: 2012-05-05
See the attached config:
NAT works fine and VPN works fine until I add the following NAT statement:
ip nat inside source static tcp 172.17.2.209 12005 xxx.xxx.xxx.9 12005 extendable
What I need is for this port to be available either from the internet or from the VPN client.  Without the line, the VPN client can access the application; with the line, the VPN client cannot access the application but the rest of the world can.  I need both to work.  This has not been a concern for the other ports, so I have never noticed this until now.
I've gone over the config a dozen times, but I need a second set of eyes to help me figure this one out.  Thanks so much for any help sent this way!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ************
!
boot-start-marker
boot-end-marker
!
logging buffered 16000 debugging
no logging console guaranteed
no logging console
enable secret 5 ***************************************
enable password ***********************
!
memory-size iomem 25
clock timezone GMT -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip domain name ******************.***
ip name-server xxx.xxx.xxx.104
ip name-server xxx.xxx.xxx.105
ip name-server 172.17.2.2
ip name-server 172.17.2.19
!
ip flow-cache timeout active 1
ip cef
ip audit po max-events 100
!
!
username ****************** password 0 ********
username VPN password 0 ****************
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local vpnpool
!
crypto isakmp client configuration group HCVPN
 key 6DC2CBB3AB466429
 dns 172.17.2.2 172.17.2.19
 wins 172.17.2.5 172.17.2.3
 domain ********.***
 pool vpnpool
 acl 110
!
!
crypto ipsec transform-set HCset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set HCset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
 ip address 172.17.2.251 255.255.255.0
 ip nat inside
 ip route-cache flow
 half-duplex
!
interface FastEthernet0
 ip address xxx.xxx.xxx.9 255.255.252.0
 ip nat outside
 ip route-cache flow
 speed auto
 crypto map clientmap
!
router eigrp 1
 auto-summary
!
ip local pool vpnpool 172.17.3.30 172.17.3.39
ip nat inside source route-map nonat interface FastEthernet0 overload
ip nat inside source static tcp 172.17.2.164 514 xxx.xxx.xxx.9 514 extendable
ip nat inside source static udp 172.17.2.164 514 xxx.xxx.xxx.9 514 extendable
ip nat inside source static tcp 172.17.2.164 69 xxx.xxx.xxx.9 69 extendable
ip nat inside source static udp 172.17.2.164 69 xxx.xxx.xxx.9 69 extendable
ip nat inside source static tcp 172.17.2.160 8160 xxx.xxx.xxx.9 8160 extendable
ip nat inside source static tcp 172.17.2.209 5120 xxx.xxx.xxx.9 5120 extendable
ip nat inside source static tcp 172.17.2.4 12005 xxx.xxx.xxx.9 12005 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
no ip http server
no ip http secure-server
ip flow-export source FastEthernet0
ip flow-export destination xxx.xxx.xxx.122 2055
!
!
!
ip access-list extended Outbound
 permit icmp any any
 permit ip any any
logging history size 500
logging history emergencies
logging 172.17.2.164
logging xxx.xxx.xxx.122
access-list 110 permit ip 172.17.0.0 0.0.255.255 any
access-list 150 deny   ip 172.17.3.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 150 deny   ip 172.17.2.0 0.0.0.255 172.17.3.0 0.0.0.255
access-list 150 permit ip 172.17.3.0 0.0.0.255 any
access-list 150 permit ip 172.17.2.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 150
!
snmp-server community WRHadmin7 RW
snmp-server community holland RO
snmp-server enable traps tty
radius-server host 172.17.2.2 auth-port 1645 acct-port 1646 key ********
!
line con 0
 password ********
line aux 0
line vty 0 4
 password ********
!
ntp clock-period 17179988
ntp peer xxx.xxx.xxx.1
ntp server xxx.xxx.xxx.104
ntp server xxx.xxx.xxx.105
end

Question by:Frank McCourry
4 Comments

Author Comment by Frank McCourry (ID: 22767001)
Meant to post 500 points on this one.  Danged mouse....
Accepted Solution by JFrederick29, earned 500 total points (ID: 22767853)
Try using a route-map with the static statement to deny translation for VPN client traffic to the server.

For example:

access-list 101 deny ip any 172.17.3.0 0.0.0.255
access-list 101 permit ip any any

route-map no-vpn-nat permit 10
 match ip address 101

ip nat inside source static tcp 172.17.2.209 12005 xxx.xxx.xxx.9 12005 route-map no-vpn-nat
Author Closing Comment by Frank McCourry (ID: 31508247)
Sometimes the best solutions are the simplest!  Thanks!

Author Comment by Frank McCourry (ID: 22768735)
BTW, for those searching later, the only thing I really had to do was add the line "ip nat inside source static tcp 172.17.2.209 12005 xxx.xxx.xxx.9 12005 route-map no-vpn-nat", as I already had a nonat route-map defined with ACL 150.

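As an added illustration that is not part of the original thread, the Python model below traces the application server's reply toward a VPN client and toward an internet client, with and without the route-map from the accepted solution, to show why the plain static translation breaks the tunnel path. It assumes the IOS inside-to-outside order of operations in which NAT runs before the crypto map is evaluated, simplifies the client SA's proxy identity to a "source in 172.17.0.0/16, destination in the pool network" check, and uses 198.51.100.9 as a constructed stand-in for the masked public address xxx.xxx.xxx.9.

```python
import ipaddress

# Addresses taken from the thread; 198.51.100.9 is a constructed stand-in
# for the masked public interface address xxx.xxx.xxx.9.
PUBLIC_IP = "198.51.100.9"
SERVER = ("172.17.2.209", 12005)
# The pool itself is 172.17.3.30-39; ACLs 101 and 150 on the page match the whole /24.
VPN_POOL = ipaddress.ip_network("172.17.3.0/24")
INSIDE_NETS = ipaddress.ip_network("172.17.0.0/16")   # access-list 110 source

def acl_101_permits(dst_ip: str) -> bool:
    """ACL 101 from the accepted solution: deny ip any 172.17.3.0/24, then permit ip any any."""
    return ipaddress.ip_address(dst_ip) not in VPN_POOL

def static_nat(src_ip: str, src_port: int, dst_ip: str, with_route_map: bool):
    """Inside-to-outside leg of the static NAT for 172.17.2.209:12005.
    With 'route-map no-vpn-nat' attached, the translation is skipped whenever
    ACL 101 denies the flow, i.e. for anything addressed to a VPN client."""
    if (src_ip, src_port) != SERVER:
        return src_ip, src_port
    if with_route_map and not acl_101_permits(dst_ip):
        return src_ip, src_port
    return PUBLIC_IP, 12005

def crypto_map_encrypts(src_ip: str, dst_ip: str) -> bool:
    """Simplified client-SA check (assumption): the tunnel's proxy identity is
    (172.17.0.0/16 -> pool address), so both ends must match to be encrypted."""
    return (ipaddress.ip_address(src_ip) in INSIDE_NETS
            and ipaddress.ip_address(dst_ip) in VPN_POOL)

def reply_path(client_ip: str, with_route_map: bool) -> dict:
    """Trace the server's reply packet toward a client. Assumed IOS order for
    inside-to-outside traffic: NAT runs before the crypto map is evaluated, so a
    source rewritten to the public address no longer matches the crypto ACL and
    the reply leaves the router in the clear instead of inside the tunnel."""
    src_ip, src_port = static_nat(*SERVER, client_ip, with_route_map)
    return {"src": f"{src_ip}:{src_port}",
            "encrypted": crypto_map_encrypts(src_ip, client_ip)}

if __name__ == "__main__":
    for flag in (False, True):
        label = "with route-map" if flag else "without route-map"
        print(label, "VPN client:", reply_path("172.17.3.31", flag))
    print("with route-map internet client:", reply_path("203.0.113.7", True))
```

Without the route-map the reply to the VPN client is rewritten to the public address and falls outside ACL 110, which matches the symptom in the question; with it, VPN-bound replies keep their inside source and are encrypted, while internet clients are still translated.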