Cisco ip nat and VPN clash

Posted on 2011-02-17
Last Modified: 2012-05-11
Hey All,

We have an issue on two sites which we have now isolated to the same thing.

Both of these are split into two geographical sites and have Cisco 800 series routers doing an IPSEC tunnel between them.

Each site has a Windows 2008 server and exchange, generally in a one forest multiple child domain setup.

The issue we have is that the NAT rules that translate, say port 25, from external to internal server interfere with that port going over the VPN. Traffic not on a nat rule works fine over the VPN, for example pings, alternate ports etc.

I can telnet from Server A to Server B on port 587 (alternate SMTP port) and have everything working fine. If I telnet from Server A to Server B on port 25, the SYN packet arrives from Server A, and Server B replies with a SYN,ACK but that packet never reaches Server A. If we remove the nat rule translating port 25 externally to internally this packet now reaches back to source over the IPSEC VPN and everything works fine.

So I'm guessing my NAT rules are not written correctly.

Some configs for you all:

Crypto Map setups:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key XXXXXXXXX address NNN.NNN.242.165 no-xauth
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
crypto map aesmap 10 ipsec-isakmp
 set peer NNN.NNN.242.165
 set transform-set aes-sha-transform
 set pfs group2
 match address acl_vpn

Interface Configs:

interface Vlan1
 ip address
 ip nat inside
 ip virtual-reassembly

interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname AAAAAA
 ppp chap password 0 XXXXXX
 ppp pap sent-username AAAAAA password 0 XXXXXX
 crypto map aesmap

ACL Configs:

ip nat pool apool NNN.NNN.131.166 NNN.NNN.131.166 netmask
ip nat inside source static tcp 1723 interface Dialer0 1723
ip nat inside source static tcp 80 interface Dialer0 80
ip nat inside source static tcp 25 interface Dialer0 25
ip nat inside source static tcp 3389 interface Dialer0 3389
ip nat inside source static tcp 3101 interface Dialer0 3101
ip nat inside source static tcp 143 interface Dialer0 143
ip nat inside source static tcp 110 interface Dialer0 110
ip nat inside source static tcp 443 interface Dialer0 443
ip nat inside source route-map amap pool apool overload
ip access-list extended NAT
 permit ip any any
ip access-list extended acl_vpn
 permit ip

access-list 1 permit
access-list 102 deny   ip
access-list 102 permit ip any
dialer-list 1 protocol ip permit
route-map amap permit 10
 match ip address 102

Question by:michaeljcarmody
Accepted Solution

rkrug8421 earned 250 total points
ID: 34922973
You need to use a route-map with your "ip nat inside" command. For example:

ip access-list extended server-ACL-NAT
 ! Deny traffic from the server to the VPN remote:
 deny ip host
 ! Permit everything else
 permit ip host any

route-map server-RM-NAT permit 10
 match ip address server-ACL-NAT
route-map server-RM-NAT deny 20

! The route-map should limit NAT to traffic matched by the above ACL:
ip nat inside source static interface Dialer0  route-map server-RM-NAT

Do this on both routers, assuming your users use a different outside IP address.
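A fuller version of that fix, written here as an added example and not the asker's or rkrug8421's own configuration, using constructed placeholder subnets. The reason the static entries break port 25 is the IOS order of operations: for inside-to-outside traffic, NAT runs before the crypto map is checked, so Server B's SYN,ACK is source-translated to the Dialer0 address, no longer matches acl_vpn, and leaves in the clear. The dynamic overload rule on the page is already conditioned on a route-map (ACL 102); the static entries are not.

```cisco
! Added example (not from the question or the accepted answer). Addresses are
! constructed placeholders: local LAN 192.168.1.0/24 with the mail server at
! 192.168.1.10, remote LAN 192.168.2.0/24 behind the IPsec peer.

! Traffic from the server to the remote VPN LAN must never be translated.
ip access-list extended server-ACL-NAT
 deny   ip host 192.168.1.10 192.168.2.0 0.0.0.255
 permit ip host 192.168.1.10 any

route-map server-RM-NAT permit 10
 match ip address server-ACL-NAT
route-map server-RM-NAT deny 20

! The crypto ACL is the mirror image of the deny line above.
ip access-list extended acl_vpn
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

! Static port forwards, now conditioned on the route-map (syntax as in the
! accepted answer). Repeat for every forwarded port.
ip nat inside source static tcp 192.168.1.10 25  interface Dialer0 25  route-map server-RM-NAT
ip nat inside source static tcp 192.168.1.10 443 interface Dialer0 443 route-map server-RM-NAT
ip nat inside source static tcp 192.168.1.10 80  interface Dialer0 80  route-map server-RM-NAT

! The dynamic overload rule needs the same exemption in ACL 102.
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
route-map amap permit 10
 match ip address 102
ip nat inside source route-map amap pool apool overload

! Checks after the change:
!  telnet from Server A to Server B on port 25 should now complete;
!  show ip nat translations  - no entry with a 192.168.2.x outside host
!  show crypto ipsec sa      - #pkts encaps/decaps rise on the tunnel
!  show ip nat statistics    - Hits/Misses on the route-map based mappings
```

Apply the mirrored configuration (subnets swapped) on the router at the other site, as the answer says. If inbound port forwards stop working after adding the route-map, check whether that IOS release needs the reversible keyword on route-map static entries.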

Expert Comment

ID: 35187523
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
