Cisco ip nat and VPN clash

Posted on 2011-02-17
Last Modified: 2012-05-11
Hey All,

We have an issue on two sites which we have now isolated to the same thing.

Both of these are split into two geographical sites and have Cisco 800 series routers doing an IPsec tunnel between them.

Each site has a Windows 2008 server and Exchange, generally in a one forest, multiple child domain setup.

The issue we have is that the NAT rules that translate, say, port 25 from external to the internal server interfere with that port going over the VPN. Traffic not covered by a NAT rule works fine over the VPN, for example pings, alternate ports etc.

I can telnet from Server A to Server B on port 587 (alternate SMTP port) and have everything working fine. If I telnet from Server A to Server B on port 25, the SYN packet arrives from Server A, and Server B replies with a SYN,ACK, but that packet never reaches Server A. If we remove the NAT rule translating port 25 externally to internally, this packet now reaches back to the source over the IPsec VPN and everything works fine.

So I'm guessing my NAT rules are not written correctly.

Some configs for you all:

Crypto Map setups:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key XXXXXXXXX address NNN.NNN.242.165 no-xauth
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
crypto map aesmap 10 ipsec-isakmp
 set peer NNN.NNN.242.165
 set transform-set aes-sha-transform
 set pfs group2
 match address acl_vpn

Interface Configs:

interface Vlan1
 ip address
 ip nat inside
 ip virtual-reassembly

interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname AAAAAA
 ppp chap password 0 XXXXXX
 ppp pap sent-username AAAAAA password 0 XXXXXX
 crypto map aesmap

ACL Configs:

ip nat pool apool NNN.NNN.131.166 NNN.NNN.131.166 netmask
ip nat inside source static tcp 1723 interface Dialer0 1723
ip nat inside source static tcp 80 interface Dialer0 80
ip nat inside source static tcp 25 interface Dialer0 25
ip nat inside source static tcp 3389 interface Dialer0 3389
ip nat inside source static tcp 3101 interface Dialer0 3101
ip nat inside source static tcp 143 interface Dialer0 143
ip nat inside source static tcp 110 interface Dialer0 110
ip nat inside source static tcp 443 interface Dialer0 443
ip nat inside source route-map amap pool apool overload
ip access-list extended NAT
 permit ip any any
ip access-list extended acl_vpn
 permit ip

access-list 1 permit
access-list 102 deny   ip
access-list 102 permit ip any
dialer-list 1 protocol ip permit
route-map amap permit 10
 match ip address 102

Question by: michaeljcarmody

Accepted Solution

rkrug8421 earned 250 total points
ID: 34922973
You need to use a route-map with your "ip nat inside" command, for example:

ip access-list extended server-ACL-NAT
 ! Deny traffic from the server to the VPN remote:
 deny ip host
 ! Permit everything else
 permit ip host any

route-map server-RM-NAT permit 10
 match ip address server-ACL-NAT
route-map server-RM-NAT deny 20

! The route-map should limit NAT to traffic matched by the above ACL:
ip nat inside source static interface Dialer0  route-map server-RM-NAT

Do this on both routers, assuming your users use a different outside IP address.
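The order of operations behind both the symptom in the question and the route-map fix above, as an added model (not the thread's configuration and not Cisco tooling): on IOS, a packet going from an "ip nat inside" interface to an "ip nat outside" interface is NAT-translated before the crypto map's "match address" check runs. So Server B's SYN,ACK from port 25 gets its source rewritten to the Dialer0 address by the static translation, no longer matches acl_vpn (which permits LAN-to-LAN traffic), and leaves in the clear toward a private address that the ISP cannot route. The Python below encodes that pipeline as small functions and runs the port-25, port-587 and Internet-bound cases through it with the posted rule and with the route-map exemption; all addresses are constructed for the example, since the thread masks its real ones.

```python
"""Model of IOS inside->outside processing: NAT inside-to-outside runs
before the crypto map's 'match address' check, so a static translation
that grabs a packet can stop it matching the IPsec ACL."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Constructed addresses for this example (the thread masks its real ones).
SITE_A_LAN = ip_network("192.168.1.0/24")   # Server A's site
SITE_B_LAN = ip_network("192.168.2.0/24")   # Server B's site
SERVER_A = ip_address("192.168.1.10")
SERVER_B = ip_address("192.168.2.10")
DIALER0_B = ip_address("203.0.113.5")       # site B's public (Dialer0) address
INTERNET_CLIENT = ip_address("198.51.100.20")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int


@dataclass(frozen=True)
class StaticNat:
    """ip nat inside source static tcp <inside> <port> interface Dialer0 <port>.

    exempt_dst models the route-map fix: an ACL that denies traffic from the
    server to the remote VPN subnet, so those packets are left untranslated.
    """
    inside_ip: IPv4Address
    port: int
    global_ip: IPv4Address
    exempt_dst: Optional[IPv4Network] = None


def nat_inside_to_outside(pkt: Packet, rules: Tuple[StaticNat, ...]) -> Packet:
    """Apply the first matching static translation to an outbound packet."""
    for rule in rules:
        if pkt.src == rule.inside_ip and pkt.sport == rule.port:
            if rule.exempt_dst is not None and pkt.dst in rule.exempt_dst:
                continue  # route-map denied: no translation for VPN-bound traffic
            return replace(pkt, src=rule.global_ip)
    return pkt  # no static rule matched (e.g. port 587), packet untouched


def matches_crypto_acl(pkt: Packet) -> bool:
    """crypto map ... match address acl_vpn -> permit ip <local LAN> <remote LAN>."""
    return pkt.src in SITE_B_LAN and pkt.dst in SITE_A_LAN


def egress(pkt: Packet, rules: Tuple[StaticNat, ...]) -> Tuple[Packet, bool]:
    """Return (packet as it leaves Dialer0, whether the crypto map claimed it)."""
    translated = nat_inside_to_outside(pkt, rules)   # NAT first ...
    return translated, matches_crypto_acl(translated)  # ... then crypto check


# Site B's port-25 rule as posted (no route-map) and with the route-map exemption.
BROKEN = (StaticNat(SERVER_B, 25, DIALER0_B),)
FIXED = (StaticNat(SERVER_B, 25, DIALER0_B, exempt_dst=SITE_A_LAN),)

# Server B's SYN,ACK back to Server A's telnet on port 25, and the port-587 case.
SYN_ACK_25 = Packet(SERVER_B, SERVER_A, sport=25, dport=50000)
SYN_ACK_587 = Packet(SERVER_B, SERVER_A, sport=587, dport=50001)
# A genuine inbound SMTP session from the Internet, answered by Server B.
SYN_ACK_INTERNET = Packet(SERVER_B, INTERNET_CLIENT, sport=25, dport=40000)


def main() -> None:
    for label, rules in (("as posted", BROKEN), ("with route-map", FIXED)):
        for name, pkt in (("SYN,ACK :25 -> Server A", SYN_ACK_25),
                          ("SYN,ACK :587 -> Server A", SYN_ACK_587),
                          ("SYN,ACK :25 -> Internet", SYN_ACK_INTERNET)):
            out, encrypted = egress(pkt, rules)
            print(f"{label:15} {name:26} src={out.src} encrypted={encrypted}")


if __name__ == "__main__":
    main()
```

The inbound direction explains why the SYN still arrives: outside-to-inside processing on IOS decrypts before NAT outside-to-inside, so the encrypted SYN reaches Server B untouched and only the reply is mistranslated. The model's exempt_dst is the "deny ip host <server> <remote subnet>" line of the suggested ACL; the trailing "route-map ... deny 20" adds nothing beyond the route-map's implicit deny, and the Internet-bound SMTP reply keeps being translated as before, which is the behaviour the original static rule was there to provide.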

Expert Comment

ID: 35187523
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
