• Status: Solved
  • Priority: Medium
  • Security: Public

Cisco ip nat and VPN clash

Hey All,

We have an issue on two sites which we have now isolated to the same thing.

Both of these are split into two geographical sites and have Cisco 800 series routers running an IPsec tunnel between them.

Each site has a Windows 2008 server and Exchange, generally in a one-forest, multiple-child-domain setup.

The issue we have is that the NAT rules that translate, say, port 25 from external to the internal server interfere with that port going over the VPN. Traffic not on a NAT rule works fine over the VPN, for example pings, alternate ports, etc.

I can telnet from Server A to Server B on port 587 (alternate SMTP port) and have everything working fine. If I telnet from Server A to Server B on port 25, the SYN packet arrives from Server A, and Server B replies with a SYN,ACK, but that packet never reaches Server A. If we remove the NAT rule translating port 25 externally to internally, this packet now reaches back to the source over the IPsec VPN and everything works fine.

So I'm guessing my NAT rules are not written correctly.

Some configs for you all:

Crypto Map setups:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key XXXXXXXXX address NNN.NNN.242.165 no-xauth
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
crypto map aesmap 10 ipsec-isakmp
 set peer NNN.NNN.242.165
 set transform-set aes-sha-transform
 set pfs group2
 match address acl_vpn

Interface Configs:

interface Vlan1
 ip address
 ip nat inside
 ip virtual-reassembly

interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname AAAAAA
 ppp chap password 0 XXXXXX
 ppp pap sent-username AAAAAA password 0 XXXXXX
 crypto map aesmap

ACL Configs:

ip nat pool apool NNN.NNN.131.166 NNN.NNN.131.166 netmask
ip nat inside source static tcp 1723 interface Dialer0 1723
ip nat inside source static tcp 80 interface Dialer0 80
ip nat inside source static tcp 25 interface Dialer0 25
ip nat inside source static tcp 3389 interface Dialer0 3389
ip nat inside source static tcp 3101 interface Dialer0 3101
ip nat inside source static tcp 143 interface Dialer0 143
ip nat inside source static tcp 110 interface Dialer0 110
ip nat inside source static tcp 443 interface Dialer0 443
ip nat inside source route-map amap pool apool overload
ip access-list extended NAT
 permit ip any any
ip access-list extended acl_vpn
 permit ip

access-list 1 permit
access-list 102 deny   ip
access-list 102 permit ip any
dialer-list 1 protocol ip permit
route-map amap permit 10
 match ip address 102

1 Solution
You need to use a route-map with your "ip nat inside" command. For example:

ip access-list extended server-ACL-NAT
 ! Deny traffic from the server to the VPN remote:
 deny ip host
 ! Permit everything else
 permit ip host any

route-map server-RM-NAT permit 10
 match ip address server-ACL-NAT
route-map server-RM-NAT deny 20

! The route-map should limit NAT to traffic matched by the above ACL:
ip nat inside source static interface Dialer0  route-map server-RM-NAT

Do this on both routers, assuming your users use a different outside IP address.
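Editor's note on why the accepted answer works, with a fuller worked configuration that is added here and is not part of the original question or answer. On IOS, inside-to-outside traffic is NAT-translated before the crypto map is consulted, while outside-to-inside traffic is decrypted before NAT. A `static tcp ... 25` entry without a route-map matches any packet leaving the inside with source server:25, regardless of destination. So the SYN from the remote site is decrypted and delivered untouched, but Server B's SYN/ACK from port 25 is rewritten to the Dialer0 address, no longer matches `acl_vpn`, and leaves in the clear toward a private address, where it is lost. The dynamic overload rule in the question is already gated by `route-map amap` and ACL 102 (which denies the site-to-site traffic), which is why ports without a static entry work; the static entries simply lack the same gate. The trailing `deny 20` sequence in the answer's route-map is redundant with the route-map's implicit deny, but harmless. The addresses, the ACL and route-map names below are assumptions for illustration: local LAN 192.168.10.0/24 with the server at 192.168.10.10, remote LAN 192.168.20.0/24, and `interface Dialer0 overload` in place of the redacted pool.

```cisco
! Assumed addressing (not from the original post):
!   local LAN  192.168.10.0/24, Exchange/Windows server 192.168.10.10
!   remote LAN 192.168.20.0/24 (other end of the IPsec tunnel)

! Flows that must NOT be translated, so the crypto ACL can still match them.
! A "deny" here means "no NAT", not "drop": the route-map simply does not match.
ip access-list extended NONAT-ACL
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any

route-map NONAT-RM permit 10
 match ip address NONAT-ACL

! Crypto ACL mirrors the same pair of private networks (reverse it on the peer).
ip access-list extended acl_vpn
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255

! Static port forwards: identical to the originals, but gated by the route-map.
! IOS rejects a duplicate static entry, so remove the ungated one first.
no ip nat inside source static tcp 192.168.10.10 25 interface Dialer0 25
ip nat inside source static tcp 192.168.10.10 25   interface Dialer0 25   route-map NONAT-RM
no ip nat inside source static tcp 192.168.10.10 443 interface Dialer0 443
ip nat inside source static tcp 192.168.10.10 443  interface Dialer0 443  route-map NONAT-RM
no ip nat inside source static tcp 192.168.10.10 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.10.10 3389 interface Dialer0 3389 route-map NONAT-RM
! ...repeat for 80, 110, 143, 1723, 3101 in the same pattern.

! Dynamic overload for everything else, gated by the same route-map
! (assumed "interface Dialer0 overload" since the Dialer0 address is negotiated).
ip nat inside source route-map NONAT-RM interface Dialer0 overload
```

Apply the mirror image on the remote router (swap the two /24s in `NONAT-ACL` and `acl_vpn`), then run `clear ip nat translation *` on both ends so no stale server:25 entries survive. To confirm the fix, telnet from Server A to Server B on port 25 and check `show crypto ipsec sa` on Server B's router: the `#pkts encaps` counter for the 192.168.10.0/24 to 192.168.20.0/24 SA should now increase with the SYN/ACK, and `show ip nat translations` should show no entry with an inside local of 192.168.10.10:25 and an outside address in 192.168.20.0/24. Finally, test an inbound connection to port 25 from the Internet to make sure the route-map-gated static forward still serves outside-initiated sessions.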

This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.