Solved

Cisco ip nat and VPN clash

Posted on 2011-02-17
Last Modified: 2012-05-11

Hey All,

We have an issue on two sites which we have now isolated to the same thing.

Both of these are split into two geographical sites and have Cisco 800 series routers doing an IPsec tunnel between them.

Each site has a Windows 2008 server and exchange, generally in a one forest multiple child domain setup.

The issue we have is that the NAT rules that translate, say, port 25 from external to the internal server interfere with that port going over the VPN. Traffic not covered by a NAT rule works fine over the VPN, for example pings, alternate ports, etc.

I can telnet from Server A to Server B on port 587 (alternate SMTP port) and have everything working fine. If I telnet from Server A to Server B on port 25, the SYN packet arrives from Server A, and Server B replies with a SYN,ACK, but that packet never reaches Server A. If we remove the NAT rule translating port 25 externally to internally, this packet now reaches back to the source over the IPsec VPN and everything works fine.

So I'm guessing my NAT rules are not written correctly.

Some configs for you all:

Crypto Map setups:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key XXXXXXXXX address NNN.NNN.242.165 no-xauth
!
!
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
 set peer NNN.NNN.242.165
 set transform-set aes-sha-transform
 set pfs group2
 match address acl_vpn

Interface Configs:

interface Vlan1
 ip address 172.17.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly

interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname AAAAAA
 ppp chap password 0 XXXXXX
 ppp pap sent-username AAAAAA password 0 XXXXXX
 crypto map aesmap

ACL Configs:

ip nat pool apool NNN.NNN.131.166 NNN.NNN.131.166 netmask 255.255.255.252
ip nat inside source static tcp 172.17.5.2 1723 interface Dialer0 1723
ip nat inside source static tcp 172.17.5.2 80 interface Dialer0 80
ip nat inside source static tcp 172.17.5.2 25 interface Dialer0 25
ip nat inside source static tcp 172.17.5.2 3389 interface Dialer0 3389
ip nat inside source static tcp 172.17.5.2 3101 interface Dialer0 3101
ip nat inside source static tcp 172.17.5.2 143 interface Dialer0 143
ip nat inside source static tcp 172.17.5.2 110 interface Dialer0 110
ip nat inside source static tcp 172.17.5.2 443 interface Dialer0 443
ip nat inside source route-map amap pool apool overload
!
ip access-list extended NAT
 permit ip any any
ip access-list extended acl_vpn
 permit ip 172.17.5.0 0.0.0.255 172.17.4.0 0.0.0.255

access-list 1 permit 172.17.5.0 0.0.0.255
access-list 102 deny   ip 172.17.5.0 0.0.0.255 172.17.4.0 0.0.0.255
access-list 102 permit ip 172.17.5.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map amap permit 10
 match ip address 102

Question by: michaeljcarmody

Accepted Solution by: rkrug8421

You need to use a route-map with your "ip nat inside" command. For example:

ip access-list extended server-ACL-NAT
 ! Deny traffic from the server to the VPN remote:
 deny ip host 172.17.5.2 172.17.4.0 0.0.0.255
 ! Permit everything else
 permit ip host 172.17.5.2 any

route-map server-RM-NAT permit 10
 match ip address server-ACL-NAT
!
route-map server-RM-NAT deny 20

! The route-map should limit NAT to traffic matched by the above ACL:
ip nat inside source static 172.17.5.2 interface Dialer0 route-map server-RM-NAT

Do this on both routers, assuming your users use a different outside IP address.

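To make the order of operations visible, here is a constructed Python model (added here, not code from the thread) of the inside-to-outside path on the site B router: static NAT is applied before the crypto map is consulted, so the SYN,ACK from 172.17.5.2:25 gets its source translated, no longer matches acl_vpn, and leaves Dialer0 in the clear, while the route-map exemption from the accepted answer keeps it inside the tunnel. The public IP of Dialer0 (203.0.113.10) and the site A client host and port are assumed.

```python
import ipaddress
from dataclasses import dataclass
# Constructed model of the inside-to-outside path on the site B router:
# NAT is applied before the crypto map is consulted, so a translated source
# address no longer matches acl_vpn and the packet leaves Dialer0 in the clear.
LAN_B = ipaddress.ip_network("172.17.5.0/24")   # site B inside (from the post)
LAN_A = ipaddress.ip_network("172.17.4.0/24")   # site A inside (from the post)
SERVER_B = ipaddress.ip_address("172.17.5.2")   # the port-forwarded server
DIALER0 = ipaddress.ip_address("203.0.113.10")  # assumed public IP of Dialer0
STATIC_PORTS = {1723, 80, 25, 3389, 3101, 143, 110, 443}  # the static entries

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int

def static_nat(pkt, exempt_vpn):
    """Static port forwards; exempt_vpn=True models the accepted answer's
    route-map (deny host 172.17.5.2 -> 172.17.4.0/24 ahead of permit any)."""
    if pkt.src == SERVER_B and pkt.sport in STATIC_PORTS:
        if exempt_vpn and pkt.dst in LAN_A:
            return None                      # route-map deny: entry skipped
        return Packet(DIALER0, pkt.sport, pkt.dst, pkt.dport)
    return None                              # no static entry for this flow

def dynamic_nat(pkt):
    """route-map amap / access-list 102: deny site-to-site, overload the rest."""
    if pkt.src in LAN_B and pkt.dst not in LAN_A:
        return Packet(DIALER0, pkt.sport, pkt.dst, pkt.dport)
    return pkt

def crypto_matches(pkt):
    """acl_vpn: permit ip 172.17.5.0 0.0.0.255 172.17.4.0 0.0.0.255"""
    return pkt.src in LAN_B and pkt.dst in LAN_A

def egress(pkt, exempt_vpn=False):
    """Return ('ipsec' or 'clear', source address as the packet leaves Dialer0)."""
    after = static_nat(pkt, exempt_vpn) or dynamic_nat(pkt)
    return ("ipsec" if crypto_matches(after) else "clear"), str(after.src)

def reply(sport, dst="172.17.4.2", dport=49152):
    """Server B's SYN,ACK towards a site A host (host and port constructed)."""
    return Packet(SERVER_B, sport, ipaddress.ip_address(dst), dport)

if __name__ == "__main__":
    print("port 25, original config:", egress(reply(25)))
    print("port 25, with route-map:", egress(reply(25), exempt_vpn=True))
    print("port 587, original config:", egress(reply(587)))
```

Internet-bound connections from the server on port 25 are still translated with the route-map in place, so the public port forward keeps working.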
 
Expert Comment by: digitap
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
