We help IT Professionals succeed at work.

NAT issue on site to site vpn's over cisco routers

Medium Priority
371 Views
Last Modified: 2012-05-12
Any connections from remote offices to main office where are servers are located, is blocked if it has a NAT rule setup for external to internal access.

Example:  Port 25 is PAT'd from outside interface to inside server address.  external access to 25 is fine.  Internal access from main network is fine.  Internal access through site to site vpn does not work.

Any help would be appreciated.  

Cisco routers with typical site to site vpn configuraiton.
Comment
Watch Question

Author

Commented:
Main Router Config

login as: hahnadmin
hahnadmin@192.168.255.252's password:

Hahn1841#wr t
Building configuration...

Current configuration : 12593 bytes
!
! Last configuration change at 22:18:54 EDT Tue Nov 1 2011 by hahnadmin
! NVRAM config last updated at 22:16:29 EDT Tue Nov 1 2011 by hahnadmin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Hahn1841
!
boot-start-marker
boot system flash c1841-advipservicesk9-mz.124-6.T.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen group radius local
aaa authentication login local_authen local
aaa authorization exec default local
aaa authorization exec local_author local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name hahn.int
ip name-server 192.168.255.108
ip name-server 192.168.255.109
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect tcp idle-time 21600
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW tcp timeout 10800
ip inspect name SDM_LOW citriximaclient
ip inspect name SDM_LOW citrix
!
!
crypto pki trustpoint TP-self-signed-1252328365
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1252328365
 revocation-check none
 rsakeypair TP-self-signed-1252328365
!
!

!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key ***** address 63.250.70.59 no-xauth
crypto isakmp key ***** address 63.250.70.75 no-xauth
crypto isakmp key ***** address 63.250.70.115 no-xauth
crypto isakmp key ***** address 63.250.83.131 no-xauth
crypto isakmp key ***** address 63.250.70.123 no-xauth
crypto isakmp key ***** address 206.221.227.51 no-xauth
crypto isakmp key ***** address 206.221.227.91 no-xauth
crypto isakmp key ***** address 206.221.227.83 no-xauth
crypto isakmp key ***** address 192.168.50.253 no-xauth
!
crypto isakmp client configuration group sysadmin
 key vpnclient
 pool SDM_POOL_1
 acl 100
!
crypto isakmp client configuration group remoteuser
 key vpnclient
 dns 192.168.255.108 192.168.255.109
 domain hahn.int
 pool vpnclient
 netmask 255.255.255.0
!
!
crypto ipsec transform-set remoteaccess esp-3des esp-sha-hmac
crypto ipsec transform-set site_to_site esp-aes 256 esp-sha-hmac
crypto ipsec transform-set akh esp-3des esp-md5-hmac
crypto ipsec transform-set AES256SHATRAN esp-aes 256 esp-sha-hmac
 mode transport
!
crypto dynamic-map remoteaccess 10
 set transform-set remoteaccess
 reverse-route
!
!
crypto map tunnels client authentication list userauthen
crypto map tunnels isakmp authorization list groupauthor
crypto map tunnels client configuration address respond
crypto map tunnels 30 ipsec-isakmp
 description Tunnel To Carmel
 set peer x.x.x.x
 set transform-set site_to_site
 match address CarmelVPN
crypto map tunnels 40 ipsec-isakmp
 description Tunnel to Real Carmel
 set peer x.x.x.x
 set transform-set site_to_site
 match address NewCarmelVPN
crypto map tunnels 50 ipsec-isakmp
 description Tunnel to Real Carmel
 set peer x.x.x.x
 set transform-set site_to_site
 match address FtWayneVPN
crypto map tunnels 60 ipsec-isakmp
 description Tunnel to Louisville
 set peer x.x.x.x
 set transform-set site_to_site
 match address Louisville
crypto map tunnels 70 ipsec-isakmp
 description Tunnel to Real Carmel
 set peer x.x.x.x
 set transform-set site_to_site
 match address ElkhartVPN
crypto map tunnels 80 ipsec-isakmp
 description Tunnel to Bristol
 set peer x.x.x.x
 set transform-set site_to_site
 match address BristolVPN
crypto map tunnels 90 ipsec-isakmp
 description Tunnel to Bristol
 set peer x.x.x.x
 set transform-set AES256SHATRAN
 match address LivoniaVPN
crypto map tunnels 65535 ipsec-isakmp dynamic remoteaccess
!
!
!
!
interface Tunnel1
 description GRE Tunnel to Livonia
 ip address 192.168.50.252 255.255.255.0
 shutdown
 tunnel source FastEthernet0/1
 tunnel destination x.x.x.x
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ETH-LAN$$FW_INSIDE$
 bandwidth 3000
 ip address 192.168.255.252 255.255.255.0
 ip access-group 109 in
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address x.x.x.x 255.255.255.240
 ip access-group 111 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map tunnels
!
ip local pool vpnclient 192.168.100.0 192.168.100.255
ip route 0.0.0.0 0.0.0.0 206.221.225.49
ip route 10.7.255.0 255.255.255.0 192.168.255.253
ip route 192.168.250.0 255.255.255.0 192.168.255.253
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 103 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.255.13 23 206.x.x.x.x route-map nonat extendable
ip nat inside source static tcp 192.168.255.108 12489 x.x.x.x 12489 extendable
ip nat inside source static tcp 192.168.255.109 12490 x.x.x.x 12490 extendable
ip nat inside source static tcp 192.168.255.106 12491 x.x.x.x 12491 extendable
ip nat inside source static tcp 192.168.255.110 25 x.x.x.x 25 extendable
ip nat inside source static tcp 192.168.255.110 80 x.x.x.x 80 extendable
ip nat inside source static tcp 192.168.255.110 443 x.x.x.x 443 extendable
!
ip access-list extended BristolVPN
 permit ip 192.168.255.0 0.0.0.255 10.9.255.0 0.0.0.255
ip access-list extended CarmelVPN
 permit ip 192.168.255.0 0.0.0.255 10.3.255.0 0.0.0.255
ip access-list extended ElkhartVPN
 permit ip 192.168.255.0 0.0.0.255 10.15.255.0 0.0.0.255
ip access-list extended FtWayneVPN
 permit ip 192.168.255.0 0.0.0.255 10.12.255.0 0.0.0.255
ip access-list extended LIVGREVPN
 permit gre host 206.221.225.51 host 206.221.227.83
ip access-list extended LivoniaVPN
 permit ip 192.168.255.0 0.0.0.255 10.7.255.0 0.0.0.255
ip access-list extended Louisville
 permit ip 192.168.255.0 0.0.0.255 10.5.255.0 0.0.0.255
ip access-list extended NewCarmelVPN
 permit ip 192.168.255.0 0.0.0.255 10.6.255.0 0.0.0.255
ip access-list extended SupplyWorxVPN
 permit ip 192.168.255.0 0.0.0.255 10.4.255.0 0.0.0.255
ip access-list extended vpntunnels
!
logging trap debugging
logging 10.0.1.7
access-list 100 remark Cisco VPN Client ACL
access-list 100 permit ip 192.168.255.0 0.0.0.255 any
access-list 103 deny   ip 192.168.255.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 deny   ip 192.168.255.0 0.0.0.255 10.3.255.0 0.0.0.255
access-list 103 deny   ip 192.168.255.0 0.0.0.255 10.5.255.0 0.0.0.255
access-list 103 deny   ip 192.168.255.0 0.0.0.255 10.6.255.0 0.0.0.255
access-list 103 deny   ip 192.168.255.0 0.0.0.255 10.7.255.0 0.0.0.255
access-list 103 deny   ip 192.168.255.0 0.0.0.255 10.4.255.0 0.0.0.255
access-list 103 deny   ip 192.168.255.0 0.0.0.255 10.12.255.0 0.0.0.255
access-list 103 deny   ip 192.168.255.0 0.0.0.255 10.15.255.0 0.0.0.255
access-list 103 deny   ip 192.168.255.0 0.0.0.255 10.16.0.0 0.0.255.255
access-list 103 deny   ip 192.168.255.0 0.0.0.255 10.9.255.0 0.0.0.255
access-list 103 deny   ip 192.168.255.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 103 deny   ip 192.168.255.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 103 permit ip 192.168.255.0 0.0.0.255 any
access-list 109 remark Inside access List
access-list 109 permit udp host 192.168.255.100 eq 1645 host 192.168.255.252
access-list 109 permit udp host 192.168.255.100 eq 1646 host 192.168.255.252
access-list 109 deny   ip host 255.255.255.255 any
access-list 109 deny   ip 127.0.0.0 0.255.255.255 any
access-list 109 permit ip any any
access-list 111 permit ip host 206.221.227.83 any
access-list 111 permit ip 10.9.255.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 111 permit ip 10.6.255.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 111 permit ip 10.15.255.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 111 permit ip 10.12.255.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 111 permit ip 10.3.255.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 111 permit ip 10.7.255.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 111 permit ip 10.5.255.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 111 permit ip 10.4.255.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 111 permit ip 10.16.0.0 0.0.255.255 192.168.255.0 0.0.0.255
access-list 111 permit tcp any host 206.221.225.54 eq smtp
access-list 111 permit tcp any host 206.221.225.54 eq 443
access-list 111 permit tcp any host 206.221.225.54 eq www
access-list 111 permit tcp any host 206.221.225.53 eq telnet
access-list 111 permit tcp any host 206.221.225.53 range 12489 12491
access-list 111 permit ahp any host 206.221.225.51
access-list 111 permit esp any host 206.221.225.51
access-list 111 permit udp any host 206.221.225.51 eq isakmp
access-list 111 permit udp any host 206.221.225.51 eq non500-isakmp
access-list 111 permit icmp any any
access-list 111 deny   ip 192.168.255.0 0.0.0.255 any
access-list 111 deny   ip 10.0.0.0 0.255.255.255 any
access-list 111 deny   ip 172.16.0.0 0.15.255.255 any
access-list 111 deny   ip 192.168.0.0 0.0.255.255 any
access-list 111 deny   ip 127.0.0.0 0.255.255.255 any
access-list 111 deny   ip host 255.255.255.255 any
access-list 111 deny   ip host 0.0.0.0 any
access-list 111 deny   ip any any log
no cdp run
!
!
!
route-map nonat permit 1
 match ip address 103
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 session-timeout 5000
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178696
ntp source FastEthernet0/0
ntp server 192.168.255.108
end

Hahn1841#

Author

Commented:
one of the remote configs

User Access Verification

Username: hahnadmin
Password:
HahnLouisvile871#wr t
Building configuration...

Current configuration : 6027 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname HahnLouisvile871
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
no aaa new-model
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.5.255.254
!
ip dhcp pool sdm-pool
   import all
   network 10.5.255.0 255.255.255.0
   default-router 10.5.255.254
   dns-server 192.168.255.108 192.168.255.109
   lease 0 2
!
!
no ip domain lookup
ip domain name yourdomain.com
ip inspect tcp idle-time 21600
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW tcp timeout 10800
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW streamworks
!
!
crypto pki trustpoint TP-self-signed-1324931980
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1324931980
 revocation-check none
 rsakeypair TP-self-signed-1324931980
!
!

!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key x.x.x.x address x.x.x.x no-xauth
!
!
crypto ipsec transform-set site_to_site esp-aes 256 esp-sha-hmac
!
crypto map tunnels 10 ipsec-isakmp
 description Tunnel to Main site
 set peer x.x.x.x
 set transform-set site_to_site
 match address vpntunnels
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$
 ip address x.x.x.x1 255.255.255.248
 ip access-group 102 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map tunnels
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.5.255.254 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 103 interface FastEthernet4 overload
!
ip access-list extended vpntunnels
 permit ip 10.5.255.0 0.0.0.255 192.168.255.0 0.0.0.255
!
access-list 101 remark Inside ACL
access-list 101 deny   ip 63.250.70.56 0.0.0.7 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 permit ahp host x.x.x.x host 206.221.227.91
access-list 102 permit esp host x.x.x.x host 206.221.227.91
access-list 102 permit udp host x.x.x.x host 206.221.227.91 eq isakmp
access-list 102 permit udp host x.x.x.x host 206.221.227.91 eq non500-isakmp
access-list 102 permit ip 10.5.255.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 102 permit icmp any host x.x.x.x echo-reply
access-list 102 permit icmp any host x.x.x.x time-exceeded
access-list 102 permit icmp any host x.x.x.x unreachable
access-list 102 deny   ip 10.5.255.0 0.0.0.255 any
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark IPSec Nat Rule
access-list 103 deny   ip 10.5.255.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 103 deny   ip 10.5.255.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 permit ip 10.5.255.0 0.0.0.255 any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

HahnLouisvile871#
Commented:
Ah yep... I have had the exact same problem in the past.

On the ip nat statement, we use a route-map statement:
ip nat inside source static tcp 10.0.0.20 443 111.111.111.111 443 route-map RM_NO_NAT extendable

Open in new window


Then the route-map statement:
route-map RM_NO_NAT permit 10
match ip address ACL_NO_NAT

Open in new window


Then the ACL:
ip access-list extended ACL_NO_NAT
deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any

Open in new window


The ACL denies the traffic between 10.0.0.x and 10.0.1.x from the nat statement.

Commented:
More specifically in your case where you have:
ip nat inside source static tcp 192.168.255.110 25 x.x.x.x 25

Open in new window


You need to make it:
ip nat inside source static tcp 192.168.255.110 25 x.x.x.x 25 route-map nonat extendable

Open in new window

in the acl used for nat you must deny traffic destinated for vpn

Commented:
That would only affect the nat overload statement. You must use route map for port forward nat statements.

Author

Commented:
Thank you for your help.  We figured it out a few hours later, but this just confirms that it was the correct answer that we came up with.

Explore More ContentExplore courses, solutions, and other research materials related to this topic.