Couple Questions

Unanswered Question
Jan 30th, 2007

A couple questions.

If I go to mail.domain.com.au externally, I reach the required page.

If I go to mail.domain.com.au internally, I get a DNS error.

I could just add a new DNS Zone, however I want to add it in the router so if I type the external domain locally I can reach the required page.

Another question ...

I have a port forward set up on the router:

ip nat inside source static tcp 10.0.2.61 3389 150.101.xxx.xx 3389 extendable

Now when I connect via VPN and try to remote desktop to 10.0.2.61 ... it doesn't work.

However, if I disconnect from the VPN and connect via RDP remotely (150.101.xxx.xx), it connects.

When connected via VPN, I can connect to everything via RDP except the IP address which is in the port forward rule.

My VPN IP address is 10.0.4.x.

How can I get by this?

Help Appreciated

Here is some of the config ...

!
ip local pool ippool 10.0.4.1 10.0.4.50
ip classless
ip route 0.0.0.0 0.0.0.0 150.101.xxx.xx
no ip http server
ip http access-class 90
no ip http secure-server
ip nat inside source list nat-allowed interface Vlan13 overload
ip nat inside source static tcp 10.0.2.61 25 150.101.xxx.xx 25 extendable
ip nat inside source static tcp 10.0.2.61 80 150.101.xxx.xx 80 extendable
ip nat inside source static tcp 10.0.2.82 443 150.101.xxx.xx 443 extendable
ip nat inside source static tcp 10.0.2.61 3389 150.101.xxx.xx 3389 extendable
!
!
!
ip access-list standard snmp-allow
 permit 10.0.2.0 0.0.0.255
 permit 10.0.3.0 0.0.0.255
 permit 10.0.4.0 0.0.0.255
!
ip access-list extended allowed-from-internet
 permit tcp any host 150.101.xxx.xx eq smtp
 permit tcp any host 150.101.xxx.xx eq www
 permit tcp any host 150.101.xxx.xx eq 22
 permit udp any host 150.101.xxx.xx eq non500-isakmp
 permit udp any host 150.101.xxx.xx eq isakmp
 deny ip any any
ip access-list extended bogons-and-netbios
 remark allow VPN clients full access
 permit ip 10.0.2.0 0.0.0.255 10.0.4.0 0.0.0.255
 permit ip 10.0.3.0 0.0.0.255 10.0.4.0 0.0.0.255
 remark deny all NetBIOS leaving the network
 deny tcp 10.0.2.0 0.0.0.255 range 135 139 any
 deny udp 10.0.2.0 0.0.0.255 range 135 netbios-ss any
 deny tcp 10.0.2.0 0.0.0.255 any range 135 139
 deny udp 10.0.2.0 0.0.0.255 any range 135 netbios-ss
 permit ip any any
ip access-list extended nat-allowed
 deny ip 10.0.2.0 0.0.0.255 10.0.4.0 0.0.0.255
 deny ip 10.0.3.0 0.0.0.255 10.0.4.0 0.0.0.255
 deny tcp 10.0.2.0 0.0.0.255 range 135 139 any
 deny udp 10.0.2.0 0.0.0.255 range 135 netbios-ss any
 deny tcp 10.0.2.0 0.0.0.255 any range 135 139
 deny udp 10.0.2.0 0.0.0.255 any range 135 netbios-ss
 permit ip 10.0.2.0 0.0.0.255 any
 permit ip 10.0.3.0 0.0.0.255 any
ip access-list extended vpn-split-tunnel
 permit ip 10.0.2.0 0.0.0.255 10.0.4.0 0.0.0.255
 permit ip 10.0.3.0 0.0.0.255 10.0.4.0 0.0.0.255
logging trap debugging
access-list 90 permit 10.0.2.0 0.0.0.255
access-list 90 permit 10.0.3.0 0.0.0.255
access-list 90 permit 10.0.4.0 0.0.0.255
access-list 90 deny any
access-list 142 permit icmp any any
dialer-list 1 protocol ip permit
snmp-server community thinkSNMP RO snmp-allow
snmp-server location xxxxx
snmp-server enable traps tty
snmp-server host 10.0.2.62 version 2c thinkSNMP aaa_server ipsec
no cdp run
!

nyr.hakeem-habeeb Fri, 02/02/2007 - 08:24

Hi

It's highly possible that reverse traffic from the server 10.0.2.61 is being NATed back to the VPN client, hence failing the session.

Please rate if this helps.

Thanks

HH

nyr.hakeem-habeeb Sun, 02/04/2007 - 19:12

Hi

You could give the server a secondary IP, then when your VPN is established ... connect to the new IP instead.

You can assign the secondary IP under Advanced TCP/IP settings.

Please rate if this helps.

Thanks

HH

duckmiester Tue, 02/06/2007 - 13:52

Is there anything in which I could do on the router itself?

If so, how would I go about that?

Or would it not be recommended?

Thanks for your help!

nyr.hakeem-habeeb Wed, 02/07/2007 - 04:56

Hi

You could configure your VPN server using an IPsec virtual tunnel interface. As only traffic traversing the inside and outside interfaces would be NATed, traffic destined for the VPN client won't be subject to these NAT rules. Follow the link below to a config example; the section title is "Easy VPN with an IPsec Virtual Tunnel Interface: Example".

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_feature_guide09186a008055c37a.html#wp1179198

Hope this helps.

Thanks

HH
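To make the diagnosis in the replies concrete, here is an added illustration that is not from the thread and not Cisco code: a small Python model of how IOS applies the posted NAT rules on the inside-to-outside path. It shows why the SYN/ACK from 10.0.2.61:3389 to a VPN client is caught by the static port-forward entry even though the "nat-allowed" ACL denies 10.0.2.0/24 to 10.0.4.0/24 (static entries are never checked against that ACL), why RDP to any other inside host works, and why sending the reply out an IPsec VTI (an interface that is not "ip nat outside") avoids the translation. The VPN client address 10.0.4.5, its port 50000, the inside host 10.0.2.50 and the PUBLIC_IP placeholder for the masked 150.101.xxx.xx are all constructed for the example.

```python
# Added example: a toy model of the NAT decision IOS makes for the posted rules.
# Not code from the thread or from Cisco. Constructed values (not from the page):
# VPN client 10.0.4.5, client port 50000, inside host 10.0.2.50, and PUBLIC_IP
# standing in for the masked 150.101.xxx.xx.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

PUBLIC_IP = "150.101.0.1"  # placeholder for the masked 150.101.xxx.xx


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# The four static PAT entries from the posted config:
# (inside local address, local port) -> (inside global address, global port).
STATIC_NAT = {
    ("10.0.2.61", 25): (PUBLIC_IP, 25),
    ("10.0.2.61", 80): (PUBLIC_IP, 80),
    ("10.0.2.82", 443): (PUBLIC_IP, 443),
    ("10.0.2.61", 3389): (PUBLIC_IP, 3389),
}

# Address-level lines of extended ACL "nat-allowed" (the NetBIOS port denies are
# omitted; they do not affect RDP). This ACL governs ONLY the dynamic "overload"
# rule; static entries are never evaluated against it.
NAT_ALLOWED = [
    ("deny", "10.0.2.0/24", "10.0.4.0/24"),
    ("deny", "10.0.3.0/24", "10.0.4.0/24"),
    ("permit", "10.0.2.0/24", "0.0.0.0/0"),
    ("permit", "10.0.3.0/24", "0.0.0.0/0"),
]


def acl_permits(acl, pkt):
    """First-match evaluation with the implicit deny at the end."""
    for action, src_net, dst_net in acl:
        if ip_address(pkt.src) in ip_network(src_net) and ip_address(pkt.dst) in ip_network(dst_net):
            return action == "permit"
    return False


def translate_inside_to_outside(pkt, egress_is_nat_outside=True):
    """Return the packet as it leaves the router on the inside->outside path.

    Order modelled: a matching static entry always wins; otherwise the dynamic
    overload rule applies only if nat-allowed permits the flow. No translation
    happens at all when the egress interface is not "ip nat outside", which is
    the case for an IPsec virtual tunnel interface.
    """
    if not egress_is_nat_outside:
        return pkt
    key = (pkt.src, pkt.sport)
    if pkt.proto == "tcp" and key in STATIC_NAT:
        g_ip, g_port = STATIC_NAT[key]
        return replace(pkt, src=g_ip, sport=g_port)
    if acl_permits(NAT_ALLOWED, pkt):
        # Real PAT would also pick a fresh source port; the address is what matters here.
        return replace(pkt, src=PUBLIC_IP)
    return pkt


def rdp_reply_over_vpn(server, use_vti=False):
    """Simulate the SYN/ACK from server:3389 back to the VPN client.

    Returns (session_ok, packet_on_wire). The client only accepts a reply whose
    source matches the address it connected to.
    """
    client, client_port = "10.0.4.5", 50000  # constructed values
    syn = Packet(src=client, sport=client_port, dst=server, dport=3389)
    syn_ack = Packet(src=server, sport=3389, dst=client, dport=client_port)
    on_wire = translate_inside_to_outside(syn_ack, egress_is_nat_outside=not use_vti)
    return on_wire.src == syn.dst, on_wire


if __name__ == "__main__":
    for server, vti in (("10.0.2.61", False), ("10.0.2.50", False), ("10.0.2.61", True)):
        ok, pkt = rdp_reply_over_vpn(server, use_vti=vti)
        state = "works" if ok else "FAILS"
        print(f"server={server} vti={vti}: reply src={pkt.src}:{pkt.sport} -> {state}")
```

Running it shows the three cases from the thread side by side: the reply from 10.0.2.61 leaves with source 150.101.xxx.xx:3389 and the client discards it, the reply from 10.0.2.50 is untouched because "nat-allowed" denies the flow and no static entry matches, and the 10.0.2.61 reply is also untouched once it egresses via a VTI. When troubleshooting the real box, "show ip nat translations" on a failing session will show the 10.0.2.61:3389 to 10.0.4.x entry using the static global address, which is the symptom this model reproduces.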
