dual internet, ezvpn remote and server with NAT

Unanswered Question
Feb 25th, 2007

I have a c1811 with two Internet interfaces NATed with route-maps. Both outside interfaces have ezvpn remote and server configured. ezvpn remote works well, but VPN clients cannot use the Easy VPN server because the traffic is being NATed even though I denied it in the route-map's ACL (172.*.*.0/24):

interface FastEthernet0
 ...
 ip access-group FW1 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect INS1 out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CMAP_1
 crypto ipsec client ezvpn EZVPN1
!
interface Dialer0
 ip address negotiated
 ip access-group FW2 in
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ...
 crypto map CMAP_1
 crypto ipsec client ezvpn EZVPN2
!
interface Vlan1
 ip address 192.168.1.0 255.255.255.0
 ip access-group FWLAN in
 ip nat inside
 ip inspect INS2 in
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn EZVPN1 inside
 crypto ipsec client ezvpn EZVPN2 inside
!
ip nat inside source route-map INT2_RMAP interface Dialer0 overload
ip nat inside source route-map INT1_RMAP interface FastEthernet0 overload
!
route-map INT2_RMAP permit 1
 match ip address NAT2INT2
 match interface Dialer0
!
route-map INT1_RMAP permit 1
 match ip address NAT2INT1
 match interface FastEthernet0
!
ip access-list extended NAT2INT2
 deny ip 192.168.1.0 0.0.0.255 172.1.20.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended NAT2INT1
 deny ip 192.168.1.0 0.0.0.255 172.1.20.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any

sh ip nat session says:

Total active translations: 35 (0 static, 35 dynamic; 35 extended)
Outside interfaces:
  FastEthernet0, Dialer0, Virtual-Access2
Inside interfaces:
  Vlan1
Hits: 23452 Misses: 410
CEF Translated packets: 22922, CEF Punted packets: 971
Expired translations: 604
Dynamic mappings:
-- Inside Source
[Id: 5] access-list internet-list interface Dialer0 refcount 25
[Id: 4] access-list internet-list interface FastEthernet0 refcount 0
[Id: 2] route-map INT1_RMAP interface Dialer0 refcount 0
[Id: 3] route-map INT1_RMAP interface FastEthernet0 refcount 0

I have identified with debug NAT that the VPN client addresses (172.1.20.0/24) are NAT-ed by ID 4 or ID 5 depending on routing, but I do not know what "internet-list" means.

Thanks for help in advance.
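As an added check that is not part of the original post, the Python below evaluates the posted NAT2INT2 access list with Cisco wildcard-mask, first-match semantics against a few constructed flows (the addresses 192.168.1.10, 172.1.20.5, 192.168.100.7 and 203.0.113.1 are made up). It shows that the route-map ACL itself does exempt LAN-to-VPN-client traffic, so a translation seen for 172.1.20.0/24 is consistent with the separate `internet-list` mappings (Id 4 and Id 5) in the show output rather than with the route-maps.

```python
import ipaddress

# Entries of the posted NAT2INT2 list: (action, src, src_wildcard, dst, dst_wildcard).
# Cisco "any" is the same as 0.0.0.0 with wildcard 255.255.255.255.
NAT2INT2 = [
    ("deny",   "192.168.1.0", "0.0.0.255", "172.1.20.0",    "0.0.0.255"),
    ("deny",   "192.168.1.0", "0.0.0.255", "192.168.100.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0",       "255.255.255.255"),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', so only the 0 bits are compared."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_result(acl, src: str, dst: str) -> str:
    """First matching entry wins; an extended ACL ends with an implicit 'deny ip any any'."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def nat_decision(acl, src: str, dst: str) -> str:
    """For 'ip nat inside source route-map', a permit creates a translation; a deny,
    explicit or implicit, means this mapping leaves the packet untranslated.
    (The route-map's 'match interface' clause is not modelled here.)"""
    return "translate" if acl_result(acl, src, dst) == "permit" else "no-translate"


if __name__ == "__main__":
    flows = [
        ("192.168.1.10", "172.1.20.5"),    # LAN -> Easy VPN client pool: exempted
        ("192.168.1.10", "192.168.100.7"), # LAN -> remote ezvpn site: exempted
        ("192.168.1.10", "203.0.113.1"),   # LAN -> Internet: translated
        ("172.1.20.5", "192.168.1.10"),    # VPN client as source: no entry matches
    ]
    for src, dst in flows:
        print(f"{src:>14} -> {dst:<14} {acl_result(NAT2INT2, src, dst):6} {nat_decision(NAT2INT2, src, dst)}")
```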
