ezvpn client and server on same if and NAT

Unanswered Question
Jul 7th, 2007

I am trying to configure a c871 to connect to HQ via EzVPN client and also accept VPN Client connections. I did everything exactly as described in this document:


http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008032b637.shtml


The EzVPN client is working well but the VPN Clients cannot reach the subnet behind the router because the backward traffic is being NATed:


Pro Inside global Inside local Outside local Outside global

icmp 84.233.160.110:1280 192.168.22.2:1280 172.1.22.2:1280 172.1.22.2:1280


192.168.22.0/24 is the LAN behind the router and 172.1.22.2 is one of the VPN Clients pool.


This happens even if I delete all "ip nat inside source" statements.


One more info:

#sh ip nat statistics

Total active translations: 1 (0 static, 1 dynamic; 1 extended)

Outside interfaces:

FastEthernet4

Inside interfaces:

Dot11Radio0, Vlan1, Virtual-Dot11Radio0

Hits: 2115 Misses: 0

CEF Translated packets: 2113, CEF Punted packets: 0

Expired translations: 0

Dynamic mappings:

-- Inside Source

[Id: 2] access-list internet-list interface FastEthernet4 refcount 1

Queued Packets: 0



Please give me some ideas, because I have read a lot and tried almost everything (latest IOS, another router) and could not find a solution.


THX

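Added example, not code from the posts above or from Cisco: a small Python checker for the symptom in the question. It parses "show ip nat translations" output shaped like the table above, flags every translation whose outside-local address lies in the VPN client pool (those are LAN-to-client packets that were translated instead of exempted), and evaluates an IOS-style extended ACL the way the NAT route-map would, once without and once with a "deny" for the pool, to show why a missing exemption produces exactly those entries. The sample table, the two ACLs and their names, and all addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for the router's public IP and an Internet host) are constructed for the example.

```python
"""Flag NAT translations that rewrite traffic bound for an EzVPN client pool.

Added example for this thread, not code from the posts or from Cisco. All
addresses, ACL contents and names below are constructed/assumed.
"""
import ipaddress
import re

# Constructed sample modelled on the thread's table: a LAN host answering a
# VPN client (172.1.22.2) and another LAN host talking to an Internet host.
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 203.0.113.10:1280 192.168.22.2:1280  172.1.22.2:1280    172.1.22.2:1280
tcp  203.0.113.10:1025 192.168.22.15:80   198.51.100.7:3368  198.51.100.7:3368
"""

# Constructed NAT ACLs (assumed names). The first matches every LAN source,
# so even LAN -> VPN-pool traffic is overloaded onto the WAN address.
NAT_ACL_BAD = ["permit ip 192.168.22.0 0.0.0.255 any"]
# The second exempts the pool first: IOS evaluates entries top down and a
# 'deny' in a NAT ACL means 'do not translate'. Wildcard 0.0.0.15 covers
# 172.1.22.0-15, which includes a pool of 172.1.22.1-10.
NAT_ACL_FIXED = [
    "deny ip 192.168.22.0 0.0.0.255 172.1.22.0 0.0.0.15",
    "permit ip 192.168.22.0 0.0.0.255 any",
]

# A data row has exactly five whitespace-separated fields; the header has
# more words than that and therefore never matches.
_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def _strip_port(token):
    """'10.0.0.1:80' -> '10.0.0.1'; '---' (no translation shown) -> None."""
    return None if token == "---" else token.rsplit(":", 1)[0]


def parse_translations(text):
    """Turn 'show ip nat translations' rows into a list of dicts."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        proto, ig, il, ol, og = m.groups()
        rows.append({"proto": proto, "inside_global": _strip_port(ig),
                     "inside_local": _strip_port(il),
                     "outside_local": _strip_port(ol),
                     "outside_global": _strip_port(og)})
    return rows


def find_pool_leaks(text, pool_cidr):
    """Translations whose outside-local address is a VPN client.

    A LAN host answering a client should go over the tunnel untranslated; if
    it shows up here, NAT rewrote the source and the client never gets a
    reply from the address it sent to.
    """
    pool = ipaddress.ip_network(pool_cidr)
    return [row for row in parse_translations(text)
            if row["outside_local"]
            and ipaddress.ip_address(row["outside_local"]) in pool]


def _parse_spec(tokens, i):
    """Parse one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def _spec_matches(net, wild, addr):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def acl_permits(acl_lines, src, dst):
    """First-match evaluation of an extended 'ip' ACL used for NAT.

    True means the flow is translated; False means an explicit deny (NAT
    exemption) or the implicit deny at the end of the list.
    """
    for line in acl_lines:
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if proto != "ip":
            raise ValueError("only 'ip' entries are handled in this example")
        src_net, src_wild, i = _parse_spec(tokens, 2)
        dst_net, dst_wild, _ = _parse_spec(tokens, i)
        if _spec_matches(src_net, src_wild, src) and _spec_matches(dst_net, dst_wild, dst):
            return action == "permit"
    return False


if __name__ == "__main__":
    for row in find_pool_leaks(SAMPLE_OUTPUT, "172.1.22.0/28"):
        print("NATed VPN-pool flow:", row["proto"], row["inside_local"],
              "->", row["outside_local"], "as", row["inside_global"])
    print("bad ACL translates LAN->pool:", acl_permits(NAT_ACL_BAD, "192.168.22.2", "172.1.22.2"))
    print("fixed ACL translates LAN->pool:", acl_permits(NAT_ACL_FIXED, "192.168.22.2", "172.1.22.2"))
```

Run it as-is to see the icmp entry reported as a leak and the two ACL verdicts; paste a real "show ip nat translations" capture into SAMPLE_OUTPUT and the pool CIDR into the find_pool_leaks call to check a live router. Note that this only models the NAT ACL itself; as the later replies point out, an EzVPN client with local-address also installs its own mapping, so an empty-looking NAT configuration can still translate.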
dradhika (Cisco Employee) Sun, 07/08/2007 - 00:24

Statistics show that there is a dynamic NAT rule.

Are there no NAT commands on the router now?

If there are any, can you try deleting them and check?

If you have already deleted all the NAT commands, then try clearing all the translations as below:

Remove NAT from the interfaces first (no ip nat inside/outside),

then give clear ip nat translations *

(this will delete all the dynamic NAT translations),

then enable NAT again on the interfaces.


HTH,

Radhika



eurogatebp Sun, 07/08/2007 - 01:16

Thanks Radhika,


I did what you suggested.


I have deleted all dynamic NAT rules:

no ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload

no ip nat inside source static tcp 192.168.22.2 22 {router public IP} 2122 route-map SDM_RMAP_2 extendable


disabled ip nat inside/outside and cleared the NAT table.


After that I connected a VPN Client and the result is the same:


sh ip nat tra

Pro Inside global Inside local Outside local Outside global

tcp {router public IP}:1 192.168.22.15:80 172.1.22.1:3368 172.1.22.1:3368

icmp {router public IP}:1024 192.168.22.15:1280 172.1.22.1:1280 172.1.22.1:1024

tcp {router public IP}:3389 192.168.22.15:3389 172.1.22.1:3367 172.1.22.1:3367


#sh ip nat statistics

Total active translations: 1 (0 static, 1 dynamic; 1 extended)

Outside interfaces:

FastEthernet4

Inside interfaces:

Dot11Radio0, Vlan1, Virtual-Dot11Radio0

Hits: 27 Misses: 5

CEF Translated packets: 31, CEF Punted packets: 0

Expired translations: 5

Dynamic mappings:

-- Inside Source

[Id: 2] access-list internet-list interface FastEthernet4 refcount 1

Queued Packets: 0


dradhika (Cisco Employee) Sun, 07/08/2007 - 10:16

I think it's because of the ip local pool CLI.


Does the IP range in the pool contain 192.168.22.15?


Then I think NAT might not be the problem, because when the packet returns the NAT IP is replaced with the public IP.


Are you sure NAT is causing the problem?


Thanks,

Radhika


eurogatebp Sun, 07/08/2007 - 12:20

No, 192.168.22.15 is an IP connected to the LAN (Vlan1). The local pool is 172.1.22.1-10.


I am not sure, but I cannot imagine what else it could be.

Why are packets NATed when there are no dynamic NAT commands? And when I put them back, I have denied 172.1.22.0/30 in the route-map ACL.


Anyway, what is this dynamic NAT?

[Id: 2] access-list internet-list interface FastEthernet4 refcount 1

I do not have an "internet-list" ACL at all.




dradhika (Cisco Employee) Sun, 07/08/2007 - 22:47

Can you send your config file?


Thanks,

Radhika

eurogatebp Mon, 07/09/2007 - 06:13

Dear Radhika,


Please find the config attached.

I have replaced the first 3 octets of the router's public IP range with *.*.*.



Many Thanks!



dradhika (Cisco Employee) Mon, 07/09/2007 - 06:31

I was able to create an EzVPN configuration on my setup and these are my findings:

1. On the EzVPN client config, if you have "local-address interface", then when you give "sh ip nat statistics" this will be shown as

internet-list interface name


2. The dynamic entries will be created when you try to ping the inside network on the server from the client's inside network.

This happens because the source IP changed to the IP that was assigned to the client.


Not sure why you were not able to ping the inside network, as it works fine for me.

Here are my configs. Please check out, it might help you.



Client Configuration -

connect manual
group china key mnbvcxz
local-address FastEthernet0/0
mode client
peer x.x.x.x [server ip]
xauth userid mode interactive
!


Server Configuration:-

crypto isakmp policy 55
hash md5
authentication pre-share
crypto isakmp keepalive 10
!
crypto isakmp client configuration group china
key mnbvcxz
pool dpool
acl 150 [ split tunnelling - anything going from inside to outside need not be natted]
!
!
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set 3des
reverse-route
!
!
crypto map mymap isakmp authorization list groupauthor
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!


HTH,

Radhika

eurogatebp Mon, 07/09/2007 - 08:53

Thanks, I will compare it to my config again.


The EzVPN tunnel is working fine from the "server" router to the client router and vice versa, BUT the software clients connecting to the "client" router, which has an EzVPN server configured too, cannot reach the local network behind this router.


In this example:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008032b637.shtml


The two subnets behind RouterA and RouterB can reach each other, BUT the VPN Client cannot reach the subnet behind RouterA when it is connected to its EzVPN server.

