07-07-2007 10:29 PM - edited 03-09-2019 06:20 PM
I am trying to configure a c871 to connect to HQ via EzVPN client and to accept VPN Client connections. I did everything exactly as described in this document:
The EzVPN client is working well, but the VPN Clients cannot reach the subnet behind the router because the return traffic is being NATed:
Pro Inside global Inside local Outside local Outside global
icmp 84.233.160.110:1280 192.168.22.2:1280 172.1.22.2:1280 172.1.22.2:1280
192.168.22.0/24 is the LAN behind the router and 172.1.22.2 is one of the VPN Clients pool.
This happens even if I delete all "ip nat inside source" statements.
One more piece of info:
#sh ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Outside interfaces:
FastEthernet4
Inside interfaces:
Dot11Radio0, Vlan1, Virtual-Dot11Radio0
Hits: 2115 Misses: 0
CEF Translated packets: 2113, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 2] access-list internet-list interface FastEthernet4 refcount 1
Queued Packets: 0
Please give me some ideas, because I have read a lot and tried almost everything (latest IOS, another router) and could not find a solution.
THX
07-08-2007 12:24 AM
The statistics show that there is a dynamic NAT rule.
Are there no NAT commands on the router now?
If there are any, can you try deleting them and check?
If you have already deleted all the NAT commands, then try clearing all the translations as below:
1. Remove NAT from the interfaces first (no ip nat inside/outside)
2. Then give clear ip nat translation *
(this will delete all the dynamic NAT translations)
3. Enable NAT again on the interfaces
HTH,
Radhika
07-08-2007 01:16 AM
Thanks Radhika,
I did what you suggested.
I have deleted all dynamic NAT rules:
no ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
no ip nat inside source static tcp 192.168.22.2 22 {router public IP} 2122 route-map SDM_RMAP_2 extendable
Then I disabled ip nat inside/outside and cleared the NAT table.
After that I connected a VPN Client, and the result is the same:
sh ip nat tra
Pro Inside global Inside local Outside local Outside global
tcp {router public IP}:1 192.168.22.15:80 172.1.22.1:3368 172.1.22.1:3368
icmp {router public IP}:1024 192.168.22.15:1280 172.1.22.1:1280 172.1.22.1:1024
tcp {router public IP}:3389 192.168.22.15:3389 172.1.22.1:3367 172.1.22.1:3367
#sh ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Outside interfaces:
FastEthernet4
Inside interfaces:
Dot11Radio0, Vlan1, Virtual-Dot11Radio0
Hits: 27 Misses: 5
CEF Translated packets: 31, CEF Punted packets: 0
Expired translations: 5
Dynamic mappings:
-- Inside Source
[Id: 2] access-list internet-list interface FastEthernet4 refcount 1
Queued Packets: 0
07-08-2007 10:16 AM
I think it's because of the ip local pool CLI.
Does the IP range in the pool contain 192.168.22.15?
Then I think NAT might not be the problem, because when the packet returns, the NAT IP is replaced with the public IP.
Are you sure NAT is causing the problem?
Thanks,
Radhika
07-08-2007 12:20 PM
No, 192.168.22.15 is an IP connected to the LAN (Vlan1). The local pool is 172.1.22.1-10.
I am not sure, but I cannot imagine what else it could be.
Why are packets NAT-ed when there are no dynamic NAT commands? And when I put them back, I have denied 172.1.22.0/30 in the route-map ACL.
Anyway, what is this dynamic NAT?
[Id: 2] access-list internet-list interface FastEthernet4 refcount 1
I do not have "internet-list" acl at all.
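An added diagnostic check (written for this rewrite, not from the thread or from Cisco): it parses a translation table in the format quoted above, flags rows where replies from the LAN towards a VPN client pool address have been translated, and reports which pool addresses a route-map ACL deny such as 172.1.22.0/30 leaves uncovered. The sample table and the public IP 203.0.113.10 are constructed; the pool 172.1.22.1-10 and the /30 deny are taken from this thread as assumptions.

```python
import ipaddress
import re
# Constructed sample in the layout of the "sh ip nat translations" output quoted
# in the thread; 203.0.113.10 stands in for the "{router public IP}" placeholder.
NAT_TABLE = """\
Pro Inside global      Inside local       Outside local       Outside global
tcp 203.0.113.10:1     192.168.22.15:80   172.1.22.1:3368     172.1.22.1:3368
icmp 203.0.113.10:1024 192.168.22.15:1280 172.1.22.1:1280     172.1.22.1:1024
tcp 203.0.113.10:443   192.168.22.15:443  198.51.100.7:51000  198.51.100.7:51000
"""
# VPN client pool (172.1.22.1-10) and the "deny 172.1.22.0/30" from the thread.
VPN_POOL = ("172.1.22.1", "172.1.22.10")
DENY_ACL = "172.1.22.0/30"

ROW_RE = re.compile(r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def split_ip_port(token):
    """'a.b.c.d:port' -> (IPv4Address, port); a bare address gets port None."""
    ip, _, port = token.partition(":")
    return ipaddress.ip_address(ip), (int(port) if port else None)

def parse_translations(text):
    """Parse the translation rows, skipping the header and unrelated lines."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m or m.group(1) == "Pro":
            continue
        proto, ig, il, ol, og = m.groups()
        entries.append({"proto": proto, "inside_global": split_ip_port(ig),
                        "inside_local": split_ip_port(il),
                        "outside_local": split_ip_port(ol),
                        "outside_global": split_ip_port(og)})
    return entries

def in_pool(addr, pool):
    first, last = (ipaddress.ip_address(p) for p in pool)
    return first <= addr <= last

def nated_towards_pool(entries, pool=VPN_POOL):
    """Rows showing the symptom: a LAN host's reply to a VPN client got PATed."""
    return [e for e in entries if in_pool(e["outside_global"][0], pool)]

def pool_not_covered(pool=VPN_POOL, deny=DENY_ACL):
    """Pool addresses a 'deny <net>' in the NAT route-map ACL would still miss."""
    net = ipaddress.ip_network(deny)
    first, last = (int(ipaddress.ip_address(p)) for p in pool)
    return [str(ipaddress.ip_address(i)) for i in range(first, last + 1)
            if ipaddress.ip_address(i) not in net]
```

Running it against the sample shows two translated rows towards 172.1.22.1 and seven pool addresses (.4 to .10) that a /30 deny does not cover.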
07-08-2007 10:47 PM
Can you send your config file?
Thanks,
Radhika
07-09-2007 06:13 AM
07-09-2007 06:31 AM
I was able to create an EzVPN configuration on my setup, and these are my findings:
1. In the EzVPN client config, if you have a local-address interface, then when you give sh ip nat statistics it will be shown as:
internet-list interface name
2. The dynamic entries will be created when you try to ping the inside network on the server from the client's inside network.
This happens because the source IP is changed to the IP that was assigned to the client.
Not sure why you were not able to ping the inside network, as it works fine for me.
Here are my configs. Please check out, it might help you.
Client Configuration -
connect manual
group china key mnbvcxz
local-address FastEthernet0/0
mode client
peer x.x.x.x[server ip]
xauth userid mode interactive
!
Server Configuration:-
crypto isakmp policy 55
hash md5
authentication pre-share
crypto isakmp keepalive 10
!
crypto isakmp client configuration group china
key mnbvcxz
pool dpool
acl 150 [split tunnelling - anything going from inside to outside need not be NATed]
!
!
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set 3des
reverse-route
!
!
crypto map mymap isakmp authorization list groupauthor
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
HTH,
Radhika
07-09-2007 08:53 AM
Thanks, I will compare it to my config again.
The EzVPN tunnel is working fine from the "server" router to the client router and vice versa, BUT the software clients that connect to the "client" router, which has an EzVPN server configured too, cannot reach the local network behind this router.
In this example:
The two subnets behind RouterA and RouterB can reach each other, BUT the VPN Client cannot reach the subnet behind RouterA when it is connected to its EzVPN server.