Cisco router 2811, PAT and VPN

Sep 18th, 2007

Hi,

My configuration is as follows:

Central location (ASA 5520) is connected with the branch office running a 2811 router via IPSec VPN. The router has a single IP address available, so PAT is in place on the outside interface. I have configured the VPN tunnel with the main office and it is functional. In the branch office network I have a server running services on ports 80, 443 and 1352. These server ports are being translated to the outside router IP address. These services are accessible from the outside, but when I try to access these ports on the server through the VPN tunnel, I get no response.

I know this is because I have static translation to the outside interface for these ports. What I need to be able to do is to access the server both from the public and from the corporate network on these ports. How can I configure the router in order to achieve this? I have tried applying the ip policy route-map command on the inside interface and tried to redirect server traffic to a loopback interface, but no success.

Here is the relevant config of the router:

Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(13b), RELEASE SOFTWARE (fc3)

crypto isakmp policy 3
 encr aes
 hash md5
 authentication pre-share
 group 5
crypto isakmp key ******** address 198.67.x.x no-xauth
!
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
!
crypto map VPN_Tunnel 1 ipsec-isakmp
 description Tunnel to HQ
 set peer 198.67.x.x
 set transform-set ESP-AES-MD5
 match address Tunnel_Traffic
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
 ip address 192.168.46.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Outside Interface
 ip address 208.73.x.x 255.255.255.252
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map VPN_Tunnel
!
ip route 0.0.0.0 0.0.0.0 208.73.x.x
!
ip nat translation timeout 90
ip nat inside source static tcp 192.168.46.2 1352 interface FastEthernet0/1 1352
ip nat inside source static tcp 192.168.46.2 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.46.2 443 interface FastEthernet0/1 443
ip nat inside source route-map VPNTunnel interface FastEthernet0/1 overload
!
ip access-list extended Tunnel_Divert
 remark This ACL diverts traffic to the VPN tunnel
 deny ip 192.168.46.0 0.0.0.255 192.168.192.0 0.0.63.255
 deny ip 192.168.46.0 0.0.0.255 140.85.0.0 0.0.255.255
 deny ip 192.168.46.0 0.0.0.255 141.146.128.0 0.0.127.255
 permit ip 192.168.46.0 0.0.0.255 any
ip access-list extended Tunnel_Traffic
 remark This ACL allows the proper traffic through the tunnel
 permit ip 192.168.46.0 0.0.0.255 192.168.192.0 0.0.63.255
 permit ip 192.168.46.0 0.0.0.255 141.146.128.0 0.0.127.255
 permit ip 192.168.46.0 0.0.0.255 140.85.0.0 0.0.255.255
!
route-map VPNTunnel permit 1
 match ip address Tunnel_Divert
!

Thanks

lapascua06 Wed, 09/19/2007 - 19:17

Hi,


You are correct indeed. In the NAT order of operation, static translation is the one considered first, before dynamic translation. The no-NAT configuration referenced by your route-map VPNTunnel is bypassed by the static translations for ports 80, 443 and 1352. The problem is that you cannot do policy NAT (adding a route-map statement) if you are doing port redirection:


ip nat inside source static tcp 192.168.46.2 1352 interface FastEthernet0/1 1352
ip nat inside source static tcp 192.168.46.2 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.46.2 443 interface FastEthernet0/1 443


You can only do policy NAT provided that your server 192.168.46.2 has a dedicated IP address, for example:

ip nat inside source static 192.168.46.2 208.73.x.2 route-map nonat
!
access-list 150 deny ip host 192.168.46.2 192.168.192.0 0.0.63.255
access-list 150 deny ip host 192.168.46.2 141.146.128.0 0.0.127.255
access-list 150 deny ip host 192.168.46.2 140.85.0.0 0.0.255.255
access-list 150 permit ip host 192.168.46.2 any
!
route-map nonat permit 10
 match ip address 150

* Limiting the access from the internet would be the role of the access-list applied on the public interface.


The only solution in my opinion is to access your server 192.168.46.2 via the translated IP on the tunnel, as the translation cannot be bypassed:

1. Put the translated IP as part of your interesting traffic:

ip access-list extended Tunnel_Traffic
 remark This ACL allows the proper traffic through the tunnel
 permit tcp host 208.73.x.x 192.168.192.0 0.0.63.255 eq 80
 permit tcp host 208.73.x.x 141.146.128.0 0.0.127.255 eq 443
 permit tcp host 208.73.x.x 140.85.0.0 0.0.255.255 eq 1352



Hope this helps....


Cheers,

lapascua
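As an added illustration of the order of operations lapascua describes (my own Python model, not IOS code and not part of the thread): the static port entries are consulted before the dynamic route-map rule, and the crypto map on the outside interface then sees the already-translated packet. The public address is masked in the thread, so 208.73.0.1 is a constructed placeholder; `static_has_route_map` models the dedicated-IP variant with `route-map nonat`.

```python
"""Toy model (added example, not IOS code) of the NAT decision lapascua describes.

Inside-to-outside order of operations: static entries are consulted first, then
the dynamic route-map rule; the crypto map on the outside interface then matches
the translated packet against Tunnel_Traffic."""
import ipaddress

# Prefixes come from the thread; the public address is masked there, so
# OUTSIDE_IP is a constructed placeholder.
OUTSIDE_IP = "208.73.0.1"
SERVER = "192.168.46.2"
INSIDE_NET = "192.168.46.0/24"
TUNNEL_NETS = ["192.168.192.0/18", "140.85.0.0/16", "141.146.128.0/17"]
# ip nat inside source static tcp 192.168.46.2 <port> interface FastEthernet0/1 <port>
STATIC_TCP_PORTS = {80, 443, 1352}


def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def to_tunnel(dst):
    return any(in_net(dst, n) for n in TUNNEL_NETS)


def nat_source(src, sport, dst, static_has_route_map=False):
    """Return the (src, port) seen on the outside interface after NAT."""
    if src == SERVER and sport in STATIC_TCP_PORTS:
        # Static entry matches first. Only a non-port static carrying "route-map nonat"
        # (the answer's dedicated-IP variant) can skip it for tunnel destinations.
        if static_has_route_map and to_tunnel(dst):
            return (src, sport)
        return (OUTSIDE_IP, sport)
    # Dynamic rule: route-map VPNTunnel / ACL Tunnel_Divert denies tunnel destinations.
    if in_net(src, INSIDE_NET) and not to_tunnel(dst):
        return (OUTSIDE_IP, sport)  # PAT overload; the port chosen does not matter here
    return (src, sport)


def enters_tunnel(src, dst):
    """Crypto ACL Tunnel_Traffic: permit ip 192.168.46.0/24 -> each tunnel net."""
    return in_net(src, INSIDE_NET) and to_tunnel(dst)


def server_reply_path(sport, dst, static_has_route_map=False):
    """Trace the server's reply towards a client at dst: (outside_src, encrypted)."""
    nat_src, _ = nat_source(SERVER, sport, dst, static_has_route_map)
    return nat_src, enters_tunnel(nat_src, dst)
```

Calling `server_reply_path(80, "192.168.192.10")` gives `("208.73.0.1", False)`: the web server's reply to an HQ client is rewritten to the public address and no longer matches Tunnel_Traffic, which is why the client sees no response, while `server_reply_path(22, "192.168.192.10")` stays untranslated and encrypted.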

ssahadzic Fri, 09/21/2007 - 00:23

Thanks, I'll give it a shot and post the outcome.


ssahadzic Sun, 02/17/2008 - 12:28

Sorry for not reporting earlier. The proposed solution did not work.


davidbuit Thu, 03/19/2009 - 23:31

Hi,


Did you manage to find a resolution to this problem?


Thanks
