Split Tunnel VPN Server and NAT Port Forwarding Issues

Unanswered Question
May 8th, 2008

Hello,

I was taking too long to find a document to configure a VPN server on my 1751, so I ended up using the SDM software. I have everything pretty basic, and 1 NAT port forwarding for VNC port 410xx sent to inside IP 1.1.1.xx.

When I set up the VPN with the SDM software, at the end of the config it told me there was a NAT rule that needed to be updated to work with the VPN. I had no clue what that was all about, so I let it do its update on the rule. Well, it changed my:

ip nat inside source static tcp 1.1.1.xx 410xx interface Dialer1 410xx

to

route-map sdm_rmap_1 permit 41069

Which DID NOT WORK!

It changed the rule, and the port forwarding stopped. I deleted it and added my static NAT rule back in and voila. My question on this is that normally the VNC port gets forwarded from Dialer1 to my PC when I access from remote. When I'm connected via VPN client, however, the only way I can access VNC is back out through the internet. It won't let me access VNC through the VPN by just VNCing to the local 1.1.1.x address with the 410xx port number.

How can I set this up to allow both? I would like the remote control session encrypted over the internet (using the VPN) any time that I am connected to my network via VPN.

sandman420 Thu, 05/08/2008 - 07:46

My config is as follows:


SANDBOX_1751#show run
Building configuration...

Current configuration : 3666 bytes
!
! Last configuration change at 09:59:52 CST Thu May 8 2008
! NVRAM config last updated at 08:24:32 CST Thu May 8 2008 by root
!
version 12.3
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SANDBOX_1751
!
boot-start-marker
boot system flash:c1700-k9o3sy7-mz.123-13.bin
boot-end-marker
!
!
memory-size iomem 20
clock timezone CST -6
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login userauthenticate local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
!
ip domain name XXX.com
ip name-server 64.91.3.46
ip name-server 64.91.3.60
!
ip cef
ip audit po max-events 100
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
username XXXX privilege 15 secret xxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group group1
 key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 dns 1.1.1.3 1.1.1.1
 wins 1.1.1.200
 domain XXX.com
 pool SDM_POOL_1
 acl 100
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Ethernet0/0
 description iburst
 no ip address
 ip nat outside
 ip tcp adjust-mss 1452
 full-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface FastEthernet0/0
 description Lan
 ip address 1.1.1.3 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap password 7 03145A1815
 ppp pap sent-username XXXXXXX password xxx
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 1.1.1.150 1.1.1.159
ip nat inside source static tcp 1.1.1.XX 410XX interface Dialer1 410XX
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip http port XXXXXX
ip http secure-server
!
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 1.1.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=2
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.150
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.151
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.152
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.153
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.154
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.155
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.156
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.157
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.158
access-list 101 deny ip 1.1.1.0 0.0.0.255 host 1.1.1.159
access-list 101 permit ip 1.1.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input ssh
!
end
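The NAT behaviour behind the breakage, as an added model that is not part of the thread and not Cisco code: it evaluates ACL 101 and the two NAT statements from the posted config against the VNC reply flow, assuming the masked 1.1.1.XX / 410XX stand for 1.1.1.20 / 41020 and that the host route injected by reverse-route makes the VNC server's reply to a VPN-pool client an inside-to-outside flow. It shows that the static entry carries no route-map gate, so that reply is translated to the Dialer1 address while ordinary LAN-to-client traffic is exempted by ACL 101's deny entries.

```python
import ipaddress

# Constructed model of the posted config (not IOS code). The masked
# placeholders 1.1.1.XX / 410XX are assumed to be 1.1.1.20 / 41020.
ACL_101 = [
    ("deny", "1.1.1.0", "0.0.0.255", f"1.1.1.{h}") for h in range(150, 160)
] + [("permit", "1.1.1.0", "0.0.0.255", None)]   # None = "any" destination

# ip nat inside source static tcp 1.1.1.20 41020 interface Dialer1 41020
STATIC_NAT = {"local": ("1.1.1.20", 41020), "global": ("DIALER1_IP", 41020)}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask semantics: a 1 bit in the mask means don't care."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)


def acl_101_permits(src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, base, wc, host in ACL_101:
        if wildcard_match(src, base, wc) and (host is None or host == dst):
            return action == "permit"
    return False


def translate_inside_to_outside(src, sport, dst):
    """Simplified inside->outside NAT decision (assumption: IOS consults a
    matching static entry before the dynamic/overload rule). The static entry
    has no route-map, so it is unconditional; the overload rule is gated by
    route-map SDM_RMAP_1, i.e. by ACL 101. Returns the post-NAT source."""
    if (src, sport) == STATIC_NAT["local"]:
        return STATIC_NAT["global"]          # VNC reply rewritten to Dialer1 IP
    if acl_101_permits(src, dst):
        return ("DIALER1_IP", "pat-port")    # ordinary internet traffic: PAT
    return (src, sport)                      # LAN -> VPN pool: left alone


if __name__ == "__main__":
    # The VNC server answering a VPN client in the pool is still translated.
    print(translate_inside_to_outside("1.1.1.20", 41020, "1.1.1.150"))
    # Any other LAN-to-pool flow is exempted by ACL 101 as SDM intended.
    print(translate_inside_to_outside("1.1.1.20", 50000, "1.1.1.150"))
```

Swapping in the SDM-generated route-map form of the static entry would amount to gating the first branch on the same ACL check, which is the behaviour the model shows is missing.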
