NAT inbound and VPN issue - surely not?!

Unanswered Question
Jun 24th, 2008

Hi all,

If you have a server on a LAN (say 192.168.20.100) and you have IPsec LAN-to-LAN sites that can talk to each other, including the server, then you have a fairly standard scenario.

If you then need the Internet to be able to talk to that server e.g. "ip nat inside source 192.168.20.100 80 x.x.x.x 80", then your server is mapped to your public IP on port 80 and your VPN sites can't talk to it on port 80 (in Cisco IOS - this is the first time I have ever come across this kind of issue on any other kind of router or firewall).

Surely this has cropped up before. I can't find anything on the Internet about it though. Am I being stupid? How can I get round this situation for my customer?

Any help will be greatly appreciated. See config (the port forward/inside source static line has been removed):

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HQ
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key z02xr15MPw0z5kh address y.y.y.y
crypto isakmp key SFJc45JPq6g64V2 address z.z.z.z
!
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer y.y.y.y
 set transform-set TRANSFORM
 set pfs group2
 match address 115
crypto map VPN 20 ipsec-isakmp
 set peer z.z.z.z
 set transform-set TRANSFORM
 set pfs group2
 match address 125
!
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address x.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 j.j.j.j
!
ip http server
no ip http secure-server
ip nat pool CUST-NATPOOL x.x.x.x x.x.x.x netmask 255.255.255.248
ip nat inside source route-map NONAT pool CUST-NATPOOL overload
!
ip access-list logging interval 1
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
access-list 115 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 125 permit ip any 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip permit
!
route-map NONAT permit 10
 match ip address 110
!
control-plane
!
alias exec i sh ip int brief
!
line con 0
line aux 0
line vty 0 4
 login
!
end

aghaznavi Mon, 06/30/2008 - 08:08

Use random ports for vpn. The only ports available are UDP 500 and UDP 4500 when using nat transparency and a VPN.

davey.red Mon, 06/30/2008 - 08:45

It's ok. I found the solution. You need to use a conditional route-map on the end of the inbound NAT statement. This will exempt the VPN sites from the static mapping that you define.

Easy when you know how :)
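The fix davey.red describes, written out as an added example (not part of the original thread and not the poster's own working config): the static port-forward carries a route-map whose ACL denies the server's traffic towards the VPN-protected subnets and permits everything else, so only Internet-bound flows are translated. It mirrors the deny-then-permit pattern the posted ACL 110 already uses for the dynamic NAT. ACL number 111 and the route-map name NAT-SERVER are chosen here, the remote subnets are the ones ACL 110 denies, and the route-map keyword on a static NAT entry is assumed to be available on the poster's IOS release.

```cisco
! Traffic from the server to the VPN remote LANs must stay untranslated,
! otherwise it no longer matches the crypto ACLs (115/125) and leaves in clear.
access-list 111 deny   ip host 192.168.20.100 192.168.1.0 0.0.0.255
access-list 111 deny   ip host 192.168.20.100 192.168.2.0 0.0.0.255
access-list 111 deny   ip host 192.168.20.100 192.168.3.0 0.0.0.255
access-list 111 deny   ip host 192.168.20.100 192.168.4.0 0.0.0.255
access-list 111 deny   ip host 192.168.20.100 192.168.5.0 0.0.0.255
! Everything else (Internet clients) is translated to the public port-80 mapping.
access-list 111 permit ip host 192.168.20.100 any
!
route-map NAT-SERVER permit 10
 match ip address 111
!
! Conditional static PAT: same mapping as before, now gated by the route-map.
ip nat inside source static tcp 192.168.20.100 80 x.x.x.x 80 route-map NAT-SERVER
!
! Checks after applying it:
!  - VPN-side client to 192.168.20.100:80 should create no entry here:
!      show ip nat translations verbose
!  - match counters on the route-map show which clause each flow hit:
!      show route-map NAT-SERVER
```

Keep the deny lines ahead of the permit: ACL order decides whether a flow is exempted, exactly as in ACL 110.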
