06-24-2008 04:07 PM - edited 02-21-2020 03:47 PM
Hi all,
If you have a server on a LAN (say 192.168.20.100) and you have IPsec LAN-to-LAN sites that can talk to each other, including the server, then you have a fairly standard scenario.
If you then need the Internet to be able to talk to that server e.g. "ip nat inside source 192.168.20.100 80 x.x.x.x 80", then your server is mapped to your public IP on port 80 and your VPN sites can't talk to it on port 80 (in Cisco IOS - this is the first time I have ever come across this kind of issue on any other kind of router or firewall).
Surely this has cropped up before. I can't find anything on the Internet about it though. Am I being stupid? How can I get round this situation for my customer?
Any help will be greatly appreciated. See config (the port forward/inside source static line has been removed):
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HQ
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key z02xr15MPw0z5kh address y.y.y.y
crypto isakmp key SFJc45JPq6g64V2 address z.z.z.z
!
!
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer y.y.y.y
set transform-set TRANSFORM
set pfs group2
match address 115
crypto map VPN 20 ipsec-isakmp
set peer z.z.z.z
set transform-set TRANSFORM
set pfs group2
match address 125
!
!
!
!
interface FastEthernet0/0
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address x.x.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
!
!
ip route 0.0.0.0 0.0.0.0 j.j.j.j
!
!
ip http server
no ip http secure-server
ip nat pool CUST-NATPOOL x.x.x.x x.x.x.x netmask 255.255.255.248
ip nat inside source route-map NONAT pool CUST-NATPOOL overload
!
ip access-list logging interval 1
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
access-list 115 permit ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 125 permit ip any 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip permit
!
route-map NONAT permit 10
match ip address 110
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
alias exec i sh ip int brief
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
06-30-2008 08:08 AM
Use random ports for VPN. The only ports available are UDP 500 and UDP 4500 when using NAT transparency and a VPN.
06-30-2008 08:45 AM
It's ok. I found the solution. You need to use a conditional route-map on the end of the inbound NAT statement. This will exempt the VPN sites from the static mapping that you define.
Easy when you know how :)
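The fix described in the reply above, written out as an added example against the posted config (this is not the poster's own line, which was removed from the config; the exact port-forward statement and the route-map keyword on it are assumed):

```cisco
! Before: unconditional port-static translation. In IOS, inside-to-outside
! NAT runs before the crypto map, so a reply from 192.168.20.100:80 to a
! VPN peer is rewritten to x.x.x.x:80 first, no longer matches
! access-list 115 / 125, and never enters the tunnel.
ip nat inside source static tcp 192.168.20.100 80 x.x.x.x 80

! After: same translation, applied only when route-map NONAT permits.
! NONAT matches access-list 110, whose deny lines cover the remote VPN
! subnets, so packets to 192.168.1.0/24 .. 192.168.5.0/24 are left
! untranslated and still match the crypto ACLs. Internet-bound packets
! are still translated, and inbound connections to x.x.x.x:80 still
! reach the server through the static entry.
ip nat inside source static tcp 192.168.20.100 80 x.x.x.x 80 route-map NONAT

! Already present in the posted config; repeated here only for context.
route-map NONAT permit 10
 match ip address 110
access-list 110 deny   ip 192.168.20.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any

! To check the result: "show ip nat translations" should list the static
! entry for x.x.x.x:80, and the encaps/decaps counters in
! "show crypto ipsec sa" should increment while a VPN site talks to the server.
```

Note that the same route-map must also exempt any additional remote subnet added to a crypto ACL later, or that site will hit the same problem.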