NAT issue

Answered Question
Sep 25th, 2008

I have a strange issue. I use a Cisco 2811 router with dual ISP for failover.

ip nat inside source static tcp 192.168.1.2 110 interface FastEthernet0/0 110
ip nat inside source static tcp 192.168.1.2 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.1.2 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.1.3 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 192.168.1.2 3390 interface FastEthernet0/0 3390

Everyone can access the server 192.168.1.3 from outside using the public IP address, but when people VPN in and try to access 192.168.1.3 using the private IP address, it doesn't work. Here's the NAT ACL:

ip access-list extended NATACL
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any

192.168.2.0 is the VPN pool address.

Any help on this would be really appreciated.

Thanks

OJ

Collin Clark Thu, 09/25/2008 - 12:33

OJ-

Here's the fix (applied it many times).

http://www.packetpros.com/wiki/index.php/I_can%27t_see_a_service_that_NAT%27ed_to_the_outside_while_I%27m_connected_via_VPN._Why%3F

The hyperlink doesn't work, but copy-n-paste into the URL and it will.

And the referring document:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

Hope that helps.

singhsaju Thu, 09/25/2008 - 12:33

Hi,

You will have to bypass the static NAT for VPN traffic.

1. Define an access-list to deny VPN traffic

access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any

2. Define a route map

route-map nonat permit 10
 match ip address 130

3. Remove the existing static NAT and add the route map to the static NAT statement

no ip nat inside source static tcp 192.168.1.3 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 192.168.1.3 3389 interface FastEthernet0/0 3389 route-map nonat

Clear translations: clear ip nat translations *

And check results for VPN users.

HTH

Saju

Pls rate helpful posts

ojasvi.bansal Thu, 09/25/2008 - 19:00

Thanks for your response.

The command

ip nat inside source static tcp 192.168.1.3 3389 interface FastEthernet0/0 3389 route-map nonat

does not work. However, if I take it out with

no ip nat inside source static tcp 192.168.1.3 3389 interface FastEthernet0/0 3389

I can access the server after I VPN in, but not with the public IP address anymore.

Any Idea?

Thanks again.

OJ

Correct Answer
singhsaju Fri, 09/26/2008 - 05:28

The feature of using a route map with static NAT translations was introduced in 12.2(4)T.

There is one more way to bypass static NAT, which was used before the route-map feature, but here you need to create a loopback interface.

1. Create a loopback interface

interface loopback0
 ip address 10.254.254.253 255.255.255.252

2. Create an access-list statement where you permit the IPsec traffic

access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

3. Create a route map and route the IPsec traffic towards the loopback interface

route-map nonat permit 10
 match ip address 199
 set ip next-hop 10.254.254.254

4. Apply the route map on the inside interface of the router, where you also have "ip nat inside" applied

interface inside_interface_name
 ip nat inside
 ip policy route-map nonat

Clear NAT translations: clear ip nat trans *

And then check.

HTH

Saju

Pls rate helpful posts.
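The two fixes in this thread (the route-map attached to the static NAT, and the older loopback/policy-routing trick) both work for the same reason: on IOS, inside-to-outside traffic is routed first, translated second, and only then matched against the crypto map, so a reply from 192.168.1.3 to a VPN client that has already had its source rewritten to the public address no longer matches the VPN's interesting traffic. The following Python model is an added illustration, not code from the thread or from Cisco; it reuses the thread's addresses and ACLs, assumes the VPN's crypto ACL is "LAN to VPN pool" (not shown in the thread) and uses a placeholder public IP, since the original only references "interface FastEthernet0/0".

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder for the router's single public address (not given in the thread).
PUBLIC_IP = "203.0.113.10"


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Cisco address + wildcard mask (e.g. 0.0.0.255) into a network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_net(tok, tokens.pop(0))


def acl(*lines: str) -> List[AclEntry]:
    """Parse extended-ACL bodies such as 'permit ip 192.168.1.0 0.0.0.255 any'."""
    entries = []
    for line in lines:
        tokens = line.split()
        action, _proto = tokens.pop(0), tokens.pop(0)   # protocol is always 'ip' here
        entries.append(AclEntry(action, _take_addr(tokens), _take_addr(tokens)))
    return entries


def acl_permits(entries: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


@dataclass(frozen=True)
class StaticNat:
    inside_ip: str
    inside_port: int
    route_map_acl: Optional[List[AclEntry]] = None   # ACL behind 'route-map nonat', if attached


Packet = Tuple[str, str, int]   # (source IP, destination IP, source port)


def process_outbound(pkt: Packet, statics: List[StaticNat], crypto_acl: List[AclEntry],
                     pbr_acl: Optional[List[AclEntry]] = None) -> Tuple[str, bool]:
    """Model inside->outside handling: return (source after NAT, sent through the IPsec tunnel).

    Order modelled: routing/PBR, then NAT, then the crypto map. A source that has
    already been rewritten therefore no longer matches the crypto ACL.
    """
    src, dst, sport = pkt
    if pbr_acl is not None and acl_permits(pbr_acl, src, dst):
        # Policy routing sends the packet out loopback0 first; loopback0 is not
        # 'ip nat outside', so the static translation is never applied.
        return src, acl_permits(crypto_acl, src, dst)
    for st in statics:
        if (src, sport) == (st.inside_ip, st.inside_port):
            if st.route_map_acl is None or acl_permits(st.route_map_acl, src, dst):
                src = PUBLIC_IP        # translated; a route-map deny skips this
            break
    return src, acl_permits(crypto_acl, src, dst)


# The thread's ACLs (NATACL / access-list 130, and access-list 199).
NAT_ACL = acl("deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
              "permit ip 192.168.1.0 0.0.0.255 any")
PBR_ACL = acl("permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255")
CRYPTO_ACL = PBR_ACL   # assumption: interesting traffic is LAN -> VPN pool

# Constructed sample packets: the RDP server replying to a VPN client and to an Internet client.
VPN_REPLY: Packet = ("192.168.1.3", "192.168.2.10", 3389)
INTERNET_REPLY: Packet = ("192.168.1.3", "198.51.100.7", 3389)


def static_only(pkt: Packet) -> Tuple[str, bool]:
    """The original configuration: unconditional static PAT."""
    return process_outbound(pkt, [StaticNat("192.168.1.3", 3389)], CRYPTO_ACL)


def static_with_route_map(pkt: Packet) -> Tuple[str, bool]:
    """First method: 'ip nat inside source static ... route-map nonat'."""
    return process_outbound(pkt, [StaticNat("192.168.1.3", 3389, NAT_ACL)], CRYPTO_ACL)


def static_with_loopback_pbr(pkt: Packet) -> Tuple[str, bool]:
    """Second method: policy-route VPN-bound traffic via loopback0."""
    return process_outbound(pkt, [StaticNat("192.168.1.3", 3389)], CRYPTO_ACL, pbr_acl=PBR_ACL)


if __name__ == "__main__":
    for name, fn in [("static only", static_only), ("route-map", static_with_route_map),
                     ("loopback PBR", static_with_loopback_pbr)]:
        print(f"{name:13s} VPN reply -> {fn(VPN_REPLY)}   Internet reply -> {fn(INTERNET_REPLY)}")
```

With the plain static entry, the reply to the VPN client leaves with the public source address and never matches the crypto ACL, which is the symptom in the original post; with either fix the VPN-bound reply keeps its private source and is encrypted, while replies to Internet clients are still translated as before.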

ojasvi.bansal Fri, 09/26/2008 - 09:32

I do have 12.4.5.17(t) IOS on my router.

The moment I use

IP nat inside static 192.168.1.3 route-map nonat

I lose connectivity to the router. I only have one public IP address. I want to use this IP address for:

1. Direct access to the server.

2. VPN access.

3. Inside computers to NAT through the address to go outside.

4. Management of the router.

Can this be done using a route-map?

One question from the above configuration: the address of the Lo interface is .253, but we set next-hop 10.254.254.254. Where does this .254 come from?

Thanks

OJ

singhsaju Fri, 09/26/2008 - 09:45

"One question from the above configuration: the address of the Lo interface is .253, but we set next-hop 10.254.254.254. Where does this .254 come from?"

Good question :), I will try to answer. When we set the next hop as 10.254.254.254 (it does not exist anywhere), this makes the traffic exit out of the loopback interface, where there is no "ip nat outside" configured. Another good argument can be: why did we not configure "set interface loopback0", why next-hop? When you configure set interface, the traffic does not exit out of the loopback interface.

I am sure somebody here can explain it better than me.

HTH

Saju
