NAT/VPN issue

Unanswered Question
Mar 5th, 2009

Hi

The problem that I am having is that once I am connected I can ping or connect to anything from the remote host, but I can ping the remote host from inside the network. I think the problem that I am having is related to the NAT settings that are configured, but I am not sure.

Below is the current config:

FIDEL#sh run
Building configuration...

Current configuration : 3876 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname FIDEL
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN-XAUTH local
aaa authorization exec default local
aaa authorization network VPN-GROUP local
!
!
aaa session-id common
memory-size iomem 20
!
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.190 192.168.1.200
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool DHCP-INTERNAL
   network 192.168.1.0 255.255.255.0
   dns-server 68.87.77.130 68.87.72.130
   default-router 192.168.1.1
   lease 7
!
!
no ip domain lookup
ip domain name FIDEL.com
ip inspect name OUTSIDE-INSPECT tcp
ip inspect name OUTSIDE-INSPECT udp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group FIDEL-VPN-GROUP
 key xxxxxx
 dns 4.2.2.2
 pool xxxxxx
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile VPN-CLIENT
   description VPN-CLIENT profile
   match identity group FIDEL-VPN-GROUP
   client authentication list VPN-XAUTH
   isakmp authorization list VPN-GROUP
   client configuration address respond
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto dynamic-map DYNMAP 5
 set transform-set MYSET
 set isakmp-profile VPN-CLIENT
 reverse-route
!
!
crypto map MYMAP 10 ipsec-isakmp dynamic DYNMAP
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 1
ip ssh version 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address x.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map MYMAP
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip inspect OUTSIDE-INSPECT in
 ip virtual-reassembly
!
ip local pool FIDEL-VPN-POOL 192.168.1.230 192.168.1.250
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map VPN-ROUTE-MAP interface FastEthernet4 overload
ip nat inside source static 192.168.1.194 x.x.x.x
ip nat inside source static 192.168.1.195 x.x.x.x
ip nat inside source static 192.168.1.196 x.x.x.x
ip nat inside source static 192.168.1.197 x.x.x.x
!
ip access-list standard SSH-ACL
 permit 192.168.1.0 0.0.0.255
!
ip access-list extended NATADD
 permit ip 192.168.1.0 0.0.0.255 any
 deny ip any any log
ip access-list extended OUTSIDE-LIST
 permit udp any any eq isakmp log
 permit icmp any any echo-reply
 deny tcp any any eq 22
 deny tcp any any eq telnet
 deny ip 127.0.0.0 0.0.0.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip host 255.255.255.255 any
 deny ip any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
route-map VPN-ROUTE-MAP permit 5
 match ip address NATADD
!
!
control-plane
!
banner login ^C
************************************************
YOUR ARE NOT AUTH0RIZED TO ACCESS THE ROUTER
DISCONNECT NOW!!!
************************************************^C
!
line con 0
 logging synchronous
 no modem enable
line aux 0
 access-class 1 in
line vty 0 4
 logging synchronous
 transport input ssh
!
scheduler max-task-time 5000
end

FIDEL#

andrew.prince@m... Tue, 03/10/2009 - 02:55

Please clarify the "can" and "cannot" in the correct places, as from your post it sounds like everything is working OK.

themcurtis Tue, 03/10/2009 - 06:29

The tunnel itself is working. The problem is the remote client not being able to receive packets back, but I think I found the problem.

I believe that I need to remove the host addresses that are in the VPN pool from the NAT ACL.
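The fix that reply points at, written out as an added example that is not part of the original thread. With the posted config, every LAN packet leaving FastEthernet4 matches the NATADD permit and is PAT'd to the WAN address; on IOS, inside-to-outside NAT runs before the crypto map encrypts, so a reply addressed to a VPN client is rewritten before it is tunnelled and the client never recognises it. The usual remedy is a NAT-exemption deny ahead of the permit. The example assumes the pool stays at 192.168.1.230-250 as posted; the 0.0.0.31 wildcard covers 192.168.1.224-255, the smallest aligned block that contains that pool. The client address 192.168.1.235 in the verification commands is a made-up example.

```cisco
! Added example, not from the original post.
!
! BEFORE (as posted): replies to VPN clients match the permit and are translated.
ip access-list extended NATADD
 permit ip 192.168.1.0 0.0.0.255 any
 deny ip any any log
!
! AFTER: exempt LAN -> VPN-pool traffic from NAT by inserting a deny with a
! sequence number below the existing permit (named ACLs number entries 10, 20, ...
! by default, so sequence 5 lands first). Assumption: pool is 192.168.1.230-250;
! 192.168.1.224 0.0.0.31 is the aligned superset 192.168.1.224-255.
ip access-list extended NATADD
 5 deny ip 192.168.1.0 0.0.0.255 192.168.1.224 0.0.0.31
!
! Drop any translations created before the change so stale PAT entries for
! VPN-client destinations do not linger.
clear ip nat translation *
!
! Verification once a client is connected (192.168.1.235 is a made-up address):
! show ip route 192.168.1.235     -> /32 static host route injected by reverse-route
! show access-lists NATADD        -> hit count on the sequence-5 deny should increase
! show ip nat translations        -> no entries with the VPN client as destination
! show crypto ipsec sa            -> encaps and decaps counters both rising
```

Two checks worth making on the same config. First, the pool sits inside the Vlan1 subnet while Vlan1 has `no ip proxy-arp`: a LAN host will ARP directly for a VPN client address, and the router will not answer on its behalf, so LAN-initiated traffic to clients needs proxy-arp on Vlan1 or, cleaner, a pool on its own subnet (then the NAT deny is written against that subnet instead). Second, the static NAT entries for 192.168.1.194-197 are unconditional and are not affected by the route-map; any traffic from those hosts to VPN clients is still translated unless the pool is moved out of the range those statics forward for.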
