Hello, we have an IPSEC VPN set up on a router for remote access. This works very well, mostly. We also have a few static PAT entries for allowing access to a web server etc. from the outside. We deny NATting from the private IP range to the VPN client range, and this works except for the entries that also have the PAT configurations.
So, for instance, we have web server 10.0.0.1 and a PAT forwarding port 10.0.0.1:80 to the WAN IP port 80. If a VPN client tries to connect to 10.0.0.1:80, the syn-ack packet comes back to the VPN client from the router's WAN IP! If the VPN client connects to RDP server 10.0.0.2:3389, it works fine, as this server doesn't have a static PAT entry.
Is there a way around this?
There is a way around: use the same settings you have for your dynamic NAT in your static NAT entries, something like this:
Currently it should look like:
ip nat inside source static tcp XXXXX 80 XXXX 80
You would need to change it to:
ip nat inside source static tcp XXXXX 80 XXXX 80 route-map YYYY
where your route map YYYY is defined with an ACL that denies traffic from the inside of your router to the VPN pool:
ip access-list extended nonat
 ! deny = do not NAT: inside LAN to the VPN client pool (replace the placeholder with your pool network and wildcard mask)
 deny ip 10.0.0.0 0.0.0.255 <VPN-POOL-NETWORK> <VPN-POOL-WILDCARD>
 ! permit = NAT everything else from the inside LAN
 permit ip 10.0.0.0 0.0.0.255 any
route-map YYYY permit 10
 match ip address nonat
Same for all the static PAT entries you need.
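The whole arrangement described above, pulled together into one configuration as an added example (this is not the original poster's or the answerer's config). It keeps the page's inside LAN 10.0.0.0/24 and web server 10.0.0.1; the VPN client pool 192.168.100.0/24, the WAN address 203.0.113.10, the interface names and the route-map name NONAT are assumed values. The point it shows is that the dynamic PAT and every static PAT entry are gated by the same route-map, so the inside-to-VPN-pool exemption applies to all of them:

```cisco
! Added example, not the original config. Constructed values: VPN pool
! 192.168.100.0/24, WAN IP 203.0.113.10, interfaces Gi0/0 (WAN) and Gi0/1 (LAN).
!
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
!
! One ACL decides what gets translated: inside LAN to the VPN pool is denied
! (exempt from NAT), everything else from the inside LAN is permitted (NATted).
ip access-list extended nonat
 deny   ip 10.0.0.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
!
! A packet denied by the ACL does not match this permit clause, so no NAT
! entry is built for it.
route-map NONAT permit 10
 match ip address nonat
!
! Dynamic PAT for ordinary outbound traffic, gated by the route-map.
ip nat inside source route-map NONAT interface GigabitEthernet0/0 overload
!
! Static PAT for the web server, gated by the same route-map. Without the
! route-map this entry would rewrite 10.0.0.1:80 to 203.0.113.10:80 for
! replies to VPN clients as well; with it, VPN clients see the real address.
ip nat inside source static tcp 10.0.0.1 80 203.0.113.10 80 route-map NONAT
!
! Checks to run from exec mode after a VPN client opens 10.0.0.1:80:
!   show ip nat translations | include 10.0.0.1
!     (no translation should appear for the VPN-client flow; outside-initiated
!      hits on 203.0.113.10:80 still translate)
!   show route-map NONAT
!     (the policy routing matches counter should increase for NATted traffic)
```

Each additional static PAT entry (for example an RDP or mail forward) gets the same `route-map NONAT` suffix; the ACL and route-map are defined once and shared, so a change to the VPN pool range only has to be made in the `nonat` ACL.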