Easy VPN and NAT Translations

Unanswered Question
Feb 25th, 2010

Hi, excuse my English, I will try to explain correctly.

I have a Cisco 1800 series router; I configured an Easy VPN Server for access with Cisco VPN Clients. The clients access the local LAN without problems.

Later I needed to configure a PAT to reach a server on port 3389 from the public IP. It is running correctly:

ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389

The problem is that when a user establishes a VPN connection to the router and tries to access the server 192.168.180.2 on port 3389, the connection is not established. If I try to access it from the public IP, the connection is established.

Thank you

Federico Coto F... Thu, 02/25/2010 - 09:19

Hi,

Are you exempting the 192.168.180.2 IP address from NAT for VPN traffic?

In order for VPN clients to be able to access the server with the private IP, there should be a rule with an ACL that avoids doing NAT for the IP 192.168.180.2 when going to the VPN pool.

Check this out please.

Federico.

ignaciobajo Thu, 02/25/2010 - 10:20

Yes, I think so.

This is my configuration:

aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group XXX
key xxxxx
dns 192.168.180.1 192.168.180.2
domain domain.com
pool SDM_POOL_1
acl 100
include-local-lan
netmask 255.255.255.0
!
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association lifetime seconds 3600
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!

!
interface ATM0
no ip address
ip nat outside
.......

!
interface ATM0.1 point-to-point
no ip mroute-cache
pvc 8/32
  pppoe-client dial-pool-number 2
!
!
!
interface Vlan1
ip address 192.168.45.241 255.255.255.0 secondary
ip address 192.168.180.241 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer1
ip address y.y.y.y 255.255.255.192
ip mtu 1452
ip nat outside
..........

!
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.0.0 255.255.255.0 192.168.180.243
ip route 192.168.40.0 255.255.255.0 192.168.45.243

!
ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389
ip nat inside source route-map RMAP_1 interface Dialer1 overload

!
ip access-list extended ACL_HTTP
remark Internet access
deny   ip 192.168.180.0 0.0.0.255 10.10.10.0 0.0.0.255
deny   ip 192.168.45.0 0.0.0.255 10.10.10.0 0.0.0.255
deny   tcp host 192.168.180.2 eq 3389 any
permit ip 192.168.180.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.40.0 0.0.0.255 any
!

access-list 100 permit ip 192.168.180.0 0.0.0.255 any

route-map RMAP_1 permit 1
match ip address ACL_HTTP
!

Federico Coto F... Thu, 02/25/2010 - 10:42

Can the VPN client PING the server's private IP?

Can the VPN client PING 192.168.180.241?

Federico.

ignaciobajo Thu, 02/25/2010 - 11:02

Can the VPN client PING the server's private IP?

YES

Can the VPN client PING 192.168.180.241?

YES

and if I do

"telnet 192.168.180.2 3389", the response is that it can't open a connection to the host.

If I do it without the VPN connection, the result is that a telnet session opens.

ignaciobajo Thu, 02/25/2010 - 11:04

I mean telnet without the VPN connection:

telnet "public ip" 3389, of course.

Federico Coto F... Thu, 02/25/2010 - 11:07

There's no restriction as to which traffic can pass through the tunnel (either PING or TCP 3389)

Sounds like it could be a restriction on the server as far as which IPs are allowed to make an RD connection to it?

Can you try accessing that same server via any other protocol? For instance, port 80, 21, or any TCP or UDP connection to see if you make it through the VPN tunnel?

Federico.

ignaciobajo Thu, 02/25/2010 - 11:31

If I open a connection through the VPN to TCP port 445, it responds.

The only difference is the line "ip nat inside source static............" for TCP port 3389.

If I erase this line, the connection through the VPN to TCP port 3389 is OK.

Federico Coto F... Thu, 02/25/2010 - 11:43

Let's do a quick test please.

Apply the route-map to the INSIDE interface (Vlan 1).

Let's see if in this way, the route-map to avoid NAT takes precedence over the STATIC translation for that server.

Federico.

Lei Tian Thu, 02/25/2010 - 11:44

Hi,

The server IP 192.168.180.2 is being NATed when it establishes the TCP connection with the VPN client.

Check your router to see if you can do conditional NAT.

See if you have the option to put a route-map after the static NAT statement:

ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389 ?

HTH,

Lei Tian

ignaciobajo Fri, 02/26/2010 - 02:27

What is conditional NAT?

I tried this change in the config, in this order:

no ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389
no ip nat inside source route-map RMAP_1 interface Dialer1 overload


ip nat inside source route-map RMAP_1 interface Dialer1 overload

ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389

The result of show run is in this order:

.....

ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389
ip nat inside source route-map RMAP_1 interface Dialer1 overload

.......

The route-map is always after the line "ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389".

ignaciobajo Fri, 02/26/2010 - 02:37

More information

If I add these lines, I can connect through the VPN but can't connect via the public IP:

no ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389

ip nat inside source static tcp 192.168.180.2 3389 y.y.y.y 3389 route-map RMAP_2 extendable

access-list 110 deny   ip host 192.168.180.2 10.10.10.0 0.0.0.255
access-list 110 permit tcp host 192.168.180.2 eq 3389 any
access-list 110 permit ip host 192.168.180.2 any
!
route-map RMAP_2 permit 1
 match ip address 110

Lei Tian Fri, 02/26/2010 - 04:18

Hi,

Change your acl 110 to

access-list 110 deny   ip host 192.168.180.2 10.10.10.0 0.0.0.255

access-list 110 permit ip any any

HTH,

Lei Tian

Edit:

Also change the nat statement to

ip nat inside source static tcp 192.168.180.2 3389 y.y.y.y 3389 route-map RMAP_2 reversible
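The two pieces of advice in this thread (exempt the VPN pool from the dynamic PAT, and put a route-map on the static PAT so it is skipped for server-to-VPN-client traffic) fit together as below. This is an added example, not the poster's configuration or a reply from the thread. The reason the exemption is needed: in the inside-to-outside direction IOS translates the packet before the crypto map on Dialer1 encrypts it, so without the route-map the server's replies (source 192.168.180.2:3389, destination 10.10.10.x) leave with source y.y.y.y:3389 inside the tunnel and the VPN client discards them. Addresses are the thread's placeholders (y.y.y.y is the Dialer1 public IP); the ACL and route-map names are assumptions. Note that the poster reported the public side failing with `route-map ... reversible` on his router before finding a wrong line in his configuration, so verify both directions after applying this.

```cisco
! Added example (not from the thread). Placeholders: y.y.y.y = Dialer1 public IP.

! Dynamic PAT for LAN -> Internet. The two deny lines keep LAN -> VPN-pool
! traffic untranslated so it goes into the IPsec tunnel with private addresses.
ip access-list extended ACL_NAT_OVERLOAD
 deny   ip 192.168.180.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny   ip 192.168.45.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny   tcp host 192.168.180.2 eq 3389 any
 permit ip 192.168.180.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 192.168.40.0 0.0.0.255 any
!
route-map RMAP_NAT_OVERLOAD permit 10
 match ip address ACL_NAT_OVERLOAD
!
ip nat inside source route-map RMAP_NAT_OVERLOAD interface Dialer1 overload

! Static PAT for RDP, conditioned on the destination NOT being the VPN pool.
! Traffic from the server to 10.10.10.0/24 hits the deny, no translation is
! built, and the reply reaches the client with source 192.168.180.2:3389.
ip access-list extended ACL_RDP_NOT_VPN
 deny   ip host 192.168.180.2 10.10.10.0 0.0.0.255
 permit ip host 192.168.180.2 any
!
route-map RMAP_RDP permit 10
 match ip address ACL_RDP_NOT_VPN
!
! 'reversible' asks the router to build the translation for connections that
! start from the outside (Internet -> y.y.y.y:3389) as well. Confirm the
! keyword is offered on your release:
!   ip nat inside source static tcp 192.168.180.2 3389 y.y.y.y 3389 route-map RMAP_RDP ?
ip nat inside source static tcp 192.168.180.2 3389 y.y.y.y 3389 route-map RMAP_RDP reversible
```

To check the result, open one RDP session from a VPN client and one from the Internet and compare `show ip nat translations | include 192.168.180.2`: the Internet session should show 192.168.180.2:3389 mapped to y.y.y.y:3389, while the VPN session should produce no entry for the server at all. `debug ip nat` (on a quiet router) shows the translation decision per packet if the table is not what you expect.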

ignaciobajo Fri, 02/26/2010 - 04:33

The result is the same: through the VPN it connects, through the public IP it doesn't connect.

ignaciobajo Fri, 02/26/2010 - 04:35

Perhaps it is not possible to connect through the VPN and the public IP on the same port simultaneously?

Lei Tian Fri, 02/26/2010 - 05:08

OK. Looks like it doesn't work as it should.

Let's try another way.

1. Create a dummy interface and set an unroutable IP that is not used in your network, like:

interface Loopback100
 ip address 172.16.1.1 255.255.255.0

2. Create a route-map:

ip access-list extended PBR
 permit tcp host 192.168.180.2 eq 3389 10.10.10.0 0.0.0.255
!
route-map PBR permit 10
 match ip address PBR
 set ip next-hop 172.16.1.2

3. Apply the PBR on the LAN interface:

interface Vlan1
 ip policy route-map PBR

HTH,

Lei Tian

Lei Tian Fri, 02/26/2010 - 08:38

Ok,

Can you attach the latest:

show run

show ip nat translations | include 192.168.180.2

show ip route

ignaciobajo Mon, 03/01/2010 - 08:49

Hi Lei Tian,

At the moment all is OK; there was a wrong line in the router configuration.

Thank you for the help.

ignaciobajo Mon, 03/01/2010 - 09:35

Excuse me,

I have another issue on the same router.

I want only the WAN IP v.v.v.v to be able to access the NAT port 3389; the rest of the WAN IPs must be rejected.

This is the route-map and access list:

ip local pool SDM_POOL_1 10.10.10.1 10.10.10.20

ip nat inside source route-map ITSA_1 interface Dialer1 overload

ip nat inside source static tcp 192.168.180.2 3389 y.y.y.y 3389 route-map ITSA_2 extendable
!

ip access-list extended ACL_HTTP
deny   ip 192.168.180.0 0.0.0.255 10.10.10.0 0.0.0.255
deny   tcp host 192.168.180.2 eq 3389 any
permit ip 192.168.180.0 0.0.0.255 any
!

access-list 110 deny   ip host 192.168.180.2 10.10.10.0 0.0.0.255
access-list 110 permit tcp host 192.168.180.2 eq 3389 host v.v.v.v eq 3389
no cdp run
!
!
route-map ITSA_1 permit 1
match ip address ACL_HTTP
!
route-map ITSA_2 permit 1
match ip address 110

Lei Tian Mon, 03/01/2010 - 10:26

Hi,

Trying to understand your requirement here. You want only allowed traffic from IP v.v.v.v be able to access your server 192.168.180.2 port 3389, and reject the traffic from other IP to your server?

You can just create an access control list and apply it in the inbound direction on your WAN interface.

The ACL should look like

ip access-list extended INBOUND
 permit tcp host v.v.v.v host y.y.y.y eq 3389
 deny   tcp any host y.y.y.y eq 3389
 permit ip any any

y.y.y.y is the server's public IP; v.v.v.v is the allowed WAN IP.

Please rate if it helps.

Lei Tian

ignaciobajo Mon, 03/01/2010 - 11:21

It doesn't work:

interface Dialer1
 ip address y.y.y.y 255.255.255.192
 ip access-group ACCESO_TS_NAT in

ip access-list extended ACCESO_TS_NAT
 permit tcp host y.y.y.y host v.v.v.v eq 3389
 deny   tcp any host 195.55.94.213 eq 3389
 permit ip any any
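The restriction Lei Tian describes, written out as an added example (not a reply from the thread and not the poster's configuration). Direction is the detail that decides whether this filter does anything: for packets arriving on Dialer1 the inbound ACL is evaluated before the outside-to-inside NAT translation, so the destination to match is the public address y.y.y.y, not the server's private 192.168.180.2, and the source is the remote client, not the router itself. Placeholders are the thread's (y.y.y.y is the Dialer1 public IP, v.v.v.v is the one WAN address allowed to reach RDP); the ACL name is reused from the poster's attempt.

```cisco
! Added example (not from the thread). Inbound filter on the WAN interface that
! limits the published RDP port to a single remote address.
! y.y.y.y = Dialer1 public IP, v.v.v.v = the only WAN address allowed in.
ip access-list extended ACCESO_TS_NAT
 remark source = remote client, destination = pre-NAT public address
 permit tcp host v.v.v.v host y.y.y.y eq 3389
 remark everyone else is refused on 3389; 'log' records the rejected sources
 deny   tcp any host y.y.y.y eq 3389 log
 remark keep everything else open, as in the thread's suggestion. This is also
 remark what lets the Easy VPN clients in: ISAKMP (udp 500), NAT-T (udp 4500)
 remark and ESP (ip protocol 50). If you replace this line with a tighter tail,
 remark permit those three explicitly or the VPN clients stop connecting.
 permit ip any any
!
interface Dialer1
 ip access-group ACCESO_TS_NAT in
```

After applying it, `show ip access-lists ACCESO_TS_NAT` shows a hit count per line: one RDP attempt from v.v.v.v should increment the permit, an attempt from any other address the deny (and, with `log`, produce a syslog line naming the source), and a VPN client connecting should only move the final `permit ip any any` counter.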
