Easy VPN and NAT Translations

ignaciobajo
Level 1

Hi, excuse my English, I will try to explain correctly.

I have a Cisco 1800 series router. I configured an Easy VPN Server for access with Cisco VPN Clients. The clients access the local LAN with problems.

Later I needed to configure a PAT to access a server on port 3389 from the public IP. It is running correctly:

ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389

The problem is when a user establishes a VPN connection to the router and tries to access the server 192.168.180.2 on port 3389: the connection is not established. If I try to access it from the public IP, the connection is established.

Thank you

25 Replies

Hi,

Are you exempting the 192.168.180.2 IP address from NAT for VPN traffic?

In order for VPN clients to be able to access the server with the private IP, there should be a rule with an ACL that avoids doing NAT for the IP 192.168.180.2 when going to the VPN pool.

Check this out please.

Federico.

Yes, I think so

This is my configuration

aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group XXX
key xxxxx
dns 192.168.180.1 192.168.180.2
domain domain.com
pool SDM_POOL_1
acl 100
include-local-lan
netmask 255.255.255.0
!
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association lifetime seconds 3600
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!

!
interface ATM0
no ip address
ip nat outside
.......

!
interface ATM0.1 point-to-point
no ip mroute-cache
pvc 8/32
  pppoe-client dial-pool-number 2
!
!
!
interface Vlan1
ip address 192.168.45.241 255.255.255.0 secondary
ip address 192.168.180.241 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer1
ip address y.y.y.y 255.255.255.192
ip mtu 1452
ip nat outside
..........

!
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.0.0 255.255.255.0 192.168.180.243
ip route 192.168.40.0 255.255.255.0 192.168.45.243

!
ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389
ip nat inside source route-map RMAP_1 interface Dialer1 overload

!
ip access-list extended ACL_HTTP
remark Internet access
deny   ip 192.168.180.0 0.0.0.255 10.10.10.0 0.0.0.255
deny   ip 192.168.45.0 0.0.0.255 10.10.10.0 0.0.0.255
deny   tcp host 192.168.180.2 eq 3389 any
permit ip 192.168.180.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.40.0 0.0.0.255 any
!

access-list 100 permit ip 192.168.180.0 0.0.0.255 any

route-map RMAP_1 permit 1
match ip address ACL_HTTP
!

Can the VPN client PING the server's private IP?

Can the VPN client PING 192.168.180.241?

Federico.

Can the VPN client PING the server's private IP?

YES

Can the VPN client PING 192.168.180.241?

YES

And if I do

"telnet 192.168.180.2 3389" the response is: could not open connection to the host.

If I do it without the VPN connection, the result is that a telnet session is opened.

I mean telnet without the VPN connection:

telnet "public IP" 3389, of course.

There's no restriction as to which traffic can pass through the tunnel (either PING or TCP 3389)

Sounds like it could be a restriction on the server as to which IPs are allowed to make an RD connection to it?

Can you try accessing that same server via any other protocol? For instance, port 80, 21, or any TCP or UDP connection to see if you make it through the VPN tunnel?

Federico.

If I open a connection through the VPN on TCP port 445, it responds.

The only difference is the line "ip nat inside source static............." for TCP port 3389.

If I erase this line, the connection through the VPN on TCP port 3389 is OK.

Let's do a quick test please.

Apply the route-map to the INSIDE interface (Vlan 1).

Let's see if in this way, the route-map to avoid NAT takes precedence over the STATIC translation for that server.

Federico.

It doesn't work, the result is the same.

Hi,

The server IP 192.168.180.2 is being NATted when it establishes the TCP connection with the VPN client.

Check your router to see if you can do conditional NAT.

See if you have the option to put a route-map after the static NAT statement:

ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389 ?

HTH,

Lei Tian

What is conditional NAT?

I tried this change in the config, in this order:

no ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389
no ip nat inside source route-map RMAP_1 interface Dialer1 overload

ip nat inside source route-map RMAP_1 interface Dialer1 overload

ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389

The result of show run is in this order:

.....

ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389
ip nat inside source route-map RMAP_1 interface Dialer1 overload

.......

The route-map is always after the line "ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389".

More information

If I add these lines, I can connect through the VPN but can't connect via the public IP:

no ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389

ip nat inside source static tcp 192.168.180.2 3389 y.y.y.y 3389 route-map RMAP_2 extendable

access-list 110 deny   ip host 192.168.180.2 10.10.10.0 0.0.0.255
access-list 110 permit tcp host 192.168.180.2 eq 3389 any
access-list 110 permit ip host 192.168.180.2 any
!
route-map RMAP_2 permit 1
match ip address 110

Hi,

Change your ACL 110 to:

access-list 110 deny   ip host 192.168.180.2 10.10.10.0 0.0.0.255

access-list 110 permit ip any any

HTH,

Lei Tian

Edit:

Also change the NAT statement to:

ip nat inside source static tcp 192.168.180.2 3389 y.y.y.y 3389 route-map RMAP_2 reversible

The result is the same: through the VPN it connects, through the public IP it doesn't connect.
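The two configurations the thread compares, side by side, as an added example (this is not the original poster's running config and not text from either replier). It assumes the same addresses as the thread: server 192.168.180.2, Easy VPN pool 10.10.10.0/24, and y.y.y.y as the placeholder for the Dialer1 public address. The first form is the unconditional static PAT the poster started with; the second is the route-map-gated form Lei Tian proposed, which exempts the server's replies to VPN clients from translation. Note that the last post reports this form still did not restore access from the public IP for the poster, so it is the proposed fix, not one the thread confirms.

```cisco
! --- Form 1: unconditional static PAT, as originally posted.
! Matches every packet from 192.168.180.2:3389 that leaves an
! "ip nat outside" interface, including replies to VPN clients in
! 10.10.10.0/24 (NAT runs before IPsec encapsulation on Dialer1), so the
! client receives replies from y.y.y.y instead of 192.168.180.2 and the
! TCP handshake never completes. The dynamic route-map RMAP_1 cannot
! prevent this: static entries are evaluated ahead of it.
ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389
!
! --- Form 2: conditional static PAT (the thread's proposal).
! ACL 110: "deny" means "do not translate". Server traffic bound for the
! VPN pool is left untranslated; everything else from the server is
! eligible for the static translation.
access-list 110 remark exempt server-to-VPN-pool traffic from the static PAT
access-list 110 deny   ip host 192.168.180.2 10.10.10.0 0.0.0.255
access-list 110 permit ip any any
!
route-map RMAP_2 permit 10
 match ip address 110
!
! Replace the unconditional entry. "reversible" (from Lei Tian's edit)
! lets inbound connections from the Internet to y.y.y.y:3389 create the
! outside-to-inside translation; the route-map only gates the
! inside-to-outside direction.
no ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.180.2 3389 y.y.y.y 3389 route-map RMAP_2 reversible
!
! The dynamic PAT for the rest of the LAN is unchanged; its ACL_HTTP
! already denies (exempts) the 192.168.180.0/24 and 192.168.45.0/24 LANs
! towards the VPN pool.
ip nat inside source route-map RMAP_1 interface Dialer1 overload
```

To check which form is in effect, open one RDP session from a VPN client and one from the Internet and compare `show ip nat translations | include 3389`: with Form 2 the session from the VPN client should leave no entry for 192.168.180.2:3389, while the Internet session should show y.y.y.y:3389 mapped to 192.168.180.2:3389. If the Internet session shows no entry at all, the inbound packet is not being matched by the static entry, which is the symptom the poster's last reply describes.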
