02-25-2010 09:04 AM - edited 03-04-2019 07:37 AM
Hi, excuse my English, I will try to explain correctly.
I have a Cisco 1800 series router. I configured an Easy VPN Server for access with Cisco VPN Clients. The clients access the local LAN with problems.
Later I needed to configure a PAT to access a server on port 3389 from the public IP. It is running correctly:
ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389
The problem is when a user establishes a VPN connection to the router and tries to access the server 192.168.180.2 on port 3389: the connection is not established. If I try to access from the public IP, the connection is established.
Thank you
02-25-2010 09:19 AM
Hi,
Are you exempting the 192.168.180.2 IP address from NAT for VPN traffic?
In order for VPN clients to be able to access the server with the private IP, there should be a rule with an ACL that avoids doing NAT for the IP 192.168.180.2 when going to the VPN pool.
Check this out please.
Federico.
02-25-2010 10:20 AM
Yes, I think so.
This is my configuration:
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group XXX
key xxxxx
dns 192.168.180.1 192.168.180.2
domain domain.com
pool SDM_POOL_1
acl 100
include-local-lan
netmask 255.255.255.0
!
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association lifetime seconds 3600
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
interface ATM0
no ip address
ip nat outside
.......
!
interface ATM0.1 point-to-point
no ip mroute-cache
pvc 8/32
pppoe-client dial-pool-number 2
!
!
!
interface Vlan1
ip address 192.168.45.241 255.255.255.0 secondary
ip address 192.168.180.241 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer1
ip address y.y.y.y 255.255.255.192
ip mtu 1452
ip nat outside
..........
!
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.0.0 255.255.255.0 192.168.180.243
ip route 192.168.40.0 255.255.255.0 192.168.45.243
!
ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389
ip nat inside source route-map RMAP_1 interface Dialer1 overload
!
ip access-list extended ACL_HTTP
remark Internet access
deny ip 192.168.180.0 0.0.0.255 10.10.10.0 0.0.0.255
deny ip 192.168.45.0 0.0.0.255 10.10.10.0 0.0.0.255
deny tcp host 192.168.180.2 eq 3389 any
permit ip 192.168.180.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.40.0 0.0.0.255 any
!
access-list 100 permit ip 192.168.180.0 0.0.0.255 any
route-map RMAP_1 permit 1
match ip address ACL_HTTP
!
02-25-2010 10:42 AM
Can the VPN client PING the server's private IP?
Can the VPN client PING 192.168.180.241?
Federico.
02-25-2010 11:02 AM
Can the VPN client PING the server's private IP?
YES
Can the VPN client PING 192.168.180.241?
YES
And if I do
"telnet 192.168.180.2 3389", the response is "don't open connection to host".
If I do it without a VPN connection, the result is that a telnet session opens.
02-25-2010 11:04 AM
I mean telnet without a VPN connection:
telnet "public ip" 3389, of course.
02-25-2010 11:07 AM
There's no restriction as to which traffic can pass through the tunnel (either PING or TCP 3389).
Sounds like it could be a restriction on the server as far as which IPs are allowed to make an RD connection to it?
Can you try accessing that same server via any other protocol? For instance, port 80, 21, or any TCP or UDP connection, to see if you make it through the VPN tunnel?
Federico.
02-25-2010 11:31 AM
If I open a connection through the VPN for TCP port 445, it responds.
The only difference is the line "ip nat inside source static............." for TCP port 3389.
If I erase this line, the connection through the VPN on TCP port 3389 is OK.
02-25-2010 11:43 AM
Let's do a quick test please.
Apply the route-map to the INSIDE interface (Vlan 1).
Let's see if in this way, the route-map to avoid NAT takes precedence over the STATIC translation for that server.
Federico.
02-26-2010 01:52 AM
It doesn't work, the result is the same.
02-25-2010 11:44 AM
Hi,
The server IP 192.168.180.2 is being NATed when it establishes the TCP connection with the VPN client.
Check your router to see if you can do conditional NAT.
See if you have the option to put a route-map after the static NAT statement:
ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389 ?
HTH,
Lei Tian
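To make the NAT order of operations behind this diagnosis concrete, here is a constructed Python model (added here, not code from the thread or from IOS) of the router's inside-to-outside path as the posted configuration defines it: the static PAT entry first, then the RMAP_1 dynamic NAT, then the crypto check against the already-translated packet. It also models the route-map-qualified static entry suggested later in the thread; y.y.y.y is the thread's own placeholder and 203.0.113.9 is a constructed internet host.

```python
import ipaddress

# Constructed model of the router in this thread; not IOS code. On IOS the
# inside-to-outside order of operations is: static NAT entries, then dynamic
# NAT (the route-map), and only then is the crypto map ACL matched against
# the already-translated packet.
VPN_POOL = ipaddress.ip_network("10.10.10.0/24")  # SDM_POOL_1
LAN = ipaddress.ip_network("192.168.180.0/24")
SERVER = ipaddress.ip_address("192.168.180.2")
PUBLIC_IP = "y.y.y.y"  # placeholder kept from the thread, not a real address


def dynamic_nat_exempt(src, dst):
    """The 'deny' lines of ACL_HTTP: LAN -> VPN pool is not translated."""
    return src in LAN and dst in VPN_POOL


def tunnel_match(src, dst):
    """IPsec proxy identities: LAN (split-tunnel ACL 100) <-> VPN client."""
    return src in LAN and dst in VPN_POOL


def forward(src, sport, dst, conditional_static):
    """Return (source address on the wire, encrypted?) for one packet.

    conditional_static=False models the original unconditional
      ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389
    conditional_static=True models the same entry qualified by a route-map
    whose ACL denies traffic from the server to the VPN pool.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    translated = src
    if src == SERVER and sport == 3389:
        # The static PAT entry is consulted before the route-map NAT, so the
        # ACL_HTTP exemption never gets a chance to protect this flow.
        if not (conditional_static and dst in VPN_POOL):
            translated = PUBLIC_IP
    elif src in LAN and not dynamic_nat_exempt(src, dst):
        translated = PUBLIC_IP  # RMAP_1 overload
    # y.y.y.y never matches the tunnel identities: the server's RDP reply to a
    # VPN client is translated and leaves Dialer1 unencrypted instead.
    encrypted = translated != PUBLIC_IP and tunnel_match(translated, dst)
    return str(translated), encrypted


if __name__ == "__main__":
    for cond in (False, True):
        print("conditional static:", cond,
              forward("192.168.180.2", 3389, "10.10.10.5", cond))
```

Running it shows the RDP reply reaching the VPN client only when the static entry is skipped for the pool, while the reply to an internet host is still translated and sent outside the tunnel.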
02-26-2010 02:27 AM
What is conditional NAT?
I tried this change in the config, in this order:
no ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389
no ip nat inside source route-map RMAP_1 interface Dialer1 overload
ip nat inside source route-map RMAP_1 interface Dialer1 overload
ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389
The result of show run is in this order:
.....
ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389
ip nat inside source route-map RMAP_1 interface Dialer1 overload
.......
The route-map is always after the line "ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389".
02-26-2010 02:37 AM
More information:
If I add these lines, I can connect through the VPN but can't connect via the public IP:
no ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.180.2 3389 y.y.y.y 3389 route-map RMAP_2 extendable
access-list 110 deny ip host 192.168.180.2 10.10.10.0 0.0.0.255
access-list 110 permit tcp host 192.168.180.2 eq 3389 any
access-list 110 permit ip host 192.168.180.2 any
!
route-map RMAP2 permit 1
match ip address 110
02-26-2010 04:18 AM
Hi,
Change your ACL 110 to:
access-list 110 deny ip host 192.168.180.2 10.10.10.0 0.0.0.255
access-list 110 permit ip any any
HTH,
Lei Tian
Edit:
Also change the NAT statement to:
ip nat inside source static tcp 192.168.180.2 3389 y.y.y.y 3389 route-map RMAP_2 reversible
02-26-2010 04:33 AM
The result is the same: through the VPN it connects, through the public IP it doesn't connect.