VPN with Static NAT

ajmarriott
Level 1

Hi

I have an issue at a client with an IPsec site-to-site VPN set up on a Cisco 877 router. The issue is partially described here: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

but with some differences.

Firstly, the client has an SBS server that static NATs have been configured to port forward 25 and 443 to,

e.g.: ip nat inside source static tcp 192.168.0.2 25 interface Dialer0 25

The remote site network is a public IP range not Public, and has rules that restrict the VPN to RDP and web ports from our private network.

There is an ACL to tell the router not to NAT the private (our network) to public (remote site) traffic. I haven't configured a route map as I actually want the static NAT to take precedence.

The VPN works fine except for mail. The remote site has a mail server that cannot send mail to the SBS server. What I see happening is the remote site tries to send mail to our external address using our MX record; this traffic arrives unencrypted and I see the translation in show ip nat translations. But the connection times out. When I try to send mail from the SBS server to the remote site, there is no translation in the table and again the connection times out. I am assuming that in my case the static translation is not taking precedence.

This is confusing me, as if static NAT worked as described in the above article without the use of a route map I wouldn't have an issue.

Has anybody else seen this behaviour?

I read somewhere that NAT access-lists don't work with port numbers. I was thinking of putting in deny statements based only on the ports allowed over the VPN in the NAT ACL.

Any help would be appreciated.

6 Replies

Jennifer Halim
Cisco Employee

From my understanding you would like to use the Dialer0 IP address for mail traffic from your remote site, which is connected via the site-to-site VPN tunnel.

On your crypto ACL, do you have crypto ACL between your Dialer0 and the remote LAN, and mirror image on your remote site?

Thanks for the quick reply.

"From my understanding you would like to use Dialer0 ip address for mail traffic from your remote site which is connected via site-to-site vpn tunnel."

Yes, I do want to use the Dialer0 IP address for mail traffic to the remote site, but I don't want it to go over the VPN as this is restricted at the remote site to RDP and WWW originating on our private network.

"On your crypto ACL, do you have crypto ACL between your Dialer0 and the remote LAN, and mirror image on your remote site?"

The crypto ACL is just between our private network and the remote LAN. The remote site is the same. Which is why when mail is sent to us at our MX address, the Dialer0 IP address, it is not encrypted.

Hope this clarifies things.

Andy

Post scrubbed config please.

OK, so my initial understanding is incorrect.

Based on your last post, the remote site would like to access the mail server on the main site without going through the VPN tunnel.

Based on that, your remote site needs to have NAT configured to PAT traffic outbound to the internet.

Can you please share the translation/nat configuration on your remote site.

Thanks for your replies -- fixed now. Slightly embarrassed to admit it, but after looking at the config for the nth time an entry in the inside interface access-list stood out and I removed it -- static NAT now working as described here: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
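As an added illustration (not the poster's config, which was never posted in this thread), the pieces the thread describes laid out as one Cisco IOS fragment: static PAT on Dialer0 for 25/443, a NAT exemption ACL for the LAN-to-LAN traffic, a crypto ACL that deliberately excludes the Dialer0 address, and an inside-interface ACL that is evaluated before NAT. The remote LAN (10.10.0.0/24), peer address (203.0.113.10), interface Vlan1 and all ACL/map names are assumed values; only the two static entries, the SBS address and Dialer0 come from the thread.

```cisco
! Constructed example, not the thread's config. Assumed: LAN 192.168.0.0/24 on Vlan1,
! SBS at 192.168.0.2, remote LAN 10.10.0.0/24, remote VPN peer 203.0.113.10.
!
! Static PAT: publish SMTP and HTTPS on the Dialer0 address. With no route-map these
! entries apply to every outside peer, including the remote site hitting our MX address.
ip nat inside source static tcp 192.168.0.2 25 interface Dialer0 25
ip nat inside source static tcp 192.168.0.2 443 interface Dialer0 443
!
! Dynamic PAT for everything else; the ACL exempts the LAN-to-LAN traffic the tunnel carries
ip nat inside source list NAT_EXEMPT interface Dialer0 overload
ip access-list extended NAT_EXEMPT
 remark LAN to remote LAN is VPN traffic: do not translate it
 deny   ip 192.168.0.0 0.0.0.255 10.10.0.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
! Crypto ACL (mirror image at the remote site): only LAN-to-LAN is encrypted. Mail sent
! to or from the Dialer0 address does not match, so it stays outside the tunnel and the
! remote site's RDP/web-only VPN rules never apply to it.
ip access-list extended CRYPTO_ACL
 permit ip 192.168.0.0 0.0.0.255 10.10.0.0 0.0.0.255
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address CRYPTO_ACL
!
interface Dialer0
 ip nat outside
 crypto map VPNMAP
!
! Inbound ACL on the inside interface is checked before inside-to-outside NAT, so it sees
! the private address 192.168.0.2, not Dialer0. A deny here that catches the SBS server's
! SMTP/HTTPS replies or its outbound SMTP blocks the session even though the static NAT
! entry itself is correct; the permits below must precede any such deny.
ip access-list extended INSIDE_IN
 remark SBS mail/web replies and outbound SMTP, placed before any site-specific deny
 permit tcp host 192.168.0.2 eq 25 any
 permit tcp host 192.168.0.2 eq 443 any
 permit tcp host 192.168.0.2 any eq 25
 remark site policy for the rest of the LAN follows (constructed placeholder)
 permit ip 192.168.0.0 0.0.0.255 any
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip access-group INSIDE_IN in
```

After applying it, show ip nat translations should list the two static entries plus per-connection extended entries when the remote mail server connects to the Dialer0 address on port 25.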

Great to hear. Thanks.
