Problems with VPN on a PAT router

Answered Question
Jul 3rd, 2010

Hello


I have problems getting my VPN to work. I read through various configuration examples but still didn't get it working correctly.

Scenario: Connecting with the Cisco VPN Client to my Router from external.

Router is working as NAT overload/PAT. Internet: FA0/1, Internal Network: FA0/0

Problems: Connecting works without problems, but I can't access anything in the network behind the router. Pinging some hosts sometimes works, sometimes does not.



Anyone have an idea what the problem could be and what is wrong in my configuration?

Thanks in advance!



Here is my configuration:

Current configuration : 5817 bytes
!
! Last configuration change at 14:41:13 CEST Sat Jul 3 2010
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router01
!
boot-start-marker
boot-end-marker
!
enable secret 5 -CENSORED-
enable password -CENSORED-
!
clock timezone CET 1
clock summer-time CEST recurring
aaa new-model
!
!
aaa authentication login USERLIST local
aaa authorization network GROUP local
aaa session-id common
ip subnet-zero
ip cef
!
!
!
ip audit po max-events 100
ipv6 unicast-routing
!
!
!
!
!
!
!
!
!
!
!
!
username TEST password 0 -CENSORED-
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local ADDRESSPOOL
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group GROUP
 key -CENSORED-
 pool ADDRESSPOOL
 acl 150
!
!
crypto ipsec transform-set SET esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set SET
 reverse-route
!
!
crypto map DYNMAP client authentication list USERLIST
crypto map DYNMAP isakmp authorization list GROUP
crypto map DYNMAP client configuration address respond
crypto map DYNMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 172.16.0.250 255.255.252.0
 ip nat inside
 speed auto
 full-duplex
!
interface FastEthernet0/0.93
 encapsulation dot1Q 93
 ip address 172.20.2.5 255.255.255.252
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
 crypto map DYNMAP
!
interface Serial0/1
 no ip address
 shutdown
 no cdp enable
!
!
ip local pool ADDRESSPOOL 172.17.0.100 172.17.0.150
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 172.16.1.51 80 interface FastEthernet0/1 81
ip nat inside source static tcp 172.16.2.4 2909 interface FastEthernet0/1 2909
ip nat inside source static tcp 172.16.2.1 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 172.16.1.51 50000 interface FastEthernet0/1 50000
ip nat inside source static tcp 172.16.1.51 52000 interface FastEthernet0/1 52000
ip nat inside source static tcp 172.16.1.51 52001 interface FastEthernet0/1 52001
ip nat inside source static tcp 172.16.1.51 52002 interface FastEthernet0/1 52002
ip nat inside source static tcp 172.16.1.51 52003 interface FastEthernet0/1 52003
ip nat inside source static tcp 172.16.1.51 52004 interface FastEthernet0/1 52004
ip nat inside source static tcp 172.16.1.51 52005 interface FastEthernet0/1 52005
ip nat inside source static tcp 172.16.1.51 52006 interface FastEthernet0/1 52006
ip nat inside source static tcp 172.16.1.51 52007 interface FastEthernet0/1 52007
ip nat inside source static tcp 172.16.1.51 52008 interface FastEthernet0/1 52008
ip nat inside source static tcp 172.16.1.51 52009 interface FastEthernet0/1 52009
ip nat inside source static tcp 172.16.1.51 52010 interface FastEthernet0/1 52010
ip nat inside source static tcp 172.16.1.51 52011 interface FastEthernet0/1 52011
ip nat inside source static tcp 172.16.1.51 52012 interface FastEthernet0/1 52012
ip nat inside source static tcp 172.16.1.51 52013 interface FastEthernet0/1 52013
ip nat inside source static tcp 172.16.1.51 52014 interface FastEthernet0/1 52014
ip nat inside source static tcp 172.16.1.51 52015 interface FastEthernet0/1 52015
ip nat inside source static tcp 172.16.1.51 52016 interface FastEthernet0/1 52016
ip nat inside source static tcp 172.16.1.51 52017 interface FastEthernet0/1 52017
ip nat inside source static tcp 172.16.1.51 52018 interface FastEthernet0/1 52018
ip nat inside source static tcp 172.16.1.51 52019 interface FastEthernet0/1 52019
ip nat inside source static tcp 172.16.1.51 52020 interface FastEthernet0/1 52020
ip nat inside source static tcp 172.16.1.11 80 interface FastEthernet0/1 80
ip nat inside source static tcp 172.16.1.11 443 interface FastEthernet0/1 443
ip nat inside source static tcp 172.16.1.1 25 interface FastEthernet0/1 25
no ip http server
no ip http secure-server
ip classless
!
ip pim bidir-enable
!
access-list 1 permit 172.16.0.0 0.0.3.255
access-list 101 permit tcp any any eq 50000
access-list 101 permit tcp any any range 52000 52020
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 2909
access-list 150 permit ip 172.16.0.0 0.0.3.255 172.17.0.0 0.0.0.255
access-list 151 permit ip 172.16.0.0 0.0.3.255 any
!
route-map NONAT permit 10
 match ip address 151
!
snmp-server community public RO
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password -CENSORED-
!
ntp clock-period 17180405
ntp source FastEthernet0/1
ntp server 162.23.41.34
ntp server 162.23.41.56
ntp server 162.23.41.55
!
end

Marcin Latosiewicz (Cisco Employee) Sat, 07/03/2010 - 10:22

Jenny,


"Sometimes works, sometimes does not" is a very vague description.


If you run a constant ping, will it ever break? If it breaks, after what time does it break, and when does it recover?


What is the SW version?


That's a very interesting definition; nothing wrong with it, but everyone going through the config will have to look twice:

crypto map DYNMAP 10 ipsec-isakmp dynamic DYNMAP


Marcin

jemeier89 Sat, 07/03/2010 - 11:02

Hi Marcin,


Yes, I agree, this definition is a bit confusing. I should change one parameter so that we can distinguish better between those two parameters.


In fact I can start pinging, for example, 172.16.1.51, but I could not access anything. The reply is coming from the public IP address.

If I want to ping 172.16.1.11 afterwards, it doesn't work. But if I pinged 172.16.1.11 first, then it would work, but not 172.16.1.51.

So somehow it seems that the first address I ping works, but not any others. But still I can't access anything on that host.


show version:

Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 15:23 by dchih

ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)

router01 uptime is 22 weeks, 1 hour, 30 minutes
System returned to ROM by power-on
System restarted at 17:22:23 CET Sat Jan 30 2010
System image file is "flash:c2600-ik9o3s3-mz.123-26.bin"

Correct Answer
Marcin Latosiewicz (Cisco Employee) Sat, 07/03/2010 - 11:16

Jenny,


The NAT config is a bit odd: you have list 1.

List 1 matches everything on the inside (soooo all traffic from the inside subnet should be NATted).


You should create an extended access-list and create the entries


ip access-list extended 195
 10 deny ip LOCAL_ADDRESS LOCAL_MASK VPN_POOL VPN_MASK
 1000 permit ip LOCAL_ADDRESS LOCAL_MASK any


and apply that list to NAT overload.


Give this a try and let me know.



edit: Ouch, 12.3 Mainline ...Ollllllllllllld

jemeier89 Sat, 07/03/2010 - 13:53

Marcin ... Thanks a lot for your help, this was it!


But can it be that the hosts involved in the static NAT entries are not accessible?

(Also on the ports which are not involved, for example port 80 on the host 172.16.1.51?)



Yes, 12.3 is ooold... but it's the newest IOS available on a 2621 (no XM).


Again, thanks for your fast help!

Marcin Latosiewicz (Cisco Employee) Sat, 07/03/2010 - 14:43

Jenny,


Glad it's working.


Can't really explain why it would work sometimes. I'm not big on NAT on routers, especially older releases ;-)


Marcin

Gaston Bougie Sat, 07/03/2010 - 16:45

Hi Marcin,


Can you do a "show ip nat translation" on the router before and after "something" doesn't work?

And check the route-map option as well, to specify when to NAT.


I'm very curious about the vague situation.

jemeier89 Sun, 07/04/2010 - 09:50

If I want to access, for example, 172.16.1.51 on port 80 (a host which is included in the static NAT list, but not with this port), it doesn't work, and it creates the following NAT entry.


Pro Inside global      Inside local       Outside local      Outside global
tcp PUBLICIP:81        172.16.1.51:80     172.17.0.117:49326 172.17.0.117:49326


Accessing 172.16.0.12, which isn't included in any way in the static NAT list, works without a problem and also does not get listed in the NAT table.
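The two NAT observations in this thread (Marcin's fix of excluding the VPN pool from the overload rule, and the static-PAT translation jemeier89 posted last) can be reproduced with a small model of the router's NAT decision. The following is an added example written for this page, not code or configuration from the original posters or from Cisco. It models only the two rules that matter here: Cisco wildcard-mask ACL matching with first-match-wins and an implicit deny, and static translations being checked before, and independently of, the ACL on the "overload" rule. Marcin's placeholders are filled in with the values the posted config already uses in access-list 150 (LAN 172.16.0.0 0.0.3.255, VPN pool 172.17.0.0 0.0.0.255); "PUBLICIP" is the same placeholder as in the posted translation table; and the model keeps the source port on overload translations and ignores route-map conditions on static entries, both simplifications, not IOS behaviour the page documents.

```python
"""Model of the NAT decision this thread is about: does a reply from a LAN host
to a VPN-pool client get translated on its way out of FastEthernet0/1?
Only two rules are modelled: wildcard-mask ACL matching (first match wins,
implicit deny) and 'static entries first, regardless of the dynamic ACL'."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str            # inside local address (the LAN host replying)
    dst: str            # outside address (here: the VPN client's pool address)
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard masks: a 0 bit must match exactly, a 1 bit is a don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


# An ACE is (action, src_base, src_wildcard, dst_base, dst_wildcard).
ANY = ("0.0.0.0", "255.255.255.255")


def acl_permits(acl, pkt: Packet) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    for action, src, src_wc, dst, dst_wc in acl:
        if wildcard_match(pkt.src, src, src_wc) and wildcard_match(pkt.dst, dst, dst_wc):
            return action == "permit"
    return False


# access-list 1 from the posted config: a standard list, so the destination is 'any'.
ACL_1 = [("permit", "172.16.0.0", "0.0.3.255", *ANY)]

# Marcin's extended list 195 with the config's own values filled in:
# LOCAL_ADDRESS/LOCAL_MASK = 172.16.0.0 0.0.3.255, VPN_POOL/VPN_MASK = 172.17.0.0 0.0.0.255.
ACL_195 = [
    ("deny",   "172.16.0.0", "0.0.3.255", "172.17.0.0", "0.0.0.255"),
    ("permit", "172.16.0.0", "0.0.3.255", *ANY),
]

# The static PAT entries from the posted config that the thread talks about:
# (proto, inside local, local port) -> inside global port on FastEthernet0/1.
STATIC_PAT = {
    ("tcp", "172.16.1.51", 80):   81,
    ("tcp", "172.16.1.11", 80):   80,
    ("tcp", "172.16.1.11", 443): 443,
    ("tcp", "172.16.2.1", 3389): 3389,
}


def translate(pkt: Packet, dynamic_acl, public_ip: str = "PUBLICIP"):
    """Return the inside-global 'address:port' the packet leaves with, or None
    when it is forwarded untranslated (which is what VPN-bound traffic needs)."""
    # Static translations are checked first and are not governed by the ACL of
    # the overload rule. That is what the posted table shows:
    # tcp PUBLICIP:81  172.16.1.51:80  172.17.0.117:49326  172.17.0.117:49326
    global_port = STATIC_PAT.get((pkt.proto, pkt.src, pkt.sport))
    if global_port is not None:
        return f"{public_ip}:{global_port}"
    if acl_permits(dynamic_acl, pkt):
        # Overload: IOS allocates a port per flow; this model simply keeps the
        # source port (a simplification), which is enough for the decision.
        return f"{public_ip}:{pkt.sport}"
    return None


def explain(pkt: Packet, dynamic_acl) -> str:
    result = translate(pkt, dynamic_acl)
    return "untranslated (reaches the VPN client)" if result is None else f"translated to {result}"


if __name__ == "__main__":
    # Constructed sample flows: replies from two LAN hosts to the VPN client 172.17.0.117.
    client = "172.17.0.117"
    reply_from_0_12 = Packet("172.16.0.12", client, "tcp", 80, 49326)
    reply_from_1_51 = Packet("172.16.1.51", client, "tcp", 80, 49326)
    for name, acl in (("access-list 1", ACL_1), ("access-list 195", ACL_195)):
        print(name)
        print("  172.16.0.12:80 ->", explain(reply_from_0_12, acl))
        print("  172.16.1.51:80 ->", explain(reply_from_1_51, acl))
```

With access-list 1 both replies leave as PUBLICIP, matching "the reply is coming from the public IP address"; with list 195 the reply from 172.16.0.12 goes out untranslated and never appears in the translation table, while 172.16.1.51:80 still hits its static entry and leaves as PUBLICIP:81 in both cases, which is the entry in the last post. That is also why Gaston's pointer at the route-map option is the direction to look for the static entries: the deny in list 195 only governs the overload rule.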
