VPN and Nat

Unanswered Question
Sep 19th, 2010
Hello everyone...

I have a Cisco 831 that I configured with VPN access.

I do VPN with Cisco VPN Client.

I have some static NAT.

The question is:

How can I exclude VPN traffic from NAT?
What I want is that when I am connected via VPN, I have full access to my LAN without being translated (NAT).

Any additional information, just let me know.


Regards.


Joe.

Nagaraja Thanthry Sun, 09/19/2010 - 21:54
Cisco Employee

Hello,


Please try the following:

Consider that you have an inside server 192.168.1.1 running a web server and you are mapping it to the outside interface IP (100.1.1.1). Let your VPN subnet be 10.1.1.0/24.

access-list 101 deny tcp host 192.168.1.1 eq 80 10.1.1.0 0.0.0.255
access-list 101 permit tcp host 192.168.1.1 eq 80 any

route-map WebServer
match ip address 101
exit

ip nat inside source static tcp 192.168.1.1 80 100.1.1.1 80 route-map WebServer

For dynamic NAT:

access-list 102 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any

route-map GeneralNat
match ip address 10
exit

ip nat inside source route-map GeneralNat interface FastEthernet0 overload


Hope this helps.


Regards,


NT

Jose Pena Sun, 09/19/2010 - 22:21
I have this:

ip nat inside source list 1 interface Ethernet1 overload

It means that I have to replace it with this:

ip nat inside source route-map GeneralNat interface FastEthernet0 overload

I have other configuration like this:

ip nat inside source static tcp 192.168.100.10 25 interface Ethernet1 25
ip nat inside source static tcp 192.168.100.10 80 interface Ethernet1 80
ip nat inside source static tcp 192.168.100.10 22 interface Ethernet1 5700

See my configuration and let me know how the changes can be done.
I want full access to the LAN when I am doing VPN without being translated.

Regards.

!
! Last configuration change at 23:09:02 PDT Fri Sep 17 2010 by ajpenn
! NVRAM config last updated at 23:09:10 PDT Fri Sep 17 2010 by ajpenn
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname manresa831
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 XXXXXXXXXXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login VPNUSER local
aaa authorization network VPNGROUP local
!
aaa session-id common
clock timezone PST -8
clock summer-time PDT recurring
no ip source-route
!
!
!
!
ip cef
ip domain name mydomain.com
ip name-server 192.168.100.10
ip name-server 74.XX.XX.45
ip name-server 74.XX.XX.55
no ip bootp server
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
crypto pki trustpoint TP-self-signed-741011128
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-741011128
revocation-check none
rsakeypair TP-self-signed-741011128
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-741011128
certificate self-signed 01
  quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
username ajpenn privilege 15 view root secret 5 xxxxxxxxxxxxxxxxxxxxxxx
archive
log config
  logging enable
  hidekeys
!
!
ip tcp synwait-time 10
!
class-map match-any CCP-Transactional-1
match  dscp af21
match  dscp af22
match  dscp af23
class-map match-any CCP-Voice-1
match  dscp ef
class-map match-any CCP-Routing-1
match  dscp cs6
class-map match-any CCP-Signaling-1
match  dscp cs3
match  dscp af31
class-map match-any CCP-Management-1
match  dscp cs2
!
!
policy-map CCP-QoS-Policy-1
class CCP-Voice-1
  priority percent 45
class CCP-Signaling-1
  bandwidth percent 5
class CCP-Routing-1
  bandwidth percent 5
class CCP-Management-1
  bandwidth percent 5
class CCP-Transactional-1
  bandwidth percent 5
class class-default
  fair-queue
  random-detect
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNTUNNEL
key xxxxxxxxxxxxxxxxxxxxxxx
dns 192.168.100.10
wins 192.168.100.10
domain mydomain.com
pool VPNPOOL
acl 101
!
!
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
!
crypto dynamic-map MY_DYN_MAP 10
set transform-set ESP-3DES
reverse-route
!
!
crypto map OUTSIDE_MAP client authentication list VPNUSER
crypto map OUTSIDE_MAP isakmp authorization list VPNGROUP
crypto map OUTSIDE_MAP client configuration address initiate
crypto map OUTSIDE_MAP client configuration address respond
crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic MY_DYN_MAP
!
!
!
interface Ethernet0
description LAN$ETH-LAN$$FW_INSIDE$
ip address 192.168.100.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip proxy-arp
ip nat inside
ip nat enable
ip virtual-reassembly
no ip mroute-cache
no cdp enable
!
interface Ethernet1
description WAN$ETH-WAN$$FW_OUTSIDE$
ip address 172.1.1.168 255.255.255.0
ip access-group 104 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip nat enable
ip inspect CCP_LOW out
ip virtual-reassembly
duplex auto
no cdp enable
crypto map OUTSIDE_MAP
service-policy output CCP-QoS-Policy-1
!
interface Ethernet2
no ip address
no ip redirects
shutdown
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
ip local pool VPNPOOL 10.10.100.1 10.10.100.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.1.1.1
!
ip http server
ip http access-class 1
ip http secure-server
!
ip dns server
ip dns spoofing
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 192.168.100.10 25 interface Ethernet1 25
ip nat inside source static tcp 192.168.100.10 80 interface Ethernet1 80
ip nat inside source static tcp 192.168.100.10 993 interface Ethernet1 993
ip nat inside source static tcp 192.168.100.10 53 interface Ethernet1 53
ip nat inside source static tcp 192.168.100.10 143 interface Ethernet1 143
ip nat inside source static tcp 192.168.100.10 443 interface Ethernet1 443
ip nat inside source static tcp 192.168.100.10 22 interface Ethernet1 5700
ip nat inside source static tcp 192.168.100.10 110 interface Ethernet1 995
ip nat inside source static tcp 192.168.100.10 465 interface Ethernet1 465
ip nat inside source static tcp 192.168.100.96 5900 interface Ethernet1 5902
ip nat inside source static tcp 192.168.100.97 5900 interface Ethernet1 5901
!
!
ip access-list standard NATAddresses
permit 192.168.100.0 0.0.0.255
!
ip access-list extended NatOutsideIn
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit ahp any any
permit esp any any
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit icmp any any unreachable
permit icmp any any traceroute
permit icmp any any echo-reply
permit icmp any any echo log-input
permit tcp any any eq smtp
permit tcp any any eq www
permit tcp host 192.168.100.0 any eq 22
permit tcp host 10.10.100.0 any eq 22
permit tcp any any eq domain
permit tcp any any eq 993
permit tcp any any eq 143
permit tcp any any eq 443
permit tcp any any eq pop3
permit tcp any any eq 995
permit tcp any any eq 465
permit tcp any any eq 5700
permit tcp any any eq 5900
permit tcp any any eq 5901
permit tcp any any eq 5902
permit udp host 131.107.1.10 host 172.1.1.168 eq ntp
permit udp host 140.142.16.34 host 172.1.1.168 eq ntp
deny   ip 192.168.100.0 0.0.0.255 any log-input
deny   ip host 255.255.255.255 any
deny   icmp any any redirect
deny   icmp any any timestamp-request
logging trap debugging
logging facility syslog
logging 192.168.100.0
logging 10.10.100.0
logging 192.168.100.10
access-list 23 permit 10.10.100.0 0.0.0.255
access-list 23 permit 192.168.100.0 0.0.0.255
access-list 23 deny   any
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 remark Auto generated by SDM for NTP (123) 131.107.1.10
access-list 100 permit udp host 131.107.1.10 eq ntp host 192.168.100.1 eq ntp
access-list 100 remark Auto generated by SDM for NTP (123) 140.142.16.34
access-list 100 permit udp host 140.142.16.34 eq ntp host 192.168.100.1 eq ntp
access-list 100 deny   ip 172.1.1.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.1 eq 22
access-list 100 permit tcp 10.10.100.0 0.0.0.255 host 192.168.100.1 eq 22
access-list 100 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.1 eq www
access-list 100 permit tcp 10.10.100.0 0.0.0.255 host 192.168.100.1 eq www
access-list 100 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.1 eq 443
access-list 100 permit tcp 10.10.100.0 0.0.0.255 host 192.168.100.1 eq 443
access-list 100 permit tcp 192.168.100.0 0.0.0.255 host 192.168.100.1 eq cmd
access-list 100 permit udp 192.168.100.0 0.0.0.255 host 192.168.100.1 eq snmp
access-list 100 deny   tcp any host 192.168.100.1 eq telnet
access-list 100 deny   tcp any host 192.168.100.1 eq 22
access-list 100 deny   tcp any host 192.168.100.1 eq www
access-list 100 deny   tcp any host 192.168.100.1 eq 443
access-list 100 deny   tcp any host 192.168.100.1 eq cmd
access-list 100 deny   udp any host 192.168.100.1 eq snmp
access-list 100 permit ip any any
access-list 101 permit ip 192.168.100.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit ip 192.168.100.0 0.0.0.255 any
access-list 104 remark auto generated by CCP firewall configuration
access-list 104 remark CCP_ACL Category=1
access-list 104 permit udp host 74.XX.XX.55 eq domain host 172.1.1.168
access-list 104 permit udp host 74.XX.XX.45 eq domain host 172.1.1.168
access-list 104 permit tcp any host 172.1.1.168 eq smtp
access-list 104 permit tcp any host 172.1.1.168 eq www
access-list 104 permit tcp any host 172.1.1.168 eq 993
access-list 104 permit tcp any host 172.1.1.168 eq domain
access-list 104 permit tcp any host 172.1.1.168 eq 143
access-list 104 permit tcp any host 172.1.1.168 eq 443
access-list 104 permit tcp any host 172.1.1.168 eq 5700
access-list 104 permit tcp any host 172.1.1.168 eq 995
access-list 104 permit tcp any host 172.1.1.168 eq 465
access-list 104 permit tcp any host 172.1.1.168 eq 5902
access-list 104 permit tcp any host 172.1.1.168 eq 5901
access-list 104 remark Auto generated by SDM for NTP (123) 131.107.1.10
access-list 104 permit udp host 131.107.1.10 eq ntp host 172.1.1.168 eq ntp
access-list 104 remark Auto generated by SDM for NTP (123) 140.142.16.34
access-list 104 permit udp host 140.142.16.34 eq ntp host 172.1.1.168 eq ntp
access-list 104 permit ahp any host 172.1.1.168
access-list 104 permit esp any host 172.1.1.168
access-list 104 permit udp any host 172.1.1.168 eq isakmp
access-list 104 permit udp any host 172.1.1.168 eq non500-isakmp
access-list 104 permit ip 10.10.100.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 104 deny   ip 192.168.100.0 0.0.0.255 any
access-list 104 permit icmp any host 172.1.1.168 echo-reply
access-list 104 permit icmp any host 172.1.1.168 time-exceeded
access-list 104 permit icmp any host 172.1.1.168 unreachable
access-list 104 permit tcp host 66.92.24.34 host 172.1.1.168 eq 443
access-list 104 permit tcp host 66.92.24.34 host 172.1.1.168 eq 22
access-list 104 permit tcp host 66.92.24.34 host 172.1.1.168 eq cmd
access-list 104 permit tcp host 66.92.24.34 host 172.1.1.168 eq 4443
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
access-list 111 permit ip 192.168.100.0 0.0.0.25 10.10.100.0 0.0.0.255
access-list 111 deny   ip 192.168.100.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 111 permit ip any any
access-list 199 deny   ip 192.168.100.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 199 permit ip 192.168.100.0 0.0.0.255 any
snmp-server community XXXXXXXXXX RO
!
no cdp run
!
route-map nonat permit 10
match ip address 199
!
tftp-server 192.168.100.10
!
!
control-plane
!
banner exec 
Remember!!!
This system is solely for the use of authorized users for official
purposes.
banner login 
***************************************************************************
* L E G A L N O T I C E -- Y O U M U S T R E A D *
***************************************************************************
* *
* You must have explicit permission to access or configure this *
* device. All activities performed on this device are logged and *
* violations of this policy may result in criminal prosecution. *
* *
***************************************************************************
* *
* This system is for the use of authorized users only. Individuals using *
* this computer system without authority, or in excess of their authority,*
* are subject to having all of their activities on this system monitored *
* and recorded by system personnel. *
* *
* *
* Anyone using this system expressly consents to such monitoring and is *
* advised that if such monitoring reveals possible evidence of criminal *
* activity, system personnel may provide the evidence of such monitoring *
* to law enforcement officials. *
* *
***************************************************************************
* UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED *
***************************************************************************
!
line con 0
no modem enable
line aux 0
line vty 0
access-class 102 in
password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
transport input ssh
line vty 1 4
access-class 103 in
transport input none
!
scheduler max-task-time 5000
scheduler interval 500
sntp server 131.107.1.10
sntp server 140.142.16.34
end

Jose Pena Sun, 09/19/2010 - 23:59
This part:

route-map GeneralNat
match ip address 10
exit

The "match ip address 10": should the number 10 be an access list? I don't see any "list 10" in the sample you gave me.


Thank you for your help.


regards.

Nagaraja Thanthry Mon, 09/20/2010 - 06:16
Cisco Employee

Hello,


It was a typo. The access-list should have been "102". The route-map based solution will allow you to have full connectivity between the VPN clients and the internal LAN.


Hope this helps.


Regards,


NT

Jose Pena Tue, 09/21/2010 - 00:35
Nagaraja...

I entered the following into my router:

ip nat inside source route-map MainNat interface Ethernet1 overload

access-list 105 deny ip 192.168.100.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 105 permit ip 192.168.100.0 0.0.0.255 any

route-map MainNat
match ip address 105
exit

where Ethernet1 is my outside interface, 192.168.100.0 the LAN and 10.10.100.0 the VPN. I connected from my office to home and tried to access port 22 on the server, but it didn't work.

See my configuration above and note that I'm doing PAT (I'm not sure about the term), the line

ip nat inside source static tcp 192.168.100.10 22 interface Ethernet1 5700

When I connect via VPN and try to get direct access to my internal server on port 22, the connection never gets established.
Somebody told me that the connection is translated before entering the VPN. How can I exclude my VPN traffic from being translated?
See the configuration entered and let me know what is wrong.
Thank you so much for the help.
JoeP
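Putting both halves of the earlier answer together for the addressing in the posted config, as an added example that is not part of the thread: ACL 105 and route-map MainNat are the names Jose already used; the way the static entries are re-added with the route-map, and the verification commands, are an assumption about how the pieces combine on this release.

```cisco
! Added example (not from the thread): exempt VPN-bound traffic from NAT
! on the 831 using the posted addressing: LAN 192.168.100.0/24,
! VPN pool 10.10.100.0/24, server 192.168.100.10, outside interface Ethernet1.
!
! ACL 105 drives the NAT decision only. In a NAT route-map a "deny" means
! "do not translate", not "drop"; ACL 101 (split-tunnel) and ACL 104
! (interface firewall) are unaffected.
access-list 105 deny   ip 192.168.100.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 105 permit ip 192.168.100.0 0.0.0.255 any
!
route-map MainNat permit 10
 match ip address 105
!
! Dynamic PAT: the old "list 1" statement translates LAN->VPN traffic
! unconditionally, so it is replaced rather than kept alongside.
no ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source route-map MainNat interface Ethernet1 overload
!
! Static PAT: a static entry without a route-map matches on inside address
! and port alone, so a reply from 192.168.100.10:22 to a VPN client is
! rewritten to 172.1.1.168:5700 before the crypto map is evaluated, no longer
! matches the VPN traffic ACL, and the SSH session never completes. Every
! static entry the VPN clients should reach directly needs the route-map;
! the SSH one is shown, the others (25, 80, 443, ...) follow the same pattern.
! (Assumption: this IOS release accepts route-map with the "interface" form;
! if not, use the outside address 172.1.1.168 in place of "interface Ethernet1".)
no ip nat inside source static tcp 192.168.100.10 22 interface Ethernet1 5700
ip nat inside source static tcp 192.168.100.10 22 interface Ethernet1 5700 route-map MainNat
!
! Verification: existing translations are cached, so clear them, then open
! an SSH session from a VPN client. No translation with a 10.10.100.x
! destination should appear, and the route-map counters should increment.
! clear ip nat translation *
! show ip nat translations | include 10.10.100.
! show route-map MainNat
```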
