08-12-2013 12:30 PM
See config below.
Background: Originally I had this set up without the route-map Nonat1 on the ip nat inside statements. With this, if I VPNed in to the network and tried to use one of the services that were translated, they would not work because I would get replies from the external IP address.
For instance - I would VPN in and telnet to the 192.168.100.213:1352 and if I were capturing with wireshark I would get the external address response in the TCP handshake because it was being translated and it would fail. During my VPN connection I could telnet to the external address x.x.x.1:1352 without issue.
I added the route-map and solved the issue, bypassing those translations for the VPN net. My question is, is the way I did it the best way to do it or is there another way?
Thank you.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Lef871
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$iWHZ$kARifwBMTrEjbscna8v.X/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 group radius local
aaa authentication login sslvpn local
aaa authentication login userauthen group radius local
aaa authorization exec userauthen group radius local
aaa authorization network vpn_group_ml_1 group radius local
aaa authorization network LEF-VPNGrp group radius local
aaa authorization network groupauthor local
aaa authorization network userauthen group radius local
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name lefad.local
ip name-server 192.168.100.102
ip inspect name DEFAULT-INSPECT icmp
ip inspect name DEFAULT-INSPECT tcp
ip inspect name DEFAULT-INSPECT udp
no ipv6 cef
!
multilink bundle-name authenticated
!
password encryption aes
!
!
object-group network SOURCE_MGMT
192.168.100.0 255.255.255.0
173.160.106.40 255.255.255.248
71.63.249.0 255.255.255.0
!
object-group service SSH
tcp-udp eq 22
!
username admin privilege 15 secret 5 $1$Iu22$OiNXyxdNEkJiCzf3ulYe20
username greyduck privilege 15 secret 5 $1$MNkY$cpYetNgs4sPtiSg/ldVD31
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group LEF-Vxxx
key Tunnelxxxxx
dns 192.168.100.102
wins 192.168.100.102
domain lefad.local
pool LEF-Pool
acl 120
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
ip ssh time-out 60
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address x.x.x.65 255.255.255.0 secondary
ip address x.x.x.67 255.255.255.0 secondary
ip address x.x.x.68 255.255.255.0 secondary
ip address x.x.x.69 255.255.255.0 secondary
ip address x.x.x.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface Vlan1
ip address 192.168.100.15 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool LEF-Pool 192.168.11.10 192.168.11.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.254
ip route 172.16.100.0 255.255.255.0 192.168.100.90
no ip http server
no ip http secure-server
!
!
ip nat pool WAN x.x.x.1 x.x.x.1 prefix-length 24
ip nat pool WAN-65 x.x.x.65 x.x.x.65 prefix-length 24
ip nat pool WAN-67 x.x.x.67 x.x.x.67 prefix-length 24
ip nat pool WAN-69 x.x.x.69 x.x.x.69 prefix-length 24
ip nat pool WAN-68 x.x.x.68 x.x.x.68 prefix-length 24
ip nat source static 192.168.100.214 x.x.x.68
ip nat inside source list 100 pool WAN overload
ip nat inside source list 101 pool WAN-65 overload
ip nat inside source list 102 pool WAN-67 overload
ip nat inside source list 103 pool WAN-68 overload
ip nat inside source list 104 pool WAN-69 overload
ip nat inside source static tcp 192.168.100.213 25 x.x.x.1 25 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 80 x.x.x.1 80 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 110 x.x.x.1 110 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 139 x.x.x.1 139 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 143 x.x.x.1 143 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 389 x.x.x.1 389 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 443 x.x.x.1 443 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 445 x.x.x.1 445 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 1352 x.x.x.1 1352 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 3101 x.x.x.1 3101 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.197 6001 x.x.x.1 6001 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 7443 x.x.x.1 7443 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 8080 x.x.x.1 8080 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 8085 x.x.x.1 8085 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 8642 x.x.x.1 8642 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 8889 x.x.x.1 8889 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 28315 x.x.x.1 28315 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 50125 x.x.x.1 50125 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.220 3389 x.x.x.1 63389 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.161 21 x.x.x.65 21 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.161 3389 x.x.x.65 3389 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.161 4899 x.x.x.65 4899 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.174 80 x.x.x.67 80 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.174 443 x.x.x.67 443 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.174 3389 x.x.x.67 3389 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.214 80 x.x.x.68 80 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.214 1352 x.x.x.68 1352 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.214 1533 x.x.x.68 1533 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.161 8088 x.x.x.68 8088 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.202 80 x.x.x.69 80 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.202 1494 x.x.x.69 1494 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.202 2598 x.x.x.69 2598 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.202 6001 x.x.x.69 6001 route-map Nonat1 extendable
ip nat inside source static 192.168.100.202 x.x.x.69 route-map Nonat1
!
ip access-list extended MANAGEMENT
permit object-group SSH object-group SOURCE_MGMT any
ip access-list extended OUTSIDE-IN
!
logging trap debugging
access-list 11 permit 192.168.100.161
access-list 12 permit 192.168.100.174
access-list 12 permit 192.168.100.192
access-list 13 permit 192.168.100.214
access-list 14 permit 192.168.100.202
access-list 100 deny ip host 192.168.100.161 any
access-list 100 deny ip host 192.168.100.174 any
access-list 100 deny ip host 192.168.100.192 any
access-list 100 deny ip host 192.168.100.202 any
access-list 100 deny ip host 192.168.100.214 any
access-list 100 deny ip 192.168.100.0 0.0.0.255 host 192.168.11.10
access-list 100 deny ip 192.168.100.0 0.0.0.255 host 192.168.11.11
access-list 100 deny ip 192.168.100.0 0.0.0.255 host 192.168.11.12
access-list 100 deny ip 192.168.100.0 0.0.0.255 host 192.168.11.13
access-list 100 deny ip 192.168.100.0 0.0.0.255 host 192.168.11.14
access-list 100 deny ip 192.168.100.0 0.0.0.255 host 192.168.11.15
access-list 100 deny ip 192.168.100.0 0.0.0.255 host 192.168.11.16
access-list 100 deny ip 192.168.100.0 0.0.0.255 host 192.168.11.17
access-list 100 deny ip 192.168.100.0 0.0.0.255 host 192.168.11.18
access-list 100 deny ip 192.168.100.0 0.0.0.255 host 192.168.11.19
access-list 100 deny ip 192.168.100.0 0.0.0.255 host 192.168.11.20
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 deny ip host 192.168.100.161 192.168.11.0 0.0.0.255
access-list 101 permit ip host 192.168.100.161 any
access-list 102 deny ip host 192.168.100.174 192.168.11.0 0.0.0.255
access-list 102 deny ip host 192.168.100.192 192.168.11.0 0.0.0.255
access-list 102 permit ip host 192.168.100.174 any
access-list 102 permit ip host 192.168.100.192 any
access-list 103 deny ip host 192.168.100.214 192.168.11.0 0.0.0.255
access-list 103 permit ip host 192.168.100.214 any
access-list 104 deny ip host 192.168.100.202 192.168.11.0 0.0.0.255
access-list 104 permit ip host 192.168.100.202 any
access-list 120 permit ip 192.168.100.0 0.0.0.255 any log
access-list 130 deny ip 192.168.11.0 0.0.0.255 any
!
!
!
!
route-map Nonat1 permit 10
match ip address 130
!
!
radius-server host 192.168.100.212 auth-port 1645 acct-port 1646
radius-server key radius
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class MANAGEMENT in
transport input ssh
!
scheduler max-task-time 5000
end
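A consistency check for the route-map exemption, as an added example that is not part of the original post: it parses an excerpt of the posted config and flags any static NAT entry that would still translate traffic to or from the VPN pool (no route-map on the entry, or a route-map whose ACL does not deny the whole pool). The excerpt is constructed from the post, with the masked x.x.x.N addresses kept as posted; the function and variable names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the posted 871 config (masked public addresses kept as posted).
CONFIG = """
ip local pool LEF-Pool 192.168.11.10 192.168.11.20
ip nat source static 192.168.100.214 x.x.x.68
ip nat inside source static tcp 192.168.100.213 1352 x.x.x.1 1352 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.220 3389 x.x.x.1 63389 route-map Nonat1 extendable
ip nat inside source static 192.168.100.202 x.x.x.69 route-map Nonat1
access-list 130 deny ip 192.168.11.0 0.0.0.255 any
route-map Nonat1 permit 10
 match ip address 130
"""

def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to a network (wildcard is the inverted mask)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit_nat_exemption(config):
    """Return (line, reason) pairs for static NAT entries that do not exempt the VPN pool."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    pool = re.search(r"ip local pool \S+ (\S+) (\S+)", config)
    pool_lo, pool_hi = (ipaddress.IPv4Address(p) for p in pool.groups())
    rm_acl, current = {}, None          # route-map name -> ACL it matches on
    for l in lines:
        m = re.match(r"route-map (\S+) permit", l)
        if m:
            current = m.group(1)
        m = re.match(r"match ip address (\S+)", l)
        if m and current:
            rm_acl[current] = m.group(1)
    acl_deny = {}                       # ACL number -> networks denied toward any destination
    for l in lines:
        m = re.match(r"access-list (\S+) deny ip (\S+) (\S+) any", l)
        if m:
            acl_deny.setdefault(m.group(1), []).append(wildcard_to_network(m.group(2), m.group(3)))
    findings = []
    for l in lines:
        if not re.match(r"ip nat (inside )?source static", l):
            continue
        m = re.search(r"route-map (\S+)", l)
        if not m:
            findings.append((l, "no route-map: VPN clients will get replies from the translated address"))
            continue
        nets = acl_deny.get(rm_acl.get(m.group(1), ""), [])
        if not any(pool_lo in n and pool_hi in n for n in nets):
            findings.append((l, "route-map ACL does not deny the whole VPN pool"))
    return findings
```

Run against the full config, the only entry it reports is the plain ip nat source static line, which carries no route-map.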