871 Termination Question

Anthony.Herman
Level 1

See config below.

Background: Originally I had this set up without the route-map Nonat1 on the ip nat inside statements. With this, if I VPNed in to the network and tried to use one of the services that were translated, they would not work because I would get replies from the external IP address.

For instance, I would VPN in and telnet to 192.168.100.213:1352, and if I were capturing with Wireshark I would get the external address in the response in the TCP handshake, because it was being translated, and it would fail. During my VPN connection I could telnet to the external address x.x.x.1:1352 without issue.

I added the route-map and solved the issue, bypassing those translations for the VPN net. My question is, is the way I did it the best way to do it or is there another way? 

Thank you.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Lef871
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$iWHZ$kARifwBMTrEjbscna8v.X/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 group radius local
aaa authentication login sslvpn local
aaa authentication login userauthen group radius local
aaa authorization exec userauthen group radius local
aaa authorization network vpn_group_ml_1 group radius local
aaa authorization network LEF-VPNGrp group radius local
aaa authorization network groupauthor local
aaa authorization network userauthen group radius local
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name lefad.local
ip name-server 192.168.100.102
ip inspect name DEFAULT-INSPECT icmp
ip inspect name DEFAULT-INSPECT tcp
ip inspect name DEFAULT-INSPECT udp
no ipv6 cef
!
multilink bundle-name authenticated
!
password encryption aes
!
!
object-group network SOURCE_MGMT
 192.168.100.0 255.255.255.0
 173.160.106.40 255.255.255.248
 71.63.249.0 255.255.255.0
!
object-group service SSH
 tcp-udp eq 22
!
username admin privilege 15 secret 5 $1$Iu22$OiNXyxdNEkJiCzf3ulYe20
username greyduck privilege 15 secret 5 $1$MNkY$cpYetNgs4sPtiSg/ldVD31
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group LEF-Vxxx
 key Tunnelxxxxx
 dns 192.168.100.102
 wins 192.168.100.102
 domain lefad.local
 pool LEF-Pool
 acl 120
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address x.x.x.65 255.255.255.0 secondary
 ip address x.x.x.67 255.255.255.0 secondary
 ip address x.x.x.68 255.255.255.0 secondary
 ip address x.x.x.69 255.255.255.0 secondary
 ip address x.x.x.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface Vlan1
 ip address 192.168.100.15 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool LEF-Pool 192.168.11.10 192.168.11.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.254
ip route 172.16.100.0 255.255.255.0 192.168.100.90
no ip http server
no ip http secure-server
!
!
ip nat pool WAN x.x.x.1 x.x.x.1 prefix-length 24
ip nat pool WAN-65 x.x.x.65 x.x.x.65 prefix-length 24
ip nat pool WAN-67 x.x.x.67 x.x.x.67 prefix-length 24
ip nat pool WAN-69 x.x.x.69 x.x.x.69 prefix-length 24
ip nat pool WAN-68 x.x.x.68 x.x.x.68 prefix-length 24
ip nat source static 192.168.100.214 x.x.x.68
ip nat inside source list 100 pool WAN overload
ip nat inside source list 101 pool WAN-65 overload
ip nat inside source list 102 pool WAN-67 overload
ip nat inside source list 103 pool WAN-68 overload
ip nat inside source list 104 pool WAN-69 overload
ip nat inside source static tcp 192.168.100.213 25 x.x.x.1 25 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 80 x.x.x.1 80 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 110 x.x.x.1 110 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 139 x.x.x.1 139 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 143 x.x.x.1 143 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 389 x.x.x.1 389 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 443 x.x.x.1 443 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 445 x.x.x.1 445 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 1352 x.x.x.1 1352 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 3101 x.x.x.1 3101 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.197 6001 x.x.x.1 6001 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 7443 x.x.x.1 7443 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 8080 x.x.x.1 8080 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 8085 x.x.x.1 8085 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 8642 x.x.x.1 8642 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 8889 x.x.x.1 8889 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 28315 x.x.x.1 28315 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.213 50125 x.x.x.1 50125 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.220 3389 x.x.x.1 63389 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.161 21 x.x.x.65 21 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.161 3389 x.x.x.65 3389 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.161 4899 x.x.x.65 4899 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.174 80 x.x.x.67 80 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.174 443 x.x.x.67 443 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.174 3389 x.x.x.67 3389 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.214 80 x.x.x.68 80 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.214 1352 x.x.x.68 1352 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.214 1533 x.x.x.68 1533 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.161 8088 x.x.x.68 8088 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.202 80 x.x.x.69 80 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.202 1494 x.x.x.69 1494 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.202 2598 x.x.x.69 2598 route-map Nonat1 extendable
ip nat inside source static tcp 192.168.100.202 6001 x.x.x.69 6001 route-map Nonat1 extendable
ip nat inside source static 192.168.100.202 x.x.x.69 route-map Nonat1
!
ip access-list extended MANAGEMENT
 permit object-group SSH object-group SOURCE_MGMT any
ip access-list extended OUTSIDE-IN
!
logging trap debugging
access-list 11 permit 192.168.100.161
access-list 12 permit 192.168.100.174
access-list 12 permit 192.168.100.192
access-list 13 permit 192.168.100.214
access-list 14 permit 192.168.100.202
access-list 100 deny   ip host 192.168.100.161 any
access-list 100 deny   ip host 192.168.100.174 any
access-list 100 deny   ip host 192.168.100.192 any
access-list 100 deny   ip host 192.168.100.202 any
access-list 100 deny   ip host 192.168.100.214 any
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.10
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.11
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.12
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.13
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.14
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.15
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.16
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.17
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.18
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.19
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.20
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 deny   ip host 192.168.100.161 192.168.11.0 0.0.0.255
access-list 101 permit ip host 192.168.100.161 any
access-list 102 deny   ip host 192.168.100.174 192.168.11.0 0.0.0.255
access-list 102 deny   ip host 192.168.100.192 192.168.11.0 0.0.0.255
access-list 102 permit ip host 192.168.100.174 any
access-list 102 permit ip host 192.168.100.192 any
access-list 103 deny   ip host 192.168.100.214 192.168.11.0 0.0.0.255
access-list 103 permit ip host 192.168.100.214 any
access-list 104 deny   ip host 192.168.100.202 192.168.11.0 0.0.0.255
access-list 104 permit ip host 192.168.100.202 any
access-list 120 permit ip 192.168.100.0 0.0.0.255 any log
access-list 130 deny   ip 192.168.11.0 0.0.0.255 any
!
!
!
!
route-map Nonat1 permit 10
 match ip address 130
!
!
radius-server host 192.168.100.212 auth-port 1645 acct-port 1646
radius-server key radius
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class MANAGEMENT in
 transport input ssh
!
scheduler max-task-time 5000
end


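The fragment below is an added example, not part of the original post and not a forum reply. It puts one of the pre-route-map static entries (the state the post says caused the failure) next to the route-map form, so the mechanism is visible in the config itself: a static entry on IOS has no access-list qualifier, so a route-map is the only way to make it conditional, and the route-map is consulted when the inside host sends traffic out, which is exactly the server's SYN/ACK toward the VPN client. The server, global address, VPN pool and the name Nonat1 are taken from the post; the named ACL NONAT-VPN, the collapsed form of the dynamic-NAT exemption and the show commands are assumptions for illustration, not the poster's configuration. Note that ACL 130 as posted is a single deny line, whereas the form below ends with an explicit permit.

```text
! Added example (not from the original post). Only 192.168.100.213:1352 is shown;
! the same shape applies to every static entry in the post.
!
! --- Before: the behaviour the post describes ---
! Every packet the server sends out FastEthernet4 is translated, including the
! SYN/ACK back to a VPN client in 192.168.11.0/24. The client sent its SYN to
! 192.168.100.213 but sees the reply sourced from x.x.x.1, so the handshake fails.
ip nat inside source static tcp 192.168.100.213 1352 x.x.x.1 1352 extendable
!
! --- After: conditional static NAT via route-map (the approach the post takes) ---
! The ACL is evaluated against inside-to-outside packets: server -> VPN pool is
! denied (left untranslated), everything else from the LAN is permitted.
! NONAT-VPN is an assumed name; the post uses numbered ACL 130.
ip access-list extended NONAT-VPN
 deny   ip 192.168.100.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 any
!
route-map Nonat1 permit 10
 match ip address NONAT-VPN
!
ip nat inside source static tcp 192.168.100.213 1352 x.x.x.1 1352 route-map Nonat1 extendable
!
! --- Same exemption for the dynamic PAT rule ---
! The post lists eleven /32 denies for 192.168.11.10-.20 in ACL 100; the whole
! pool subnet covers them in one line (assumed rewrite of ACL 100).
access-list 100 deny   ip 192.168.100.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
```

To confirm which path a given session took, `show ip nat translations | include 1352` should show no entry for a VPN-client destination in 192.168.11.0/24 while the Internet-facing entry remains; `show route-map Nonat1` shows the match counters, and `debug ip nat detailed` (noisy on a busy 871, use with a `debug ip nat` ACL or briefly) shows each translation decision.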