problem with NAT

Hi all,

My server 192.168.11.3 needs to be accessible from external and by VPN clients at TCP port 3389. However, my VPN clients could not access 192.168.11.3 at port 3389 because static NAT takes precedence over generic NAT. Hence I added ip nat inside source static tcp 192.168.11.3 3389 2 2.2.2.2 3389 route-map nonat to resolve the problem. My VPN client was then able to access 192.168.11.3 at TCP port 3389. However, a week later I noticed that I could not access my 1841 using SSH and VPN all of a sudden, which had been working all the while. I had to remove ip nat inside source static tcp 192.168.11.3 3389 2 2.2.2.2 3389 route-map nonat, after which I could access my 1841 using SSH and VPN. SNMP from external also fails. Below is the rest of the config before I removed the static route-map. Please advise why adding the static route-map would affect access to my 1841 via SSH and VPN from external, and why it happened a week later. Thanks in advance.

Current configuration : 5248 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router

!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
username test privilege 15 secret 5 xxxxxxxxxxxxx

mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login remote_auth local
aaa authorization network remote_auth local
aaa session-id common
ip subnet-zero
ip cef
!
!
!
!
ip ips po max-events 100
no ip domain lookup
ip domain name yourdomain.com
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key test address 1.1.1.1
!
crypto isakmp client configuration group vpn
key test
dns 192.168.11.11
pool vpnpool
acl split_tunnel
crypto isakmp profile vpnclient
   match identity group vpngroup
   client authentication list remote_auth
   isakmp authorization list remote_auth
   client configuration address respond
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile vpnclient
reverse-route
!
!
crypto map test 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set myset
match address 120
crypto map test 65535 ipsec-isakmp dynamic dynmap
!
!
!
interface FastEthernet0/0
ip address 192.168.11.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
mtu 1492
ip address negotiated
ip access-group 100 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname test
ppp chap password 7 xxxxx

ppp pap sent-username test password 7 xxxxxxx
crypto map test
!
ip local pool vpnpool 10.10.10.1 10.10.10.10
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static 192.168.11.3 2 2.2.2.2 route-map nonat extendable
ip nat inside source static tcp 192.168.11.1 80 2.2.2.2 80 extendable
ip nat inside source static tcp 192.168.11.2 443 2.2.2.2 443 extendable
!
ip access-list extended inbound
evaluate mis
ip access-list extended outbound
permit ip any any reflect mis
ip access-list extended split_tunnel
permit ip 192.168.11.0 0.0.0.255 10.10.10.0 0.0.0.255
!
access-list 1 permit any
access-list 10 permit 3.3.3.3
access-list 10 permit 192.168.11.0 0.0.0.255
access-list 100 permit tcp any host 2.2.2.2 eq 80
access-list 100 permit tcp any host 2.2.2.2 eq 443

access-list 100 permit tcp host 4.4.4.4 host 2.2.2.2 eq 3389
access-list 100 permit udp any any
access-list 100 permit icmp any any
access-list 100 permit tcp any any established
access-list 100 permit tcp any any ack
access-list 100 permit tcp any any psh
access-list 100 permit tcp any eq domain any
access-list 100 permit esp any any
access-list 100 permit tcp any host 2.2.2.2 eq 22
access-list 100 permit tcp any host 2.2.2.2 eq 443
access-list 110 deny   ip 192.168.11.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 192.168.11.0 0.0.0.255 any
access-list 120 permit ip 192.168.11.0 0.0.0.255 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
snmp-server community test RO 10
snmp-server enable traps tty
route-map nonat permit 10
match ip address 110
!
!
!
control-plane
!
^C
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input ssh
line vty 5 15
privilege level 15
transport input ssh
!
end
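The precedence the question relies on (a static NAT entry is tried before the dynamic overload entry, and a route-map on the static entry exempts LAN-to-VPN-pool traffic from translation), as an added Python model that is not from the original post. The addresses and ACL 110 are the ones in the thread; the rule ordering and the ACL/route-map semantics are a simplified assumption, not the IOS NAT code path.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of IOS "ip nat inside source" selection for a packet
# leaving an inside interface: static entries are tried before the dynamic
# overload rule, and a route-map on an entry gates whether it applies at all.
# Addresses and ACL 110 come from the post; the ordering is a simplification.

@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str     # source network, CIDR
    dst: str     # destination network, CIDR

def acl_permits(acl, src, dst):
    """First match wins; an ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if s in ipaddress.ip_network(ace.src) and d in ipaddress.ip_network(ace.dst):
            return ace.action == "permit"
    return False

@dataclass
class NatRule:
    kind: str                              # "static" or "dynamic"
    local: str                             # inside local host or network
    glob: str                              # inside global address
    port: Optional[int] = None             # static tcp port, None = whole host
    route_map: Optional[List[Ace]] = None  # None = unconditional entry

def translate(rules, src, sport, dst):
    """Source address the packet carries after NAT (unchanged if no entry applies)."""
    for r in sorted(rules, key=lambda r: r.kind != "static"):  # statics first
        if ipaddress.ip_address(src) not in ipaddress.ip_network(r.local):
            continue
        if r.port is not None and sport != r.port:
            continue
        if r.route_map is not None and not acl_permits(r.route_map, src, dst):
            continue  # route-map denies: skip this entry and keep looking
        return r.glob
    return src  # nothing matched: forwarded untranslated

# ACL 110 from the post: exempt LAN -> VPN pool, translate LAN -> anything else.
ACL_110 = [Ace("deny", "192.168.11.0/24", "10.10.10.0/24"),
           Ace("permit", "192.168.11.0/24", "0.0.0.0/0")]
DYNAMIC = NatRule("dynamic", "192.168.11.0/24", "2.2.2.2", route_map=ACL_110)
STATIC_PLAIN = NatRule("static", "192.168.11.3", "2.2.2.2", port=3389)
STATIC_NONAT = NatRule("static", "192.168.11.3", "2.2.2.2", port=3389, route_map=ACL_110)
```

With STATIC_PLAIN the server's reply to a VPN client at 10.10.10.5 leaves as 2.2.2.2 and the session breaks; with STATIC_NONAT the same reply keeps its 192.168.11.3 source while RDP from the Internet is still mapped to 2.2.2.2.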


Re: problem with NAT

Hi,

The fact that you added the route-map should not affect SSH or access to the router.

I would think that it was unrelated to the added configuration (1 week after).

I would suggest re-adding the configuration and testing again since, as I said, it should not affect it.

However, keep an eye on the device and enable logging to make sure that nothing breaks again.

Federico.
