Accessing NAT'd services over an IPSEC VPN - route-map question

I have two private networks connected via the internet over a site-to-site IPSEC VPN. I have DNS servers running on each network which run multiple views, one resolving the private networks and one NAT'd to the internet resolving public addresses. Because the name servers act as replicas, they need to be able to transfer zones both over the VPN and over the internet using their NAT'd addresses.

If I add a route-map to the static NAT, a host in one network can query a DNS server in the other network using its private address, but not its NAT'd internet address.

If I only have a route-map on the overload NAT then I can only query the remote DNS server by its NAT'd address and not over the VPN.

In any case, the query is logged on the DNS server, and appears to have come from the correct address, i.e. either the host's private address when querying over the VPN or the primary network's public address when querying the secondary network's public address, but the querying host never receives the response.

A rough extract of the relevant configs:

ip nat inside source route-map no-nat-map interface FastEthernet4 overload
ip nat inside source static tcp 192.168.2.101 53 203.xx.xx.xx 53 route-map no-nat-map extendable
ip nat inside source static udp 192.168.2.101 53 203.xx.xx.xx 53 route-map no-nat-map extendable
!
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
!
route-map no-nat-map permit 1
 match ip address 101

Any suggestions to resolve this, including references to relevant reading greatly appreciated!
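To make the behaviour of the `no-nat-map` route-map concrete, here is an added example (it is not part of the original post and is not Cisco code) that models in Python how an IOS access-list with wildcard masks is evaluated and how a route-map that matches on it gates a NAT rule: a flow the ACL permits is translated, a flow it denies (or that hits the implicit deny at the end) matches no clause and is left untranslated, which is what lets VPN-bound traffic keep its private source address. The ACL lines are the ones from the post; the remote DNS server's public address 198.51.100.53 is a constructed stand-in for the elided 203.xx.xx.xx value. The model covers only the route-map gate, not the ordering between the static and overload rules that the question is really about.

```python
"""Model of an IOS access-list plus a route-map-gated NAT decision.

Added example for illustration; not code from the post or from Cisco.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol; "tcp"/"udp" match only themselves
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int


def _parse_addr(tokens, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_acl(config_lines):
    """Parse 'access-list N permit|deny PROTO SRC DST ...' lines into AclEntry objects."""
    entries = []
    for line in config_lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue  # comment, bang line or unrelated config
        action, proto = t[2], t[3]
        src_net, src_wild, i = _parse_addr(t, 4)
        dst_net, dst_wild, _ = _parse_addr(t, i)   # trailing 'eq 53' etc. is ignored here
        entries.append(AclEntry(action, proto, src_net, src_wild, dst_net, dst_wild))
    return entries


def _wild_match(addr, net, wild):
    """Wildcard-mask match: a bit set in the mask is 'don't care', a clear bit must equal."""
    return ((addr ^ net) & (~wild & 0xFFFFFFFF)) == 0


def acl_lookup(entries, src, dst, proto="ip"):
    """First-match evaluation, with IOS's implicit 'deny' when nothing matches."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if _wild_match(s, e.src_net, e.src_wild) and _wild_match(d, e.dst_net, e.dst_wild):
            return e.action
    return "deny"


def nat_applies(entries, src, dst, proto="ip"):
    """'route-map no-nat-map permit 1' / 'match ip address 101': a flow the ACL permits
    matches the permit clause and is translated; a flow the ACL denies matches no
    clause, so the NAT statement carrying the route-map does not act on it."""
    return acl_lookup(entries, src, dst, proto) == "permit"


# Access-list 101 exactly as in the post: exempt the VPN-bound subnet, translate the rest.
ACL_101 = parse_acl([
    "access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 permit ip 192.168.2.0 0.0.0.255 any",
])

REMOTE_DNS_PRIVATE = "192.168.1.10"   # constructed: remote DNS server's private address
REMOTE_DNS_PUBLIC = "198.51.100.53"   # constructed stand-in for the elided 203.xx.xx.xx


def classify(src, dst, proto="udp"):
    """Human-readable verdict for one flow, used by the demo below."""
    return "translated" if nat_applies(ACL_101, src, dst, proto) else "exempt (untranslated, e.g. into the VPN)"


if __name__ == "__main__":
    for dst in (REMOTE_DNS_PRIVATE, REMOTE_DNS_PUBLIC):
        print(f"192.168.2.50 -> {dst}: {classify('192.168.2.50', dst)}")
```

Running the block prints that a query to the remote server's private address is exempt while a query to its public address is translated, which matches the asymmetry described in the post: the route-map decides only whether the NAT statement it is attached to fires for a given flow, and every NAT statement carrying it sees the same verdict.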

1 REPLY

Re: Accessing NAT'd services over an IPSEC VPN - route-map question

Firewall MC translation logic generates one rule apiece for the translated (internal) and globally routable (external) addresses on a PIX Firewall.

Example of an internal rule: access-list acl_mdc_1_authentication_TACACS+ deny tcp object-group Group_FTP host 10.41.0.15 eq ftp

Example of an external rule: access-list acl_mdc_1_authentication_TACACS+ deny tcp object-group Group_FTP host 201.7.1.189 eq ftpan access-list
