LAN to LAN VPN when NAT is used

Hope someone can help. Trying to set up a VPN between my two sites using 1800 series routers. I used SDM to set up the router. The problem is this: I can ping a device at the remote LAN from any workstation, but if I ping from one of my servers, which have a static NAT entry, I cannot.

Thanks

14 REPLIES
Hall of Fame Super Blue

Re: LAN to LAN VPN when NAT is used

Hi

If you are not NATing your workstations but are NATing your servers, have you included the NATed address for the servers in your access-list that defines interesting traffic for the VPN?

If possible could you post configs with any sensitive info removed.

HTH

Jon

Community Member

Re: LAN to LAN VPN when NAT is used

Sure, I have removed keys and IPs for security. Workstations using NAT pool.

Thanks!

Hall of Fame Super Blue

Re: LAN to LAN VPN when NAT is used

Hi

Looking at your config, here's what I think is happening.

1) You have a NAT pool defined for your workstations.

2) This NAT pool is tied to a route-map. The route-map says don't use this NAT pool for any traffic from
   192.168.1.0/24 to 192.168.2.0/24 and
   192.168.1.0/24 to 192.168.3.0/24

3) 192.168.2.0/24 and 192.168.3.0/24 are the remote subnets at the end of your IPsec VPNs.

So when your workstations send traffic to either 192.168.2.0/24 or 192.168.3.0/24 they don't get NATed.

Your servers, however, are statically NATed, so they do get NATed. The NAT takes place before the traffic gets matched against the VPN traffic, and your VPN traffic is defined as
   192.168.1.0/24 -> 192.168.2.0/24 (access-list 103)
   192.168.1.0/24 -> 192.168.3.0/24 (access-list 105).

The servers will never match these access-lists.

On a PIX/ASA device you could exclude the servers from being NATed if they are going down the VPN. You could try applying a route-map to the static NAT statements, saying only NAT the servers if they are not going to 192.168.2.0/24 or 192.168.3.0/24, but I'm not sure this will work. (I can check tomorrow when I'm back at work, but you could try anyway.)

If this doesn't work, what you could do is expand access-lists 103 and 105 to include the NATed server IP addresses. You will need to make sure the access-lists are also modified on the remote site routers.

HTH

Jon

Community Member

Re: LAN to LAN VPN when NAT is used

Thanks Jon,

I think you're looking in the right direction. That's what I thought. I'll see what I can come up with, but please do check when you get back to work, I would greatly appreciate it!

Thanks again.

Community Member

Re: LAN to LAN VPN when NAT is used

I found documentation that says I can enter "route-map" at the end of the static entry.

For example:

ip nat inside source static 192.168.1.3 "ip-removed" route-map SDM_RMAP_1

That should make the traffic for the static NAT look at the "SDM_RMAP_1" ACL.

I'll give it a try tonight.

Hall of Fame Super Blue

Re: LAN to LAN VPN when NAT is used

Okay. Let me know how it goes :-)

Community Member

Re: LAN to LAN VPN when NAT is used

Nah, that didn't work either. Don't understand this. I do work for another company that uses 2600 series and the config is almost identical except for a virtual interface and that router is connecting to a Linksys.

Very strange. Please let me know what you find out.

Hall of Fame Super Blue

Re: LAN to LAN VPN when NAT is used

Hi

Bad news. Did you try adding just one of the servers' public IP addresses into your crypto map access-list on the devices at both ends?

Jon

Community Member

Re: LAN to LAN VPN when NAT is used

Looks like it did work. Along with pinging FROM a server that was NATed, I was also pinging TO a server that was NATed on the remote LAN, and I had not added the route-map command on that static NAT.

Thanks again for your help!

Bob M.
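The fix Jon outlined and Bob confirmed, written out as an added example (these are not the configs posted in this thread): the ACL name NAT_VPN_EXEMPT, the route-map sequence number and the public address 203.0.113.10 are constructed placeholders, while the subnets, access-lists 103/105 and the route-map name SDM_RMAP_1 are the thread's own. The same route-map treatment is needed on the static NAT entries at the remote site.

```cisco
! Added example, not the thread's posted configuration.
! 203.0.113.10 is a constructed placeholder for the server's public address.
!
! BEFORE: plain static NAT. IOS translates the inside source before the
! crypto map is consulted, so packets from 192.168.1.3 leave as
! 203.0.113.10 and never match crypto ACL 103 or 105.
ip nat inside source static 192.168.1.3 203.0.113.10
!
! AFTER: the same route-map SDM uses for the pool is applied to the
! static entry. The deny lines stop translation for VPN-bound traffic,
! the final permit keeps Internet-bound traffic translated.
ip access-list extended NAT_VPN_EXEMPT
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 10
 match ip address NAT_VPN_EXEMPT
!
ip nat inside source static 192.168.1.3 203.0.113.10 route-map SDM_RMAP_1
!
! Crypto ACLs stay private-to-private; mirror them on the remote router.
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
```

After a ping from 192.168.1.3 to the remote subnet, "show crypto ipsec sa" should show encaps/decaps counters rising, and "show ip nat translations" should show no entry for that flow.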

Hall of Fame Super Blue

Re: LAN to LAN VPN when NAT is used

And just when I had it all set up to test :-)

No problem, glad it worked

Jon

Community Member

Re: LAN to LAN VPN when NAT is used

Sorry about that!

I don't understand why SDM can make the necessary NAT change for the address pool when setting up, but not for static entries.

Community Member

Re: LAN to LAN VPN when NAT is used

Whoops,

Thought we solved the problem, but not so quick. Looks like I can ping from site to site, but that's all I can do. Can't get to remote servers, websites, printers, etc.

Any ideas why I'm having this problem?

Hall of Fame Super Blue

Re: LAN to LAN VPN when NAT is used

Hi

Are you running CBAC on the remote 1800? Can you send me the config for the remote site as well?

It might be what you have in your access-list on the outside interface of your remote router. Remember you need to allow the traffic through on this access-list and you need to refer to the correct IP addresses.

Jon

Community Member

Re: LAN to LAN VPN when NAT is used

Hi Jon,

Turned out to be an MTU issue. Added "crypto ipsec df-bit clear" in global config and now I can access remote subnets with no problems.

I do have one last problem, and that is I cannot VPN to an internal Windows Server using PPTP. Internet access to NATed www, mail, DNS, etc. is all working perfectly. Can't seem to figure this one out. I've tried just about everything.

Here is my current config at one of my locations.

Thanks again Jon and if you see any other issues, please do let me know.

Bob M.
