Re: NAT and VPN

bbellamy · ‎02-19-2003

Please can someone help, this is driving me crazy. I can successfully connect to my cisco 2621 via the cisco VPN client but can only contact the systems that dont have the default route set as 10.1.1.3.

How can I modify the config so I can contact the systems in the 101 poilcy via VPN? I know that NAT is causing the problem as when i debug a telnet session to 10.1.2.1 its being translated as 21X.X.X.X.

I'd be very grateful for the input,

Kind Regards,

Bryan

CONFIG:

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group XXXXXX

key XXXXXX

pool nicvpnpool

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

!

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

isdn switch-type basic-net3

isdn voice-call-failure 0

!

mta receive maximum-recipients 0

!

interface FastEthernet0/0

ip address 10.1.1.3 255.255.0.0

ip nat inside

ip policy route-map niclan

duplex auto

speed auto

no cdp enable

!

interface FastEthernet0/1

description Kingston Internet

ip address 21X.X.X.X 255.255.XXX.XXX

ip nat outside

duplex auto

speed auto

no cdp enable

crypto map clientmap

!

ip local pool nicvpnpool 10.2.1.1 10.2.1.254

ip nat translation timeout 119

ip nat inside source list 101 interface FastEthernet0/1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 21X.XXX.XXX.XXX permanent

no ip http server

!

access-list 101 remark Internet

access-list 101 permit ip 10.1.4.0 0.0.0.255 any

access-list 101 permit ip 10.1.3.0 0.0.0.255 any

!

route-map niclan permit 5

match ip address 101

set default interface FastEthernet0/1

!

radius-server authorization permit missing Service-Type

no call rsvp-sync

!

mgcp profile default

!

dial-peer cor custom

!

banner login

########################################

# #

# UNAUTHORISED ACCESS PROHIBITED #

########################################

!

line con 0

exec-timeout 0 0

privilege level 0

password 7 XXXXXXXXXXXX

line aux 0

line vty 0 4

access-class 2 in

exec-timeout 0 0

privilege level 0

password 7 XXXXXXXXXX

!

end

jfrahim · ‎02-19-2003

Hi there,

What you need to do is:

no ip nat inside source list 101 interface FastEthernet0/1 overload

interface FastEthernet0/0

no ip policy route-map niclan

then:

access-list 111 deny ip 10.1.4.0 0.0.0.255 10.2.1.0 0.0.0.255

access-list 111 deny ip 10.1.3.0 0.0.0.255 10.2.1.0 0.0.0.255

access-list 111 permit ip 10.1.4.0 0.0.0.255 any

access-list 111 permit ip 10.1.3.0 0.0.0.255 any

route-map nonat permit 10

match ip address 111

ip nat inside source route-map nonat interface FastEthernet0/1 overload

Hope that helps

Jazib

bbellamy · ‎02-20-2003

Many thanks, that kinda works but my Dialer was not working. He's a more detailed config. Many thanks in advance for your time.

!

version 12.2

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname NIC-RTR2

!

enable secret 5 $1$XXXXXXXXXX//

!

username rtrXXXXX privilege 0 password 7 0XXXXXXX

username nicXXX password 7 0XXXXXXX

aaa new-model

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

aaa session-id common

ip subnet-zero

!

ip domain name nic.XXXXXXX

ip name-server 10.1.5.1

!

ip audit notify log

ip audit po max-events 100

!

crypto isakmp policy 3

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp client configuration group 56client

key cisco1111223

dns 10.1.5.1

domain nic.XXXXXX

pool nicvpnpool

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

!

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

isdn switch-type basic-net3

isdn voice-call-failure 0

!

mta receive maximum-recipients 0

!

interface FastEthernet0/0

description NICLAN

ip address 10.20.1.5 255.255.0.0 secondary

ip address 10.1.1.3 255.255.0.0

ip nat inside

ip policy route-map niclan

duplex auto

speed auto

no cdp enable

!

interface FastEthernet0/1

description Kingston Internet

ip address 213.XXXXX 255.XXXXX

ip nat outside

duplex auto

speed auto

no cdp enable

crypto map clientmap

!

interface Serial0/1

no ip address

ip broadcast-address 0.0.0.0

shutdown

!

interface BRI1/0

no ip address

encapsulation ppp

dialer pool-member 1

isdn switch-type basic-net3

no cdp enable

!

interface BRI1/1

no ip address

ip broadcast-address 0.0.0.0

shutdown

isdn switch-type basic-net3

!

interface BRI1/2

no ip address

ip broadcast-address 0.0.0.0

shutdown

isdn switch-type basic-net3

!

interface BRI1/3

no ip address

ip broadcast-address 0.0.0.0

shutdown

isdn switch-type basic-net3

!

interface Dialer2

description ISDN to Demon

ip address negotiated

ip nat outside

encapsulation ppp

dialer pool 1

dialer idle-timeout 180

dialer string 08440416672

dialer-group 2

no cdp enable

ppp authentication chap pap callin

ppp chap hostname XXXXX

ppp chap password 7 1XXXXXXXXX2

ppp pap sent-username pXXX password 7 1XXXXXXX

!

ip local pool nicvpnpool 10.2.1.1 10.2.1.254

ip nat translation timeout 119

ip nat inside source list 101 interface FastEthernet0/1 overload

ip nat inside source list 104 interface Dialer2 overload

ip nat inside source static tcp 10.1.5.1 25 interface Dialer2 25

ip classless

ip route 0.0.0.0 0.0.0.0 213.XXXXX permanent

ip route 10.150.0.0 255.255.0.0 10.1.1.1 permanent

ip route 139.85.104.0 255.255.255.0 10.1.1.20 permanent

ip route 139.85.128.0 255.255.255.0 10.1.1.20 permanent

ip route 172.22.0.0 255.255.0.0 10.1.1.20 permanent

no ip http server

!

ip access-list extended BRI1/0:1

ip access-list extended default-domain

ip access-list extended dns-servers

ip access-list extended idletime

ip access-list extended inacl

ip access-list extended key-exchange

ip access-list extended nicvpnpool

!

logging 10.1.2.1

access-list 2 remark Addresses permitted to telnet to NIC-RTR2

access-list 2 permit 10.1.3.0 0.0.0.255

access-list 2 permit 10.1.4.0 0.0.0.255

access-list 101 remark Kingston Internet

access-list 101 permit ip host 10.1.45.5 any

access-list 101 permit ip 10.1.4.0 0.0.0.255 any

access-list 101 permit ip 10.1.3.0 0.0.0.255 any

access-list 101 permit ip host 10.20.1.3 any

access-list 101 permit ip host 10.1.2.1 any

access-list 104 remark Addresses permitted to access Demon

access-list 104 permit ip host 10.20.1.2 any

access-list 104 permit ip host 10.1.5.1 any

access-list 111 deny ip 10.1.3.0 0.0.0.255 10.2.1.0 0.0.0.255

access-list 111 deny ip 10.1.4.0 0.0.0.255 10.2.1.0 0.0.0.255

access-list 111 deny ip host 10.1.2.1 10.2.1.0 0.0.0.255

access-list 111 deny ip host 10.1.45.5 10.2.1.0 0.0.0.255

access-list 111 deny ip host 10.20.1.3 10.2.1.0 0.0.0.255

access-list 111 permit ip 10.1.3.0 0.0.0.255 any

access-list 111 permit ip 10.1.4.0 0.0.0.255 any

access-list 111 permit ip host 10.1.2.1 any

access-list 111 permit ip host 10.1.45.5 any

access-list 111 permit ip host 10.20.1.3 any

dialer-list 2 protocol ip permit

!

route-map niclan permit 5

match ip address 101

set default interface FastEthernet0/1

!

route-map niclan permit 20

match ip address 104

set default interface Dialer2

!

radius-server authorization permit missing Service-Type

no call rsvp-sync

!

mgcp profile default

!

dial-peer cor custom

!

banner login

########################################

!

line con 0

exec-timeout 0 0

privilege level 0

password 7 0505091B32425D05

line aux 0

line vty 0 4

access-class 2 in

exec-timeout 0 0

privilege level 0

password 7 1XXXXXXXX6

!

end