09-22-2003 04:38 AM - edited 02-21-2020 12:47 PM
Hi,
The VPN client is able to authenticate with no problems and I can ping the Ethernet interface of the router and other devices once connected.
The problem arises when I try to get to the mail server. I try to telnet to the internal IP of the server, 192.0.0.5, on port 25 to ascertain that I can establish an SMTP connection. Once I try this I can no longer ping anything on the LAN. If I disconnect the VPN session and connect again I can ping the LAN devices again, until I try to access the mail server.
As you will be able to see in the config below, I have created an access list (ACL 101) for split tunnelling and a no-NAT rule (ACL 105) so that the traffic over the VPN is not NATed for connections to the mail server over the VPN.
The mail server has a 1-to-1 NAT set up for SMTP and this is working fine from all external sources; the problem is only when I am using a VPN client connection to it.
I have tried client versions 4.01 and 3.6.2 for the connection and the IOS version I am using is c1700-k9o3sy7-mz.122-13.T3
Regards
Leigh Maxwell
Are there any problems that may be apparent in either what is being attempted or possibly the IOS version etc?
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
ip cef
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnsession
 key xxxxx
 pool ippool
 acl 101
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
 ip address 192.0.0.27 255.255.255.0
 ip access-group 122 out
 ip nat inside
 speed auto
!
interface Dialer1
 ip address 217.x.x.x 255.255.255.248
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 dialer pool 1
 ppp chap hostname xxx
 ppp chap password xxx
 ppp pap sent-username xxx password xxx
 crypto map clientmap
!
ip local pool ippool 192.168.1.0 192.168.1.254
ip nat pool branch 217.x.x.x 217.x.x.x netmask 255.255.255.248
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static 192.0.0.5 217.x.x.x
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.1.1.0 255.255.255.0 192.0.0.6
ip http server
ip pim bidir-enable
!
ip access-list extended protocol
ip access-list extended service
!
no logging trap
access-list 1 permit 192.0.0.0 0.0.0.255
access-list 1 permit 192.1.1.0 0.0.0.255
access-list 20 permit 62.6.171.128 0.0.0.15
access-list 20 permit 192.0.0.0 0.0.0.255
access-list 101 permit ip 192.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 deny ip 192.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 permit ip 192.0.0.0 0.0.0.255 any
access-list 111 permit tcp any host 217.x.x.x eq smtp
access-list 111 permit ip 192.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.0.0.0 0.0.0.255
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any log
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
!
route-map nonat permit 10
 match ip address 105
09-22-2003 04:53 AM
Have you been checking the Transport | Allow Local LAN Access checkbox?
Thanks
Atul.
09-22-2003 06:29 AM
I have not been using that option, as the client does not need to access anything on his LAN when connected to the HQ over the VPN tunnel.
Thanks
Leigh
09-24-2003 06:40 AM
Hi!
> access-list 101 permit ip 192.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
Why do you enable split tunneling for this ACL? The split-tunnel ACL is used to denote traffic that's NOT sent to the tunnel from the client end...
Try taking that off...
SVu
12-11-2003 04:13 PM
Did you find a solution? It seems that the static NAT is processed before the VPN, so the mail server's IP address is translated before it goes through the encryption process and the client can no longer talk to the inside address. Is there an IOS fix for this "feature"? It can be done on a PIX, so there should be something to fix this on an IOS router. Can anyone help? I can't find any solutions on Cisco's site, but this must be a common scenario.
You can fix it for dynamic NAT but not for static, as far as I can see.
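The ordering problem described in this post (inside-to-outside NAT runs before the crypto map check, so the server's source address is already 217.x.x.x by the time the reply to the VPN client is encrypted) is the same one the original poster's route-map already handles for the dynamic (overload) translation. The following is an added example, not configuration from anyone in this thread: it binds the static translation for 192.0.0.5 to the same `nonat` route-map, reusing the addresses and ACL 105 from the original post. It assumes the IOS image in use accepts the `route-map` keyword on `ip nat inside source static` (an assumption to verify with `?` at the CLI on the router's own release).

```ios
! Added example; not the configuration of any poster in this thread.
! Goal: keep 192.0.0.5 untranslated when it talks to the VPN client pool
! (192.168.1.0/24), so replies to a connected client are encrypted with the
! real inside address as source, while SMTP from the Internet is still
! translated to 217.x.x.x as before.
!
! Assumption: this IOS image accepts "route-map" on a static translation.
!
! ACL 105 and route-map nonat are taken from the original post: LAN -> pool
! traffic is denied (exempt from NAT), everything else from the LAN is NATed.
access-list 105 deny   ip 192.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 permit ip 192.0.0.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 105
!
! The unconditional static line from the original post translates 192.0.0.5
! before the crypto map ever sees the packet. Replace it with one that is
! subject to the same exemption as the dynamic translation.
no ip nat inside source static 192.0.0.5 217.x.x.x
ip nat inside source static 192.0.0.5 217.x.x.x route-map nonat
!
! Checks, with a VPN client connected and a telnet to 192.0.0.5 port 25 open:
!  - no translation entry pairing 192.0.0.5 with a 192.168.1.x client address
!  - the IPsec SA counters for the client's tunnel keep increasing
!  - an SMTP connection from an outside host to 217.x.x.x still works
show ip nat translations
show crypto ipsec sa
```

After the change, verify inbound SMTP from the Internet as well as the VPN path: how a route-map affects outside-initiated sessions on a static translation varies between IOS releases, so the external check is part of the test, not an afterthought.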