The VPN client is able to authenticate with no problems and I can ping the Ethernet interface of the router and other devices once connected.
The problem arises when I try to get to the mail server. I telnet to the internal IP of the server, 192.0.0.5, on port 25 to ascertain that I can establish an SMTP connection. Once I try this, I can no longer ping anything on the LAN. If I disconnect the VPN session and connect again, I can ping the LAN devices again until I try to access the mail server.
As you will be able to see in the config below, I have created an access list (ACL 101) for split tunnelling and a no-NAT rule (ACL 105) so that the traffic over the VPN is not NATed for connections to the mail server over the VPN.
The mail server has a 1-to-1 NAT set up for SMTP, and this is working fine from all external sources; the problem is when I am using a VPN client connection to it.
I have tried client versions 4.01 and 3.6.2 for the connection, and the IOS version I am using is c1700-k9o3sy7-mz.122-13.T3.
Are there any problems that may be apparent in either what is being attempted or possibly the IOS version etc?
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
crypto isakmp policy 3
crypto isakmp client configuration group vpnsession
Did you find a solution? It seems that the static NAT is processed before the VPN so that the mail server IP address is translated before it goes through the encryption process, so the client can no longer talk to the inside address. Is there an IOS fix for this "feature". It can be done on a PIX so there should be something to fix this on an IOS router. Can anyone help? I can't find any solutions on Cisco's site but this must be a common scenario.
You can fix it for dynamic NAT but not for static, as far as I can see.
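As an added, constructed illustration of the NAT-exemption pattern discussed in this thread (not the poster's running config and not code from either reply): the split-tunnel ACL 101 and the no-NAT ACL 105 are tied together through a route-map so that LAN-to-VPN-client traffic is never translated before it reaches the crypto engine. Assumptions: the client pool 192.0.1.0/24, the interface names and public address in angle brackets, and that this IOS release accepts the route-map keyword on the static entry for 192.0.0.5 (the reply above reports this only working for dynamic NAT).

```cisco
! Constructed example, not the poster's running config. Placeholders in <angle brackets>.
! Address pool handed out to VPN clients (assumption: 192.0.1.0/24 is unused on the LAN).
ip local pool vpnpool 192.0.1.1 192.0.1.50
!
crypto isakmp client configuration group vpnsession
 key <group-preshared-key>
 pool vpnpool
 acl 101
!
! ACL 101: split tunnel. Only traffic to LAN 192.0.0.0/24 is sent through the tunnel.
access-list 101 permit ip 192.0.0.0 0.0.0.255 192.0.1.0 0.0.0.255
!
! ACL 105: NAT exemption. deny = do not translate LAN-to-VPN-client traffic;
! permit = translate everything else that leaves for the Internet.
access-list 105 deny   ip 192.0.0.0 0.0.0.255 192.0.1.0 0.0.0.255
access-list 105 permit ip 192.0.0.0 0.0.0.255 any
!
route-map NONAT permit 10
 match ip address 105
!
! Dynamic PAT for the LAN, bound to the route-map instead of a bare ACL.
ip nat inside source route-map NONAT interface <outside-interface> overload
!
! Static 1-to-1 mapping for the mail server. The route-map keyword on this line is an
! assumption about this IOS release; without it the translation is applied before
! encryption and a connected VPN client cannot reach 192.0.0.5 on its inside address.
ip nat inside source static 192.0.0.5 <public-mail-ip> route-map NONAT
!
interface <inside-interface>
 ip nat inside
interface <outside-interface>
 ip nat outside
```

Verify from a connected client with show ip nat translations (no entry should appear for 192.0.0.5 toward the pool address) and show crypto ipsec sa (encrypt/decrypt counters should increase on the client's SA); if the static line rejects the route-map keyword on this release, the limitation described in the reply above applies.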