VPN Client Needs to Connect to Inside Global IP Address vs Outside Global
VPN Client Needs to Connect to Inside Global IP Address versus using Serial Outside Global IP Address.
Our company has a customer that has a Sprint T1 to the internet. The customer has recently requested that we configure their current Cisco 2621XM router to support Cisco VPN Client connectivity.
The router does have the required VPN feature set, and I configured the router the same way I had for all the other VPN client configurations that we have done, but for this customer, it did not work.
After some troubleshooting, I found out that Sprint does not route traffic destined for the customer's serial outside global IP address. The rest of the internet does, but the packet gets dropped by the first Sprint router it hits.
Therefore, Sprint only fully routes packets that are destined for the Sprint assigned Inside Global IP address range.
I have configured a test lab to experiment with, that emulates the customer's router, the internet, and a remote VPN client. When the VPN client aims its tunnel at an inside global IP address, the best I can get is that the tunnel does build, but no traffic flows. If I only change the VPN client to aim at the outside global IP, the tunnel builds, and traffic does flow great. But I have to get it working with the Inside Global IP, not the Outside Global IP.
Has anyone else run into this problem, or does anyone at all know how to modify the programming of the router so that packets can correctly flow through a VPN tunnel built to an inside global IP address?
The actual IP address assigned to the FastEthernet LAN interface is a private 192.168.1.x /24 address. There is no actual interface that has any of the Inside Global IP addresses physically assigned. Most of the Inside Global IP addresses are statically NAT mapped to internal private hosts. There are a few Inside Global IP addresses available for use.
I just have no idea what to do with the Cisco Router programming to adjust for the different address that the VPN client must aim at.
I have all the current programming I have tried thus far that I can cut and paste here if necessary. Just posting this now to see if anyone responds and thinks they may be able to help.
Re: VPN Client Needs to Connect to Inside Global IP Address vs O
Have you tried applying the command
crypto map MAP-NAME local-address INTERFACE
Does the router have any globally routable addresses attached to any interface? If so, use that interface in the above command.
I'm thinking here that the tunnel from the router to the client is using the outside address of the router as its source, but the client is using another address to connect to. So the client connects to one address but its replies come from another. If this was the case I'm not sure if the tunnel would even come up though.
The other problem this could be due to is that the tunnel crosses a NAT/PAT boundary, in which case NAT-T is required.
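As an added illustration of the suggestion above (example configuration, not anything posted in this thread), the following assumes Serial0/0 is the Sprint-facing interface, FastEthernet0/0 is the LAN, the crypto map is named MAP-NAME, 203.0.113.10 stands in for one of the spare Sprint-assigned inside global addresses, and 192.168.100.0/24 is the VPN client address pool:

```ios
! Example only, not from the original thread. Interface names, the crypto map
! name, 203.0.113.10 (placeholder, documentation range) and the client pool
! 192.168.100.0/24 are all assumptions.
!
! Put a spare inside global address on a loopback so the router owns an
! address that Sprint actually routes.
interface Loopback0
 ip address 203.0.113.10 255.255.255.255
!
! Make IKE/IPsec source from, and answer on, the loopback rather than the
! serial address. The crypto map itself still goes on the serial interface.
crypto map MAP-NAME local-address Loopback0
!
interface Serial0/0
 ip nat outside
 crypto map MAP-NAME
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Keep decrypted client traffic out of the dynamic overload translation:
! LAN -> client pool is denied before the permit that drives NAT. A "tunnel
! up, no traffic" symptom is often LAN replies being translated and so no
! longer matching the tunnel. Existing static mappings are left as they are.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface Serial0/0 overload
!
! Checks: the local endpoint shown should now be the loopback address.
! show crypto isakmp sa
! show crypto ipsec sa | include local crypto endpt
```

If the client sits behind a NAT/PAT device as well, NAT-T (UDP 4500) must additionally be permitted through to the loopback address.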