VPN and Static NAT problem

rasoftware
Level 1

I have a problem which I have seen on several posts and also in this article.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

When I configure this as explained I am able to RDP from both external and via the VPN tunnel, but I lose internet access from the server I am RDP to.

Below are the relevant sections of my config. I am on network 192.100.150.0/24 and the remote is 192.168.0.0/24.

ip nat inside source route-map InsideNAT interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.10 3389 217.37.253.100 3389 extendable
route-map AllowRDP permit 10
match ip address 150
!
route-map InsideNAT permit 10
match ip address 100
access-list 150 deny tcp host 192.168.0.10 eq 3389 192.100.150.0 0.0.0.255 eq 3389
access-list 150 permit ip host 192.168.0.10 any
access-list 100 remark SDM_ACL Category=18
access-list 100 remark IPSec Rule
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.100.150.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any

What I tried was...

ip nat inside source static tcp 192.168.0.10 3389 217.37.253.100 3389 route-map AllowRDP extendable

instead of the above, as I understand static NAT takes precedence.

I don't understand why I can't access the internet from the machine I am RDPing to. Without the route-map AllowRDP it works great.


10 Replies

Edison Ortiz
Hall of Fame

Can you post a debug from that route-map?

How do I get that output? Thanks

#debug ip packet 150 detail

I get this from term mon with debug on, with the static translation with route-map AllowRDP appended to the end (no internet when this is on):

*Mar 14 01:33:26.254: IP: s=192.168.0.10 (local), d=66.249.93.147 (FastEthernet4), len 40, sending
*Mar 14 01:33:26.254: TCP src=2290, dst=80, seq=3048191981, ack=0, win=0 RST
*Mar 14 01:33:31.366: IP: tableid=0, s=192.168.0.10 (Vlan1), d=192.168.0.255 (Vlan1), routed via RIB
*Mar 14 01:33:31.366: IP: s=192.168.0.10 (Vlan1), d=192.168.0.255 (Vlan1), len 78, rcvd 3
*Mar 14 01:33:31.366: UDP src=137, dst=137
*Mar 14 01:33:32.118: IP: tableid=0, s=192.168.0.10 (Vlan1), d=192.168.0.255 (Vlan1), routed via RIB
*Mar 14 01:33:32.118: IP: s=192.168.0.10 (Vlan1), d=192.168.0.255 (Vlan1), len 78, rcvd 3
*Mar 14 01:33:32.118: UDP src=137, dst=137
*Mar 14 01:33:32.866: IP: tableid=0, s=192.168.0.10 (Vlan1), d=192.168.0.255 (Vlan1), routed via RIB
*Mar 14 01:33:32.866: IP: s=192.168.0.10 (Vlan1), d=192.168.0.255 (Vlan1), len 78, rcvd 3
*Mar 14 01:33:32.866: UDP src=137, dst=137

According to

*Mar 14 01:33:26.254: IP: s=192.168.0.10 (local), d=66.249.93.147 (FastEthernet4), len 40, sending
*Mar 14 01:33:26.254: TCP src=2290, dst=80, seq=3048191981, ack=0, win=0 RST

the packet is being sent. Can you post the

show ip nat trans

Also, you only lose internet for the 0.10 device and not the rest, correct?

I checked and no translations appeared when it was failing to connect to the web. I'm not locally on the site, but I would have thought it's just the .10 that can't connect.

So the overload and static translation do not show up while typing 'show ip nat trans'?

That's really strange.

Can you verify when you get to the site?

Hi, sorry, yes it does show the statics; what I meant was no new translations were added. I have these (when connected via RDP).

Pro Inside global Inside local Outside local Outside global
tcp 217.37.253.100:3389 192.168.0.10:3389 81.178.198.219:2202 81.178.198.219:2202
tcp 217.37.253.100:3389 192.168.0.10:3389 --- ---

Bob,

I believe I know what the problem is.

When you don't use the route-map, the static nat only checks for packets with source port 3389 and translates them to the external IP. Other ports fall under the InsideNAT route-map.

When you use the route-map AllowRDP, you are matching all ip packets from 192.168.0.10 to any host and then you are trying to NAT them within the static nat statement, which allows only port 3389.

For this to work with the route-map, you need to do the following:

Either do a static nat with all ports included

or

have this command in acl 150

access-list 150 deny tcp host 192.168.0.10 eq 3389 192.100.150.0 0.0.0.255 eq 3389
access-list 150 permit tcp host 192.168.0.10 eq 3389 any 3389

The rest of the packets will match ACL 100.

______

Please rate helpful posts.

Thanks
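As an added illustration (not from this thread or from Cisco), the following Python model walks through the rule selection Edison describes: ACL 150 drives the static entry's route-map, ACL 100 drives the overload route-map, and the static entry can translate only tcp/3389. It assumes static entries are consulted before the overload rule, ignores the translation-table lookup for established flows, and reads the reply's "any 3389" as an unconstrained destination; all three are simplifications made here.

```python
from collections import namedtuple
import ipaddress

# Constructed model of the NAT rule selection described in this thread, not
# Cisco's implementation: static entries are checked first, and a static entry
# with a route-map translates only its own protocol and port.
Packet = namedtuple("Packet", "proto src sport dst dport")

def ip_ok(spec, addr):
    """'any', 'host A' or 'A WILDCARD' (wildcard bits set to 1 are ignored)."""
    if spec == "any":
        return True
    net, _, wild = spec.removeprefix("host ").partition(" ")
    a, n = (int(ipaddress.IPv4Address(x)) for x in (addr, net))
    w = int(ipaddress.IPv4Address(wild or "0.0.0.0"))
    return (a & ~w) == (n & ~w)

def acl_permits(acl, pkt):
    """First matching ACE wins; port None means any; implicit deny at the end."""
    for action, proto, src, sport, dst, dport in acl:
        if (proto in ("ip", pkt.proto) and ip_ok(src, pkt.src) and ip_ok(dst, pkt.dst)
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)):
            return action == "permit"
    return False

# ACLs from the thread: route-map AllowRDP uses 150, route-map InsideNAT uses 100
ACL_150_ORIGINAL = [
    ("deny", "tcp", "host 192.168.0.10", 3389, "192.100.150.0 0.0.0.255", 3389),
    ("permit", "ip", "host 192.168.0.10", None, "any", None),
]
ACL_150_FIXED = [  # the reply's trailing "any 3389" is modelled as destination "any" (assumption)
    ("deny", "tcp", "host 192.168.0.10", 3389, "192.100.150.0 0.0.0.255", 3389),
    ("permit", "tcp", "host 192.168.0.10", 3389, "any", None),
]
ACL_100 = [
    ("deny", "ip", "192.168.0.0 0.0.0.255", None, "192.100.150.0 0.0.0.255", None),
    ("permit", "ip", "192.168.0.0 0.0.0.255", None, "any", None),
]
STATIC_INSIDE_LOCAL = ("tcp", "192.168.0.10", 3389)   # ip nat inside source static tcp ...

def nat_decision(pkt, acl150):
    """Which NAT rule handles an inside-to-outside packet under the given ACL 150."""
    if acl_permits(acl150, pkt):             # route-map AllowRDP selected the packet
        if (pkt.proto, pkt.src, pkt.sport) == STATIC_INSIDE_LOCAL:
            return "static -> 217.37.253.100:3389"
        return "untranslated: AllowRDP matched but the static entry covers only tcp/3389"
    if acl_permits(ACL_100, pkt):            # route-map InsideNAT selected the packet
        return "overload -> FastEthernet4 address"
    return "no NAT: left untranslated for the VPN tunnel"
```

The HTTP packet from the debug output (source port 2290 to port 80) is the case that gets stuck with the original ACL 150 and falls through to the overload rule with the corrected one.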

Thank you very much - it now works via static NAT and VPN.

The appended route-map now makes sense!

Rob
