VPN Client and static NAT entries conflicting

graham.fleming
Level 1

Hello, we have an IPSEC VPN set up on a router for remote access. This works very well, mostly. We also have a few static PAT entries for allowing access to a web server etc. from the outside. We deny NATing from the private IP range to the VPN client range, and this works except for the entries that also have the PAT configurations.

So, for instance, we have web server 10.0.0.1 and a PAT forwarding port 10.0.0.1:80 to the WAN IP port 80. If a VPN client tries to connect to 10.0.0.1:80, the syn-ack packet comes back to the VPN client from the router's WAN IP! If the VPN client connects to RDP server 10.0.0.2:3389, it works fine, as this server doesn't have a static PAT entry.


Is there a way around this?

Thanks!

Accepted Solution

Ivan Martinon
Level 7

There is a way around: use the same settings you have for your dynamic NAT in your static NAT entries, something like this.

Currently it should look like:

ip nat inside source static tcp XXXX 80 XXXX 80

You would need to change it to:

ip nat inside source static tcp XXXX 80 XXXX 80 route-map YYYY

where your route-map YYYY is something defined with an ACL where you deny traffic from the inside of your router to the VPN pool (the VPN pool network and wildcard below are placeholders, fill in your own):

ip access-list extended nonat
    deny ip 10.0.0.0 0.0.0.255 <vpn-pool-network> <vpn-pool-wildcard>
    permit ip 10.0.0.0 0.0.0.255 any
route-map YYYY permit 10
    match ip address nonat

Same for all the static PAT entries you need.

HTH

Ivan

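To make the mechanics of the accepted answer concrete, here is a small Python model of IOS inside-source NAT evaluation (an added example, not code from the original thread or from Cisco): it evaluates a wildcard-mask extended ACL with first-match semantics, gates a static PAT entry behind a route-map, and shows that the reply from 10.0.0.1:80 to a VPN client keeps the WAN IP as its source until the route-map is attached. The VPN pool 192.168.100.0/24, the WAN address 203.0.113.10 and the client/Internet addresses are constructed values.

```python
"""Simplified model of Cisco IOS 'ip nat inside source' evaluation.
Added example; VPN pool, WAN IP and host addresses are constructed."""
from ipaddress import IPv4Address


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care' for that bit."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(net)) & care)


# Extended ACL from the answer, with the VPN pool as destination (first match wins).
NONAT_ACL = [
    ("deny",   "10.0.0.0", "0.0.0.255", "192.168.100.0", "0.0.0.255"),      # inside -> VPN pool
    ("permit", "10.0.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),      # inside -> any
]


def acl_permits(acl, src: str, dst: str) -> bool:
    """First-match ACL evaluation with the implicit deny at the end."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False


def translate_outbound(src, sport, dst, static_pat, route_map_acl=None):
    """Inside->outside source translation for one packet.
    static_pat maps (inside_local, port) -> (inside_global, port).
    With a route-map attached, the static entry applies only when the ACL permits."""
    key = (src, sport)
    if key not in static_pat:
        return src, sport                      # no static entry: untouched
    if route_map_acl is not None and not acl_permits(route_map_acl, src, dst):
        return src, sport                      # route-map denies: no translation
    return static_pat[key]                     # translate to inside global


# ip nat inside source static tcp 10.0.0.1 80 203.0.113.10 80
STATIC_PAT = {("10.0.0.1", 80): ("203.0.113.10", 80)}


def demo():
    """Reply (SYN-ACK) from the web server: before the fix, after it, and to the Internet."""
    vpn_client, internet_host = "192.168.100.5", "198.51.100.7"
    before = translate_outbound("10.0.0.1", 80, vpn_client, STATIC_PAT)
    after = translate_outbound("10.0.0.1", 80, vpn_client, STATIC_PAT, NONAT_ACL)
    inet = translate_outbound("10.0.0.1", 80, internet_host, STATIC_PAT, NONAT_ACL)
    return before, after, inet
```

Without the route-map the reply to the VPN client carries the WAN address, which is why the client's TCP handshake fails; with it the packet leaves as 10.0.0.1 while Internet clients still see the published address.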

