Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN with Static NAT

Hi

I have a issue at a client with an IPSEC site to site VPN set up on a Cisco 877 router.  The issue is partially described here http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

but with some differences.

Firstly the client has an SBS Server that static NATs have been configured to port forward 25 and 443 to,

eg: ip nat inside source static tcp 192.168.0.2 25 interface Dialer0 25.

The remote site network is a public IP range not Public , and has rules that restricts the VPN to rdp and web ports from our Private network.

There is an ACL to tell the router not to Nat the private (Our Network) to public (remote site) traffic.  I haven't configured a route map as I actually want the static nat to take precedence

The VPN works fine except for Mail. The remote site has a Mail server that cannot send mail to the SBS Server.  What I see happening is the remote site tries to send mail to our external address using our MX record , this traffic arrives unencrypted and I see the Translation in the show IP Nat translations.  But the connection times out.   When I try to send mail from the SBS server to the remote site,  there is no translation in the table and again the connection times out.  I am assuming that in my case the static translation is not taking  precedence. 

This is confusing me as if Static nat worked as described in the above article without the use of a route map I wouldn't have an issue. 

Has anybody else seen this behavour. 

I read somewhere that NAT access-lists dont work with port numbers.  I was thinking of putting in deny statements based only on the ports allowed over the VPN in the NAT ACL.

Any help would be appreciated.

6 REPLIES
Super Bronze

Re: VPN with Static NAT

From my understanding you would like to use Dialer0 ip address for mail traffic from your remote site which is connected via site-to-site vpn tunnel.

On your crypto ACL, do you have crypto ACL between your Dialer0 and the remote LAN, and mirror image on your remote site?

New Member

Re: VPN with Static NAT

Thanks for the quick reply.

"From my understanding you would like to use Dialer0 ip address for mail traffic from your remote site which is connected via site-to-site vpn tunnel."

Yes I do want to use the Dialer0 ip address for mail traffic to the remote site but I dont want it to go over the VPN as this is restricted at the remote site to rdp and www originating on our Private network.

"On your crypto ACL, do you have crypto ACL between your Dialer0 and the remote LAN, and mirror image on your remote site?"

The Crypto ACL is just between our Private Network and the remote LAN.  The remote site is the same.  Which is why when mail is sent to us to our MX address , the Dialer0 ip address, it is not encrypted.

Hope this clarifies things.

Andy

Re: VPN with Static NAT

Post scrubbed config please.

Super Bronze

Re: VPN with Static NAT

OK, so my initial understanding is incorrect.

Based on your last post, remote site would like to access the mail server on main site not going through the VPN tunnel.

Based on that, your remote site needs to have NAT configured to PAT traffic outbound to the internet.

Can you please share the translation/nat configuration on your remote site.

New Member

Re: VPN with Static NAT

Thanks for your replies -- fixed now,  slightly embarassed to admit it , but after looking at the config for the nth time an entry in the Inside interface access-lists stood out and I removed it -- Static now working as described here.-- http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

Super Bronze

Re: VPN with Static NAT

Great to hear. Thanks.

319
Views
0
Helpful
6
Replies