Easy VPN and NAT Translations

ignaciobajo (Level 1)

Hi, excuse my English, I will try to explain correctly.

I have a Cisco 1800 series router. I configured an Easy VPN Server for access with Cisco VPN Clients. The clients access the local LAN with problems.

Later I needed to configure a PAT to access a server on port 3389 from the public IP. It is running correctly:

ip nat inside source static tcp 192.168.180.2 3389 interface Dialer1 3389

The problem is when a user establishes a VPN connection to the router and tries to access the server 192.168.180.2 on port 3389: the connection is not established. If I try to access from the public IP, the connection is established.

Thank you

25 Replies

Perhaps it is not possible to connect through the VPN and the public IP on the same port simultaneously?

Ok. Looks like it doesn't work as it should.

Let's try another way.


1. Create a dummy interface and set an un-routable IP that is not used in your network, like:

interface Loopback100
 ip address 172.16.1.1 255.255.255.0

2. Create an access list matching the server's 3389 traffic toward the VPN pool, and a route-map that uses it:

ip access-list extended PBR
 permit tcp host 192.168.180.2 eq 3389 10.10.10.0 0.0.0.255

route-map PBR
 match ip address PBR
 set ip next-hop 172.16.1.2

3. Apply the PBR on the LAN interface:

interface Vlan1
 ip policy route-map PBR

HTH,

Lei Tian

It doesn't run.

Ok,

Can you attach the latest

show run

show ip nat translations | include 192.168.180.2

show ip route

with the last modifications?

Yes, please.

Hi Lei Tian,

At this moment all is OK; there was a wrong line in the router configuration.

Thank you for the help.

Excuse me,

I have another issue on the same router.

I would like only the WAN IP v.v.v.v to be able to access the NAT port 3389; the rest of the WAN IPs must be rejected.

This is the route map and access list:

ip local pool SDM_POOL_1 10.10.10.1 10.10.10.20

ip nat inside source route-map ITSA_1 interface Dialer1 overload

ip nat inside source static tcp 192.168.180.2 3389 y.y.y.y 3389 route-map ITSA_2 extendable
!

ip access-list extended ACL_HTTP
deny   ip 192.168.180.0 0.0.0.255 10.10.10.0 0.0.0.255
deny   tcp host 192.168.180.2 eq 3389 any
permit ip 192.168.180.0 0.0.0.255 any
!

access-list 110 deny   ip host 192.168.180.2 10.10.10.0 0.0.0.255
access-list 110 permit tcp host 192.168.180.2 eq 3389 host v.v.v.v eq 3389
no cdp run
!
!
route-map ITSA_1 permit 1
match ip address ACL_HTTP
!
route-map ITSA_2 permit 1
match ip address 110

Hi,

Trying to understand your requirement here. You want only traffic from IP v.v.v.v to be able to access your server 192.168.180.2 on port 3389, and to reject traffic from other IPs to your server?

You can just create an access control list and apply it inbound direction on your WAN interface.

The ACL should look like

ip access-list extended INBOUND
 permit tcp host v.v.v.v host y.y.y.y eq 3389
 deny tcp any host y.y.y.y eq 3389
 permit ip any any

y.y.y.y is the server's public IP; v.v.v.v is the allowed WAN IP.

Please rate if it helps.

Lei Tian
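To check how the two access lists in this thread behave before putting them on a router, here is an added example (not from the thread, and not Cisco's code) that evaluates packets against IOS-style extended ACLs with the real semantics: wildcard masks, first match wins, implicit deny at the end, and `eq` port qualifiers on either end. It models access-list 110 (the route-map on the static 3389 entry, whose design intent is to leave server replies to the VPN pool untranslated) and Lei Tian's proposed INBOUND ACL. The thread's placeholders v.v.v.v and y.y.y.y are stand-ins; the example uses the RFC 5737 documentation addresses 203.0.113.10 and 198.51.100.1 for them (constructed values, as are the sample packets).

```python
"""Added example: first-match evaluator for IOS-style extended ACLs.
Not the thread's or Cisco's code; addresses below are constructed
(RFC 5737 documentation space) in place of the thread's v.v.v.v / y.y.y.y."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALLOWED_WAN_IP = "203.0.113.10"    # stands in for v.v.v.v (the one permitted peer)
SERVER_PUBLIC_IP = "198.51.100.1"  # stands in for y.y.y.y (Dialer1 / static NAT address)
SERVER_INSIDE_IP = "192.168.180.2" # the RDP server from the thread
HOST = "0.0.0.0"                   # wildcard for a single host
ANY = ("0.0.0.0", "255.255.255.255")  # address + wildcard for "any"


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (ip_i & care) == (net_i & care)


@dataclass(frozen=True)
class Ace:
    """One access-list entry; src_port/dst_port model an 'eq N' qualifier."""
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches any protocol, "tcp" only TCP
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.src_port is not None and pkt.sport != ace.src_port:
        return False
    if ace.dst_port is not None and pkt.dport != ace.dst_port:
        return False
    return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# access-list 110 as posted (used by route-map ITSA_2 on the static NAT entry)
ACL_110 = [
    Ace("deny", "ip", SERVER_INSIDE_IP, HOST, "10.10.10.0", "0.0.0.255"),
    Ace("permit", "tcp", SERVER_INSIDE_IP, HOST, ALLOWED_WAN_IP, HOST,
        src_port=3389, dst_port=3389),
]

# Lei Tian's proposed INBOUND ACL for the Dialer1 interface
ACL_INBOUND = [
    Ace("permit", "tcp", ALLOWED_WAN_IP, HOST, SERVER_PUBLIC_IP, HOST, dst_port=3389),
    Ace("deny", "tcp", *ANY, SERVER_PUBLIC_IP, HOST, dst_port=3389),
    Ace("permit", "ip", *ANY, *ANY),
]


def route_map_110_verdict(client_ip: str, client_port: int) -> str:
    """Verdict of ACL 110 on the server's reply from port 3389 to a client."""
    return evaluate(ACL_110, Packet("tcp", SERVER_INSIDE_IP, 3389, client_ip, client_port))


def inbound_verdict(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                    proto: str = "tcp") -> str:
    """Verdict of the INBOUND ACL on a packet arriving on the WAN interface."""
    return evaluate(ACL_INBOUND, Packet(proto, src_ip, src_port, dst_ip, dst_port))


if __name__ == "__main__":
    print("reply to VPN client 10.10.10.5 ->", route_map_110_verdict("10.10.10.5", 51000))
    print("WAN peer to 3389 ->", inbound_verdict(ALLOWED_WAN_IP, 51000, SERVER_PUBLIC_IP, 3389))
    print("other WAN host to 3389 ->", inbound_verdict("203.0.113.99", 51000, SERVER_PUBLIC_IP, 3389))
```

Two things the evaluator makes visible: the first line of ACL 110 denies every server-to-VPN-pool packet, which is exactly what keeps the route-map from applying the static translation to those replies; and the second line qualifies both ends with `eq 3389`, so a reply to a client's ephemeral source port falls through to the implicit deny. Whether that second behaviour is what you intend is worth confirming with `show ip nat translations` on the router. For the INBOUND ACL, note that an inbound ACL on the WAN interface sees the packet before NAT, so the destination is the public address y.y.y.y, not 192.168.180.2.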

It doesn't run:

interface Dialer1
ip address y.y.y.y 255.255.255.192
ip access-group ACCESO_TS_NAT in

ip access-list extended ACCESO_TS_NAT
permit tcp host y.y.y.y host v.v.v.v eq 3389
deny   tcp any host 195.55.94.213 eq 3389
permit ip any any

Excuse me, all is OK.

My config was wrong.

Thank you.
