07-26-2010 09:12 AM - edited 03-04-2019 09:11 AM
Hello,
My customer connects from his laptop to his Cisco 876 using the Cisco VPN client. He then starts an RDP session to the server. Now I want to connect to the same server via the WAN link. I followed this Cisco document: Configuring a Router IPsec Tunnel Private-to-Private Network with NAT and a Static. But for some reason, when I add the line: ip nat inside source static 192.168.37.2 x.x.64.44 route-map RMAP the VPN cannot be established (I'm not asked for the password), but I can then access the server via the WAN link over port 3389. In this line the 192.168.37.2 is the server, the x.x.64.44 is the WAN address. With the access list 110 this line should not NAT the VPN 'RDP traffic' but NAT the RDP traffic to my office.
Here is the configuration
interface Dialer1
ip address negotiated
ip access-group WANFilterInbound in
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username b@xs4all.nl password 7 105D1D1008071B0E5E
crypto map VPN-Map
!
interface Dialer0
no ip address
shutdown
no cdp enable
!
interface BVI1
ip address 192.168.37.20 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool B_POOL_1 10.10.38.1 10.10.38.10
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 150 interface Dialer1 overload
ip nat inside source static tcp 192.168.37.2 25 interface Dialer1 25
ip nat inside source static tcp 192.168.37.2 443 interface Dialer1 443
ip nat inside source static tcp 192.168.37.2 80 interface Dialer1 80
!
ip access-list extended WANFilterInbound
permit ip 10.10.38.1 0.0.0.255 any
permit ahp any any
permit esp any any
permit udp any any eq domain
permit udp any eq domain any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp x.x.229.0 0.0.0.255 any eq 3389
permit tcp 10.10.38.0 0.0.0.255 any eq 3389
permit tcp any any eq smtp
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq ntp
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
!
access-list 110 deny tcp host 192.168.37.2 10.10.38.0 0.0.0.255 eq 3389
access-list 110 permit tcp host 192.168.37.2 any eq 3389
access-list 150 deny ip 192.168.37.0 0.0.0.255 10.10.38.0 0.0.0.255
access-list 150 permit ip 192.168.37.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map RMAP permit 10
match ip address 110
!
So the error I think must be in the access-list 110. 192.168.37.0/24 is the LAN, 10.10.38.0/24 is the vpn pool.
Any help is appreciated,
regards
Marc Henssen
07-26-2010 06:19 PM
Hello,
The access-list 110 is incorrect.
access-list 110 deny tcp host 192.168.37.2 10.10.38.0 0.0.0.255 eq 3389
access-list 110 permit tcp host 192.168.37.2 any eq 3389
In here you are saying that traffic from 192.168.37.2 (any port) to the 10.10.38.0 subnet on port 3389 should be exempted from the NAT rule. The correct format would be:
access-list 110 deny tcp host 192.168.37.2 eq 3389 10.10.38.0 0.0.0.255
access-list 110 permit tcp host 192.168.37.2 eq 3389 any
That should fix the issue.
Hope this helps.
Regards,
NT
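As an added example that is not part of the thread (neither poster's code): a small first-match evaluator for Cisco extended ACL entries, run over the two versions of access-list 110 above. The flows are constructed: an RDP reply leaving the server (source port 3389) towards a VPN client in the 10.10.38.0/24 pool, and one towards an office host. The office address 203.0.113.10 is an assumed placeholder, since the thread only shows x.x.229.0/24. The point it makes visible is the one in the reply: with `eq 3389` on the destination side, a packet whose source port is 3389 matches neither entry and falls through to the implicit deny, so the route-map never permits anything.

```python
"""Cisco IOS extended-ACL matcher (constructed example) for the NAT route-map
question above: which ACE does a given TCP flow hit when the packet leaves the
server towards the client?"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One TCP packet as seen on the inside interface, server -> client."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'.
    Returns (address, care_mask, tokens_consumed); care_mask has 1 bits
    where the address must match (the inverse of the Cisco wildcard)."""
    if tokens[0] == "any":
        return 0, 0, 1
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF, 2
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return addr, (~wildcard) & 0xFFFFFFFF, 2


def _parse_port(tokens):
    """Consume an optional 'eq N' qualifier (numeric ports only here).
    Returns (port or None, tokens_consumed)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), 2
    return None, 0


def parse_ace(line):
    """Parse one 'access-list N {permit|deny} tcp SRC [eq P] DST [eq P]' line."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "tcp":
        raise ValueError(f"unsupported ACE: {line}")
    i = 4
    s_addr, s_mask, n = _parse_addr(t[i:])
    i += n
    s_port, n = _parse_port(t[i:])
    i += n
    d_addr, d_mask, n = _parse_addr(t[i:])
    i += n
    d_port, n = _parse_port(t[i:])
    return (t[2], s_addr, s_mask, s_port, d_addr, d_mask, d_port)


def _ip_matches(ip, addr, care):
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(acl_lines, flow):
    """First-match evaluation with the implicit deny at the end.
    Returns (action, matched_line) or ('deny', None) for the implicit deny."""
    for line in acl_lines:
        action, s_addr, s_mask, s_port, d_addr, d_mask, d_port = parse_ace(line)
        if not _ip_matches(flow.src_ip, s_addr, s_mask):
            continue
        if s_port is not None and s_port != flow.src_port:
            continue
        if not _ip_matches(flow.dst_ip, d_addr, d_mask):
            continue
        if d_port is not None and d_port != flow.dst_port:
            continue
        return action, line
    return "deny", None


def nat_decision(acl_lines, flow):
    """'translate' when the route-map ACL permits the flow, 'exempt' otherwise."""
    action, _ = evaluate(acl_lines, flow)
    return "translate" if action == "permit" else "exempt"


# ACL 110 as first posted: 'eq 3389' sits on the destination side.
ACL_AS_POSTED = [
    "access-list 110 deny tcp host 192.168.37.2 10.10.38.0 0.0.0.255 eq 3389",
    "access-list 110 permit tcp host 192.168.37.2 any eq 3389",
]
# ACL 110 as corrected in the reply: 'eq 3389' on the source (the server).
ACL_CORRECTED = [
    "access-list 110 deny tcp host 192.168.37.2 eq 3389 10.10.38.0 0.0.0.255",
    "access-list 110 permit tcp host 192.168.37.2 eq 3389 any",
]

# Constructed sample flows: RDP replies leaving the server (source port 3389).
# 203.0.113.10 is an assumed office host; the thread only shows x.x.229.0/24.
TO_VPN_CLIENT = Flow("192.168.37.2", 3389, "10.10.38.3", 51000)
TO_OFFICE = Flow("192.168.37.2", 3389, "203.0.113.10", 52000)


if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("corrected", ACL_CORRECTED)):
        for flow in (TO_VPN_CLIENT, TO_OFFICE):
            action, hit = evaluate(acl, flow)
            print(f"{name:10} -> {flow.dst_ip:14} {action:6} via {hit or 'implicit deny'}")
```

Run as a script, the "as posted" ACL reports implicit deny for both flows, while the corrected ACL exempts the flow to the VPN pool and permits (translates) the flow to the office host.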
07-29-2010 11:44 AM
Hello Nagaraja,
Thanks for your quick response, took me some days to test it.
You were absolutely right about the access list, messed up the 'ip nat inside' syntax with the access-list syntax, thanks for your answer.
The problem is still there: as soon as I insert the line ip nat inside source static 192.168.37.2 x.x.64.44 route-map RMAP the VPN cannot be established (I'm not asked for the password); it looks like some traffic is blocked. RDP from the WAN side works fine.
So what the problem is:
If I use ip nat inside source static tcp 192.168.27.2 3389 interface Dialer1 3389 then RDP from the WAN works fine, but RDP traffic over the VPN connection is sent out to the internet. So what I need is a conditional NAT translation. I thought I could use the
ip nat inside source static 192.168.37.2 x.x.64.44 route-map RMAP line with
route-map RMAP permit 10
match ip address 110
access-list 110 deny tcp host 192.168.37.2 eq 3389 10.10.38.0 0.0.0.255
access-list 110 permit tcp host 192.168.37.2 eq 3389 any
I cannot understand how the 'ip nat inside .... RMAP' line can influence the VPN traffic, as it only translates traffic from the outside address to 192.168.37.2 and back on port 3389.
Can anybody help?
regards
Marc