Cisco Systems Cisco 2811 VPN NATting

Cisco 2811 VPN NATting Anthony J. Biacco 05-24-07
Posted by Anthony J. Biacco on May 24, 2007, 11:26 am
Hi,

I have Cisco VPN clients connecting to a Cisco 2811 to access private
IP corporate resources.
However, now I need them to access some internet-based IPs (our
production network) over the VPN tunnels.
This means enabling VPN clients to hit the internet through the 2811,
which means NATing of their traffic out, since the VPN client IPs are
private.

I cannot figure out how to accomplish this. The connections to the
now-secure routes to the internet-based IPs time out. ICMP from the VPN
clients will hit nothing beyond the outside interface (Dialer1). I
suspect it's something regarding the VPN clients coming in on the
outbound interface (Dialer1) and then trying to go out that same
interface to hit the internet-based IPs and not getting NATted.

Can someone explain to me what I might be missing here?

Here are the relevant parts of my config. If you think other parts are
relevant, I can provide those as well.

Thanx.

xxx.xxx.xxx = Corporate public IPs
zzz.zzz.zzz = Production public IPs
yyy.yyy.yyy = Default internet route
192.168.167 = VPN client IPs
192.168.168 = Corporate DMZ
10.10.10 = Corporate Trust

interface Dialer1
description $FW_OUTSIDE$
bandwidth 7000
ip address xxx.xxx.xxx.206 255.255.255.240
ip access-group 104 in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname MYUSERNAME
ppp chap password 0 MYPASSWORD
ppp pap sent-username MYUSERNAME password 0 MYPASSWORD
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.167.2 192.168.167.10
ip route 0.0.0.0 0.0.0.0 yyy.yyy.yyy.yyy permanent
ip route 10.0.0.0 255.0.0.0 192.168.192.1 permanent
!
!
ip nat pool outsidepool xxx.xxx.xxx.195 xxx.xxx.xxx.204 netmask 255.255.255.240
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source static 192.168.168.2 xxx.xxx.xxx.193 route-map SDM_RMAP_3
ip nat inside source static 10.10.10.2 xxx.xxx.xxx.194 route-map SDM_RMAP_2
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.2
access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.3
access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.4
access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.5
access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.6
access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.7
access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.8
access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.9
access-list 100 deny ip 192.168.168.0 0.0.0.255 host 192.168.167.10
access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.2
access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.3
access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.4
access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.5
access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.6
access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.7
access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.8
access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.9
access-list 100 deny ip 10.11.0.0 0.0.3.255 host 192.168.167.10
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.2
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.3
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.4
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.5
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.6
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.7
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.8
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.9
access-list 100 deny ip 10.10.10.0 0.0.0.255 host 192.168.167.10
access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.2
access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.3
access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.4
access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.5
access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.6
access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.7
access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.8
access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.9
access-list 100 deny ip 10.2.0.0 0.0.3.255 host 192.168.167.10
access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.2
access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.3
access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.4
access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.5
access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.6
access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.7
access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.8
access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.9
access-list 100 deny ip 10.1.0.0 0.0.3.255 host 192.168.167.10
access-list 100 deny ip any host 192.168.167.2
access-list 100 deny ip any host 192.168.167.3
access-list 100 deny ip any host 192.168.167.4
access-list 100 deny ip any host 192.168.167.5
access-list 100 deny ip any host 192.168.167.6
access-list 100 deny ip any host 192.168.167.7
access-list 100 deny ip any host 192.168.167.8
access-list 100 deny ip any host 192.168.167.9
access-list 100 deny ip any host 192.168.167.10
access-list 100 deny ip host 192.168.168.2 any
access-list 100 deny ip host 10.10.10.2 any
access-list 100 permit ip 192.168.168.0 0.0.0.255 any
access-list 100 permit ip 10.1.0.0 0.0.3.255 any
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 10.2.0.0 0.0.3.255 any
access-list 100 permit ip 192.168.167.0 0.0.0.255 any

-Tony
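The symptom in the post (decrypted VPN-client packets arrive on Dialer1, which is "ip nat outside", and leave through the same interface, so they never cross an "ip nat inside" interface and SDM_RMAP_1 never translates them) is commonly handled on IOS by policy-routing the decrypted pool traffic through a loopback marked "ip nat inside". The fragment below is an added example, not the poster's config or a verified fix for it; the Loopback0 subnet 10.99.99.0/30, access-list 150 and the route-map name VPN-HAIRPIN are assumed, while Dialer1, the 192.168.167.0/24 pool and the existing SDM_RMAP_1 overload rule come from the post.

```cisco
! Added example: steer hairpinned VPN-client traffic through a
! NAT-inside interface so the existing overload rule can fire.
! 10.99.99.0/30, ACL 150 and VPN-HAIRPIN are assumed names/values.
!
interface Loopback0
 description NAT-inside hop for hairpinned VPN clients
 ip address 10.99.99.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
! Match only traffic sourced from the VPN pool, so ordinary inbound
! traffic on Dialer1 keeps its normal routing.
access-list 150 permit ip 192.168.167.0 0.0.0.255 any
!
! Next hop is the unused address in the loopback /30: the packet is
! forwarded via Loopback0, re-enters as "inside" traffic, and is then
! routed out Dialer1 where NAT overload applies.
route-map VPN-HAIRPIN permit 10
 match ip address 150
 set ip next-hop 10.99.99.2
!
interface Dialer1
 ip policy route-map VPN-HAIRPIN
!
! Unchanged from the post: ACL 100 already permits 192.168.167.0/24
! to any, so this rule translates the pool once it enters via Loopback0.
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
```

After a client hits a production IP, "show ip nat translations" should list entries for its 192.168.167.x address; if none appear, "show route-map VPN-HAIRPIN" will show whether the policy is matching at all.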

