NAT question for Cisco 851 router

I am attempting to configure a Cisco 851 router in a small office environment.

I've configured an Easy VPN Server, to which I can connect with Cisco VPN client w/ no problem. Once connected with the client, I can SSH to the router without problems.

What I have not been able to do is connect to an internal server running terminal services (TCP port 3389) from a connected VPN client. The internal server address is 192.168.1.2.

I don't understand the NAT route map, since it seems to prohibit traffic from the local subnet to the clients that are assigned addresses from the VPN pool.

Please help!!!

Following is my startup configuration:

!This is the running config of the router: 192.168.1.1
!----------------------------------------------------------------------------
!version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname esirouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$wk71$tHaNxneJDZrhuFHvLgb8Q0
!
username administrator privilege 15 secret 5 $1$qB7W$USua9BNt7dmgSp0iZBEL//
username dmasters privilege 15 secret 5 $1$rEkL$W5VSbsT5Lg.30m1GWjyvN/
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
no ip source-route
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool sdm-pool1
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name easternscientificinc.com
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 group 2
!
crypto isakmp client configuration group esivpnmain
 key erlight822!
 dns 192.168.1.2
 pool VPNPOOL
 acl 102
 save-password
 max-logins 5
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
router rip
 network 192.168.1.0
 no auto-summary
!
ip local pool VPNPOOL 192.168.1.50 192.168.1.99
ip classless
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 192.168.1.50 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.51 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.52 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.53 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.54 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.55 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.56 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.57 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.58 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.59 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.60 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.61 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.62 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.63 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.64 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.65 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.66 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.67 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.68 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.69 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.70 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.71 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.72 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.73 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.74 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.75 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.76 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.77 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.78 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.79 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.80 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.81 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.82 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.83 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.84 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.85 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.86 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.87 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.88 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.89 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.90 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.91 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.92 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.93 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.94 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.95 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.96 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.97 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.98 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.1.99 192.168.1.0 0.0.0.255
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.50
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.51
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.52
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.53
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.54
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.55
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.56
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.57
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.58
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.59
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.60
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.61
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.62
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.63
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.64
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.65
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.66
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.67
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.68
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.69
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.70
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.71
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.72
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.73
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.74
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.75
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.76
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.77
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.78
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.79
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.80
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.81
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.82
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.83
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.84
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.85
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.86
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.87
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.88
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.89
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.90
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.91
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.92
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.93
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.94
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.95
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.96
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.97
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.98
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.99
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 transport preferred all
 transport output telnet
line vty 0 4
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

bestdeals421
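
How the NAT route map in the posted configuration is evaluated, as an added example that is not part of the original post: when an ACL is referenced by a NAT route-map, a `deny` entry means the flow is left untranslated (it is not dropped), and a `permit` entry means it is translated. ACL 103 is rebuilt here from the configuration above; the function names and the Internet address 203.0.113.10 are constructed for illustration.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' (the ip-only form ACL 103 uses)."""
    tok = line.split()
    action, rest = tok[2], tok[4:]

    def take(r):
        if r[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), r[1:]
        if r[0] == "host":
            return (r[1], "0.0.0.0"), r[2:]
        return (r[0], r[1]), r[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    return action, src, dst

def build_acl_103():
    # Same entries as the posted config: one deny per VPNPOOL address
    # (192.168.1.50-99), followed by the permit for the inside subnet.
    lines = [f"access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.{h}"
             for h in range(50, 100)]
    lines.append("access-list 103 permit ip 192.168.1.0 0.0.0.255 any")
    return [parse_ace(line) for line in lines]

def nat_decision(acl, src, dst):
    """First matching entry wins. permit -> translate, deny -> leave untranslated."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return "translate" if action == "permit" else "no-nat"
    return "no-nat"  # implicit deny: the route-map does not match, so no NAT

if __name__ == "__main__":
    acl = build_acl_103()
    # Server replying to a VPN client, then server talking to the Internet.
    for dst in ("192.168.1.50", "203.0.113.10"):
        print("192.168.1.2 ->", dst, ":", nat_decision(acl, "192.168.1.2", dst))
```
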