NAT and VPN

I'm reposting this one; I've been looking for an answer and tried a number of things, but still no go. I'm really hoping someone can help me. Thanks.

I'm using a router with the IOS Firewall, and it's a pretty basic configuration providing VPN access to Win XP PCs with Cisco's VPN client and a couple of web servers behind the firewall/router.

The problem shows up when the VPN client tries to connect (using the internal address) to a web server that also has a static translation. It looks as if the server isn't responding. This occurs on SSL and SMTP as well. The common item is the static translation in the router.

I did a little looking with Ethereal, and the server is responding over the tunnel, but the source address is the outside (public) address of the server. The original request is to the internal address. Like this:

Source        Destination
192.168.2.2   192.168.1.10
64.123.42.10  192.168.2.2

I'm betting I'm missing something simple. I've included the significant portions of the config; what did I miss?

The use of a route-map in the NAT was one of my attempts to fix the problem; it was list 105. The IOS is 12.3(20), and the interface ACLs were removed for testing.

Thanks RC

aaa new-model
aaa authentication login useraaa local
aaa authorization network groupaaa local
aaa session-id common

ip subnet-zero
no ip cef

crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2

crypto isakmp client configuration group VPNclient
 key xxxxxxxxxxx
 dns 192.168.1.xxx
 domain xxxxxxx.xxx
 pool vpnpool
 acl 120

crypto ipsec transform-set set1 esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10
 set transform-set set1

crypto map clientmap client authentication list useraaa
crypto map clientmap isakmp authorization list groupaaa
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

interface Ethernet0/0
 description Internet
 ip address xxx.xxx.xxx.5 255.255.255.248
 ip nat outside
 ip inspect Ethernet_0_0 in
 full-duplex
 crypto map clientmap

interface Ethernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip inspect Ethernet_0_1 in
 full-duplex

ip local pool vpnpool 192.168.2.1 192.168.2.2
ip nat inside source route-map nonat interface Ethernet0/0 overload
ip nat inside source static tcp 192.168.1.8 443 xxx.xxx.xxx.6 443 extendable
ip nat inside source static tcp 192.168.1.8 25 xxx.xxx.xxx.6 25 extendable
ip nat inside source static tcp 192.168.1.7 443 xxx.xxx.xxx.7 443 extendable
ip nat inside source static tcp 192.168.1.7 80 xxx.xxx.xxx.7 80 extendable

ip classless

ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.4

access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any

access-list 120 permit ip 192.168.1.0 0.0.0.255 any

route-map nonat permit 10
 match ip address 105

RC
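An added model of the NAT behaviour behind the capture above (written for this thread, not code from the poster or from Cisco): it evaluates access-list 105 with Cisco wildcard semantics and applies the posted static port entries before the route-map-guarded overload entry, showing why the web server's reply to 192.168.2.2 leaves with its public address. The masked public address is assumed to be the placeholder 203.0.113.6, and the `static_route_map` argument is an assumption modelling an exemption attached to the static entry, which the posted config does not have.

```python
import ipaddress

# Constructed model of IOS inside-source NAT as configured in the post above.
# Private addresses are the poster's; the masked public address xxx.xxx.xxx.6
# is replaced with the TEST-NET placeholder 203.0.113.6.
PUBLIC_6 = "203.0.113.6"

def acl_match(acl, src, dst):
    """Evaluate a Cisco extended ACL given as (action, src_net, src_wild, dst_net, dst_wild)
    tuples. Wildcard bits set to 1 are 'don't care'. First match wins; implicit deny."""
    s = int(ipaddress.ip_address(src))
    d = int(ipaddress.ip_address(dst))
    for action, snet, swild, dnet, dwild in acl:
        sn, sw = int(ipaddress.ip_address(snet)), int(ipaddress.ip_address(swild))
        dn, dw = int(ipaddress.ip_address(dnet)), int(ipaddress.ip_address(dwild))
        if (s & ~sw) == (sn & ~sw) and (d & ~dw) == (dn & ~dw):
            return action
    return "deny"

# access-list 105 from the post; route-map nonat matches it for the overload entry only.
ACL_105 = [
    ("deny",   "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),  # "any"
]

# Port-specific static entries from the post: (inside address, port) -> public address.
STATIC = {("192.168.1.8", 443): PUBLIC_6, ("192.168.1.8", 25): PUBLIC_6}

def outbound_source(src, sport, dst, static_route_map=None):
    """Source address a packet carries when it leaves Ethernet0/0 (ip nat outside).
    Static entries win over the overload entry and, in the posted config, carry no
    route-map, so they apply to every destination, including the VPN pool.
    static_route_map is an assumed exemption ACL on the static entry (not in the post)."""
    if (src, sport) in STATIC:
        if static_route_map is None or acl_match(static_route_map, src, dst) == "permit":
            return STATIC[(src, sport)]
        return src                      # exempted: reply keeps its inside address
    if acl_match(ACL_105, src, dst) == "permit":
        return "<Ethernet0/0 address>"  # overload PAT to the outside interface
    return src                          # route-map nonat denied: no translation

if __name__ == "__main__":
    # The capture in the post: the web server's reply to the VPN client is rewritten.
    print("server reply to 192.168.2.2 leaves from", outbound_source("192.168.1.8", 443, "192.168.2.2"))
    # A LAN host without a static entry is exempted as intended by route-map nonat.
    print("LAN host reply leaves from", outbound_source("192.168.1.50", 1234, "192.168.2.2"))
    print("with an exemption on the static entry:",
          outbound_source("192.168.1.8", 443, "192.168.2.2", static_route_map=ACL_105))
```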

What about...

access-list 105 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 permit ip any 192.168.1.0 0.0.0.255

Don't NAT if the source is 192.168.2.0/24; otherwise NAT.

Joe Beasley

Are you running UDP/4500 encapsulation, aka IPsec NAT Traversal? Check in the GUI/Stats in the CCVPN ... Transparent tunneling, I think it's called.

HTH Martin

Martin Bilgrav
