I'm reposting this one; I've been looking for an answer and tried a number of things, but still no go. I'm really hoping someone can help me. Thanks.
I'm using a router with the IOS Firewall and it's a pretty basic configuration providing VPN access to Win XP PCs with Cisco's VPN client, and a couple of web servers behind the firewall/router.
The problem shows up when the VPN client tries to connect (using the internal address) to a web server that also has a static translation. It looks as if the server isn't responding. This occurs on SSL and SMTP as well. The common item is the static translation in the router.
I did a little looking with Ethereal and the server is responding over the tunnel, but the source address is the outside, public address of the server. The original request is to the internal address. Like this:

Source         Destination
192.168.2.2    192.168.1.10
64.123.42.10   192.168.2.2

I'm betting I'm missing something simple. I've included the significant portions of the config; what did I miss?
The use of a route-map in the NAT was one of my attempts to fix the problem; it was list 105. The IOS is 12.3(20), and the interface ACLs were removed for testing.
Thanks RC
aaa new-model
aaa authentication login useraaa local
aaa authorization network groupaaa local
aaa session-id common
!
ip subnet-zero
no ip cef
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNclient
 key xxxxxxxxxxx
 dns 192.168.1.xxx
 domain xxxxxxx.xxx
 pool vpnpool
 acl 120
!
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set set1
!
crypto map clientmap client authentication list useraaa
crypto map clientmap isakmp authorization list groupaaa
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0/0
 description Internet
 ip address xxx.xxx.xxx.5 255.255.255.248
 ip nat outside
 ip inspect Ethernet_0_0 in
 full-duplex
 crypto map clientmap
!
interface Ethernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip inspect Ethernet_0_1 in
 full-duplex
!
ip local pool vpnpool 192.168.2.1 192.168.2.2
ip nat inside source route-map nonat interface Ethernet0/0 overload
ip nat inside source static tcp 192.168.1.8 443 xxx.xxx.xxx.6 443 extendable
ip nat inside source static tcp 192.168.1.8 25 xxx.xxx.xxx.6 25 extendable
ip nat inside source static tcp 192.168.1.7 443 xxx.xxx.xxx.7 443 extendable
ip nat inside source static tcp 192.168.1.7 80 xxx.xxx.xxx.7 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.4
!
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 105
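Added example (not part of RC's post, and not Cisco code): a small Python model of the IOS NAT order of operations that reproduces the capture above. The point it shows is that the "nonat" route-map only governs the overload translation; the port-level static entries translate any packet whose source is 192.168.1.8 on the mapped port when it leaves via the outside interface, and on IOS inside-to-outside NAT runs before the crypto map encrypts, so the server's reply to a VPN client is rewritten to the public address before it enters the tunnel. The model then shows what happens if the static entries honour the same no-NAT exemption; whether 12.3(20) accepts a route-map on port-level `extendable` static entries is an assumption this example does not settle. The masked public addresses are replaced by documentation-range stand-ins (192.0.2.5 for the outside interface, 192.0.2.6 for xxx.xxx.xxx.6, 203.0.113.9 for an Internet host), all constructed.

```python
# Added example: model of IOS NAT order of operations for the VPN-client vs.
# static-translation case. Constructed addresses; not the router's real config.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


# One line of a numbered ACL as used by the nonat route-map: (action, src net, dst net).
AclEntry = Tuple[str, str, str]


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry decides; an ACL ends with an implicit deny."""
    for action, src_net, dst_net in acl:
        if ip_address(pkt.src) in ip_network(src_net) and ip_address(pkt.dst) in ip_network(dst_net):
            return action == "permit"
    return False


@dataclass(frozen=True)
class StaticPat:
    """ip nat inside source static tcp <local> <port> <global> <port> extendable"""
    inside_local: str
    inside_global: str
    proto: str
    port: int
    route_map: Optional[List[AclEntry]] = None  # hypothetical exemption (assumption, see lead-in)


@dataclass
class NatConfig:
    statics: List[StaticPat]
    overload_map: List[AclEntry]  # route-map nonat -> access-list 105
    outside_ip: str


def inside_to_outside(pkt: Packet, cfg: NatConfig) -> Packet:
    """Translation for traffic leaving through the 'ip nat outside' interface.
    On IOS this step runs before the crypto map encrypts, so replies destined
    for VPN clients go through it like any other outbound packet."""
    for s in cfg.statics:
        if (pkt.src, pkt.proto, pkt.sport) == (s.inside_local, s.proto, s.port):
            if s.route_map is None or acl_permits(s.route_map, pkt):
                return replace(pkt, src=s.inside_global)   # static PAT applies
            return pkt                                      # exempted: keep inside address
    if acl_permits(cfg.overload_map, pkt):
        return replace(pkt, src=cfg.outside_ip)             # interface overload (PAT)
    return pkt


def outside_to_inside(pkt: Packet, cfg: NatConfig) -> Packet:
    """Translation for traffic entering the outside interface (after decryption).
    Only packets addressed to an inside-global address/port are rewritten, so a
    VPN client talking to 192.168.1.8 directly is never translated here."""
    for s in cfg.statics:
        if (pkt.dst, pkt.proto, pkt.dport) == (s.inside_global, s.proto, s.port):
            return replace(pkt, dst=s.inside_local)
    return pkt


def reply_as_seen_by_client(request: Packet, cfg: NatConfig) -> Packet:
    """Deliver `request` to the server, build its reply, and return what the client captures."""
    at_server = outside_to_inside(request, cfg)
    reply = Packet(src=at_server.dst, dst=at_server.src, proto=at_server.proto,
                   sport=at_server.dport, dport=at_server.sport)
    return inside_to_outside(reply, cfg)


def client_accepts(request: Packet, reply: Packet) -> bool:
    """A TCP stack matches a reply to its socket only if the 4-tuple mirrors the request."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == \
           (request.dst, request.dport, request.src, request.sport)


NONAT_ACL: List[AclEntry] = [            # access-list 105 from the post
    ("deny", "192.168.1.0/24", "192.168.2.0/24"),
    ("permit", "192.168.1.0/24", "0.0.0.0/0"),
]


def posted_config() -> NatConfig:
    """Static entries unconditional, as in the posted config."""
    return NatConfig(statics=[StaticPat("192.168.1.8", "192.0.2.6", "tcp", 443),
                              StaticPat("192.168.1.8", "192.0.2.6", "tcp", 25)],
                     overload_map=NONAT_ACL, outside_ip="192.0.2.5")


def exempted_config() -> NatConfig:
    """Hypothetical: static entries subject to the same nonat route-map."""
    return NatConfig(statics=[StaticPat("192.168.1.8", "192.0.2.6", "tcp", 443, NONAT_ACL),
                              StaticPat("192.168.1.8", "192.0.2.6", "tcp", 25, NONAT_ACL)],
                     overload_map=NONAT_ACL, outside_ip="192.0.2.5")


VPN_REQUEST = Packet("192.168.2.2", "192.168.1.8", "tcp", 40001, 443)      # VPN client -> inside address
INTERNET_REQUEST = Packet("203.0.113.9", "192.0.2.6", "tcp", 50002, 443)   # Internet host -> public address

if __name__ == "__main__":
    for name, cfg in (("posted", posted_config()), ("exempted", exempted_config())):
        for req in (VPN_REQUEST, INTERNET_REQUEST):
            rep = reply_as_seen_by_client(req, cfg)
            print(f"{name:9} {req.src} -> {req.dst}:{req.dport}  reply from "
                  f"{rep.src}:{rep.sport}  accepted={client_accepts(req, rep)}")
```

Under the posted config the VPN client's SYN to 192.168.1.8:443 is answered from 192.0.2.6:443, which is the mismatch in the Ethereal trace and why the connection looks dead; with the static entries exempted for 192.168.2.0/24 destinations the reply keeps the inside address, while an Internet host hitting the public address is still translated as before.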