Outside address accessible from VPN

darkopopovic
Level 1

I have a little problem, and I haven't found the solution yet. Here is the scenario.

I have a main VPN site and 20 other VPN sites that terminate on the main site. I have one server that is in the private LAN of the main site and is statically NATed to one external address (1-1 NAT with static, no ports involved). Because I don't have split DNS zones for all my domains (and would like to stay that way, don't ask :-) ), I would like DNS names that resolve to my external address (the one statically mapped to the internal address on the main site, mentioned above) to be accessible through that external address. It is working from the main internal network (and I am not sure how :-), I thought I needed some extra config for this to work). Just to point out once again, I only have one static for that server mapping the external to the internal address, and I also have same-security-traffic permit inter & intra interface. DNS rewrite is not an option in this scenario. For the internal LAN on the main site and also for all other VPN sites, I have proper nat and global statements.

Also, all VPN sites are full-tunneled to the main site and access the Internet through the main VPN site, so there are proper nat (outside) and global (outside) lines for all the sites; every access to a non-local IP address is routed through the main tunnel and NATed if going to the Internet. I can see everything clearly in the conn and xlate tables.

I have checked the conn table: internal LAN addresses on the main site are PATed when accessing this external address, just like any other on the Internet, but it is not working from other VPN sites, I can see any connection in the conn table.

Thanks,

Milos

2 Replies

mirober2
Cisco Employee

Hi Milos,

I'm not sure I follow your explanation. What piece is actually failing, the DNS resolution or connections to the Internet from remote sites going through the main site?

A simple topology diagram and sanitized config excerpts may help us understand what's failing and point you in the right direction.

-Mike

Hi Mirober, thanks for replying :-). I will start again, just to make things clear. I will also attach a picture of how the sites are connected. I swapped the internal/external addresses for fake ones, but that will not change things.

1. There is one main site and around 15 smaller sites. All traffic from the smaller sites is tunneled to the main site. NAT-CONTROL is off on the small sites and there are no nat rules on them, so essentially all the traffic is captured by the crypto map and sent to the main site. On the main site there are multiple nat/global statements for all the sites, so clients can be properly PATed for accessing the Internet. As in the picture, we have a whole class C delegated to us.

2. On the main site, there are multiple servers that are port forwarded or statically mapped. One of them is interesting in this problem: internal address 10.0.1.100 is statically mapped to public address 1.1.1.100. I have same-security-traffic permit intra & inter interface.

Everything is working fine in this scenario. What is wrong is this:

We have a server that is hosting our websites, and that server is located in the internal network on the main site (10.0.1.100). We have multiple DNS zones that are not split, and when I try to access www.example.cz, www.example.ba, www.example.ee etc., DNS gives me back the public address 1.1.1.100 because the DNS zones are not split and it must stay that way (don't ask me why please :-) ). That public address, 1.1.1.100, is statically mapped to the internal server 10.0.1.100. From the internal network of the main site this is working and I see the websites in the browser when I type www... (addresses are resolved to 1.1.1.100), but it is NOT WORKING from the smaller sites (from their internal networks): I get proper DNS resolution to 1.1.1.100 but I can't connect to it. I hope I made it more clear this time :-).

Thanks in advance,

Milos
