02-08-2010 12:07 AM - edited 03-04-2019 07:26 AM
Hi,
I have configured ip nat on Cisco 6153 switch and it is working fine. But I need to bypass the ip nat configuration for VPN users.
e.g. 192.168.1.1 is NATed to a global IP address; the ip nat is working fine, but the same server I need to connect to for the VPN users also.
03-03-2010 08:33 AM
Hi,
No, I never said put eq 829 at the end of the ACL.
You can change the ACL to
"ip access-list extended PBR
permit tcp host 10.10.10.10 eq 829 10.1.1.0 0.0.0.255"
if you want.
thanks,
Lei Tian
03-03-2010 08:55 AM
Again the same result
Mar 3 19:28:35.510 KSA: IP: s=10.10.10.10 (Vlan110), d=10.1.1.80, len 52, FIB policy rejected(no match) - normal forwarding
Mar 3 19:28:35.514 KSA: IP: s=10.10.10.10 (Vlan110), d=10.1.1.80 (Vlan100), len 52, policy rejected -- normal forwarding
Mar 3 19:28:38.562 KSA: IP: s=10.10.10.10 (Vlan110), d=10.1.1.80, len 52, FIB policy rejected(no match) - normal forwarding
03-03-2010 09:00 AM
Hi,
Can you do a "show ip access PBR"?
thanks,
Lei Tian
03-03-2010 09:17 AM
03-03-2010 09:44 AM
Ok, now PBR is working.
Can you turn on wireshark on your VPN user site, and initiate the TCP connection to server 10.10.10.10 port 829? I want to see if the client gets SYN ACK back.
thanks,
Lei Tian
Just want to double check, the positive debug output was when you initiated a TCP connection to server port 829, not just ping, correct?
03-03-2010 10:32 AM
I was trying to Telnet to the server port and it is possible if I remove the NAT. The filtered output of wireshark is like mentioned below.
16 4.395941 10.1.1.82 10.10.10.10 tcp 56499 > 829 [syn] seq=0 Len0 MSS=1260 WS=8
19 7.403293 10.1.1.82 10.10.10.10 tcp 56499 > 829 [syn] seq=0 Len0 MSS=1260 WS=8
24 13.401870 10.1.1.82 10.10.10.10 tcp 56499 > 829 [syn] seq=0 Len0 MSS=1260
03-03-2010 11:24 AM
So, if you remove the static NAT, the VPN user is able to access the server, correct? Which means traffic sourced from 10.10.10.10 to the vpn user subnet is not blocked.
As you can see there is no SYN ACK received on the VPN user side, so the traffic must be dropped somewhere. I remember on some code versions, the loopback interface has a discard adjacency. If that is the case, then the return traffic is dropped at loopback 2.
You can try "no ip route-cache" under loopback 2, see if that can help.
thanks,
Lei Tian
03-03-2010 11:37 AM
This is what I need to solve. The traffic is not blocked; because of the NATing I can not access this port for VPN. So I need to bypass the NATing for the VPN users. Also I can reach the port if I am directly connecting any PC to the Switch. I did the no ip route-cache command but there is no progress.
Thanks
Abdussamad
03-03-2010 11:55 AM
Understand your requirement. This is exactly what we were trying to solve. However if the loopback interface has a discard adjacency then it will drop all the traffic sent to that interface. If that is the case, then the solution of using loopback to bypass NAT will not work.
So you have to either upgrade the code to a version that supports route-map on static NAT; or use a separate vlan interface for VPN users, and do not configure ip nat outside on that interface.
HTH,
Lei Tian
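The two options in Lei Tian's last reply, written out as an IOS configuration fragment. This is an added example, not configuration from the thread; the global address 203.0.113.10 (RFC 5737 documentation range), the ACL and route-map names, the SVI addresses, and Vlan120 as the Internet-facing interface are assumptions, while 10.10.10.10, the 10.1.1.0/24 VPN subnet, Vlan110 and Vlan100 come from the thread.

```cisco
! Option 1: exempt the VPN subnet from the static translation with a route-map.
! Needs an IOS release that accepts route-map on "ip nat inside source static".
! The ACL is written from the inside host's view (inside-to-outside direction):
! permit = translate, deny = forward untranslated.
ip access-list extended NAT-EXEMPT-VPN
 deny   ip host 10.10.10.10 10.1.1.0 0.0.0.255
 permit ip host 10.10.10.10 any
!
route-map STATIC-NAT permit 10
 match ip address NAT-EXEMPT-VPN
!
! 203.0.113.10 is a placeholder for the real global address
ip nat inside source static 10.10.10.10 203.0.113.10 route-map STATIC-NAT
!
interface Vlan110
 description server side (assumed addressing)
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! Option 2: leave the static NAT as it is, but terminate the VPN users on
! their own SVI that is deliberately NOT marked "ip nat outside". Traffic
! between an inside interface and a non-NAT interface is never translated,
! so VPN users reach 10.10.10.10 on its real address.
interface Vlan100
 description VPN users 10.1.1.0/24 - no "ip nat outside" on purpose
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan120
 description Internet-facing, the only NAT outside interface (assumed)
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
! Checks after either change (from a VPN client, telnet 10.10.10.10 829):
! show ip nat translations
! show ip access-lists NAT-EXEMPT-VPN
```

With option 2 the VPN users' SVI must be the only path from 10.1.1.0/24 to the server; if that subnet can also arrive through Vlan120, the translation still applies.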