Bypass the IP NAT for VPN Users

abdussamedpkpk
Level 1

Hi,

I have configured ip nat on a Cisco 6153 switch and it is working fine. But I need to bypass the ip nat configuration for VPN users.

e.g. 192.168.1.1 is NATed to a global IP address; the ip nat is working fine, but the VPN users also need to connect to the same server.

38 Replies

Hi,

No, I never said put eq 829 at the end of the ACL.

You can change the ACL to

ip access-list extended PBR
 permit tcp host 10.10.10.10 eq 829 10.1.1.0 0.0.0.255

if you want.

thanks,

Lei Tian

Again the same result

Mar  3 19:28:35.510 KSA: IP: s=10.10.10.10 (Vlan110), d=10.1.1.80, len 52, FIB policy rejected(no match) - normal forwarding
Mar  3 19:28:35.514 KSA: IP: s=10.10.10.10 (Vlan110), d=10.1.1.80 (Vlan100), len 52, policy rejected -- normal forwarding
Mar  3 19:28:38.562 KSA: IP: s=10.10.10.10 (Vlan110), d=10.1.1.80, len 52, FIB policy rejected(no match) - normal forwarding

Hi,

Can you do a "show ip access PBR"

thanks,

Lei Tian

Now the debug information is giving some positive result. Please see the attachment, but I still can't reach the server port.

Ok, now PBR is working.

Can you turn on Wireshark on your VPN user site and initiate the TCP connection to server 10.10.10.10 port 829? I want to see if the client gets a SYN ACK back.


thanks,

Lei Tian

Just want to double check: the positive debug output was when you initiated a TCP connection to the server on port 829, not just a ping, correct?

I was trying to telnet to the server port, and it is possible if I remove the NAT. The filtered Wireshark output is shown below.

16 4.395941 10.1.1.82 10.10.10.10 tcp 56499 > 829 [syn] seq=0 Len0 MSS=1260 WS=8
19 7.403293 10.1.1.82 10.10.10.10 tcp 56499 > 829 [syn] seq=0 Len0 MSS=1260 WS=8
24 13.401870 10.1.1.82 10.10.10.10 tcp 56499 > 829 [syn] seq=0 Len0 MSS=1260

So, if you remove the static NAT, the VPN user is able to access the server, correct? Which means traffic sourced from 10.10.10.10 to the VPN user subnet is not blocked.

As you can see, there is no SYN ACK received on the VPN user side, so the traffic must be dropped somewhere. I remember that on some code versions the loopback interface has a discard adjacency. If that is the case, then the return traffic is dropped at loopback 2.

You can try "no ip route-cache" under loopback 2 and see if that helps.

thanks,

Lei Tian

This is what I need to solve. The traffic is not being blocked; because of the NATing I cannot access this port over VPN. So I need to bypass the NATing for the VPN users. Also, I can reach the port if I connect any PC directly to the switch. I did the "no ip route-cache" command but there is no progress.

Thanks

Abdussamad

I understand your requirement. This is exactly what we were trying to solve. However, if the loopback interface has a discard adjacency, then it will drop all the traffic sent to that interface. If that is the case, then the solution of using a loopback to bypass NAT will not work.

So you have to either upgrade the code to a version that supports route-map on static NAT, or use a separate VLAN interface for the VPN users and do not configure ip nat outside on that interface.

HTH,

Lei Tian
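The two alternatives from the reply above, written out as an added IOS configuration example (not from the original thread). The server 10.10.10.10 and VPN subnet 10.1.1.0/24 are taken from the thread; the global address 203.0.113.10, Vlan120, and the ACL and route-map names are assumed, and option 1 only works on a release that supports route-map on static NAT.

```cisco
! Option 1: keep the static NAT but exempt traffic towards the VPN user subnet.
! Requires an IOS release that accepts "route-map" on a static NAT entry.
ip access-list extended NAT_EXEMPT_VPN
 ! Server-to-VPN-client traffic must NOT be translated
 deny   ip host 10.10.10.10 10.1.1.0 0.0.0.255
 ! Everything else from the server keeps being translated as before
 permit ip host 10.10.10.10 any
!
route-map STATIC_NAT permit 10
 match ip address NAT_EXEMPT_VPN
!
! The translation is only applied when the route-map permits, so replies
! to VPN clients in 10.1.1.0/24 leave with the real address 10.10.10.10
! and the client sees the SYN ACK it was missing in the captures above.
! Some releases need the "reversible" keyword on this line for sessions
! initiated from outside to 203.0.113.10; check the running code's docs.
ip nat inside source static 10.10.10.10 203.0.113.10 route-map STATIC_NAT
!
! Option 2: terminate the VPN users on their own SVI with no NAT role.
! NAT only runs between an "inside" and an "outside" interface, so traffic
! entering via Vlan120 is routed to 10.10.10.10 untranslated in both
! directions, and the loopback/PBR workaround is no longer needed.
interface Vlan120
 description VPN users (not part of the NAT domain)
 ip address 10.1.1.1 255.255.255.0
 no ip nat outside
!
! Verification after either change (constructed check, run from the switch):
! show ip nat translations | include 10.10.10.10
!   -> no entry should appear for flows to/from 10.1.1.0/24
! show route-map STATIC_NAT
!   -> the policy-match counter should increase only for non-VPN traffic
```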
