Cisco 800 series router NAT issues with VPN

jacobdixon
Level 1

I'm having an issue with getting traffic to pass through an encrypted VPN tunnel when a server has been configured for NAT for external access. I'm using a Cisco 861w running version 12.4(22r).

I understand that I need to configure the NAT a different way, but I'm not exactly sure how using Cisco Configuration Professional 2.6 (not very good at command line).

I configured the NAT for external access under the ACL -> NAT section. From what I understand, I need to create a dynamic NAT using a route-map? When I try to create a dynamic NAT it only gives me the option for adding a new or existing ACL to it.

I was hoping for some guidance on achieving this with CCP.

Here is the config for reference:

version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname fw
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical

!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2415746705
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2415746705
revocation-check none
rsakeypair TP-self-signed-2415746705
!
!
crypto pki certificate chain TP-self-signed-2415746705
certificate self-signed 01
        quit
no ip source-route
!
!
ip port-map user-protocol--2 port tcp 587
ip port-map user-protocol--3 port tcp 3389
ip port-map user-protocol--1 port tcp 4125
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name **********.com
!
!
license udi pid CISCO861W-GN-A-K9 sn FTX164081R5
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 111
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 108
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-http-1
match access-group 107
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 106
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 105
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
match access-group 101
match protocol smtp
class-map type inspect match-all sdm-nat-imap-1
match access-group 104
match protocol imap
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 110
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-all sdm-nat-pop3-1
match access-group 103
match protocol pop3
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all sdm-nat-https-1
match access-group 102
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
  inspect
class type inspect sdm-nat-https-1
  inspect
class type inspect sdm-nat-pop3-1
  inspect
class type inspect sdm-nat-imap-1
  inspect
class type inspect sdm-nat-user-protocol--1-1
  inspect
class type inspect sdm-nat-user-protocol--2-1
  inspect
class type inspect sdm-nat-http-1
  inspect
class type inspect sdm-nat-user-protocol--3-1
  inspect
class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
class class-default
  drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
  pass
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ********* address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
match address 109
!
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address ************ 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.0.0.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 10.0.0.250 25 interface FastEthernet4 25
ip nat inside source static tcp 10.0.0.250 443 interface FastEthernet4 443
ip nat inside source static tcp 10.0.0.250 110 interface FastEthernet4 110
ip nat inside source static tcp 10.0.0.250 143 interface FastEthernet4 143
ip nat inside source static tcp 10.0.0.250 4125 interface FastEthernet4 4125
ip nat inside source static tcp 10.0.0.250 587 interface FastEthernet4 587
ip nat inside source static tcp 10.0.0.251 3389 interface FastEthernet4 3390
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 ****************
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip *********** 0.0.0.7 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.0.0.250
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 10.0.0.250
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 10.0.0.250
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 10.0.0.250
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 10.0.0.250
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 10.0.0.250
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip any host 10.0.0.250
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip any host 10.0.0.251
access-list 109 remark CCP_ACL Category=4
access-list 109 remark IPSec Rule
access-list 109 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 remark CCP_ACL Category=128
access-list 110 permit ip any any
access-list 111 remark CCP_ACL Category=0
access-list 111 permit ip 192.168.2.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 112 remark CCP_ACL Category=2
access-list 112 remark IPSec Rule
access-list 112 deny   ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 112 permit ip 10.0.0.0 0.0.0.255 any
no cdp run

route-map SDM_RMAP_1 permit 1
match ip address 112
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

11 Replies

Julio Carvajal
VIP Alumni

Hello Jacob,

I can definitely help you with this, but via CLI.

Can you explain the scenario a little bit further?

What is the private IP address of the server on which you will be performing the NAT?

Do you want to NAT it to a public IP address for outside internet users?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Basically the only server that I really need opened to the outside is server 10.0.0.250.

Now the user that is on the VPN has a 192.168.2.0 network at his house. The problem is I opened ports 3389, 80, and 443 to the outside world, and this prevents the user on the VPN from being able to RDP to 10.0.0.250 or open a website on port 80 and 443.

From what I understand, I need to create a dynamic NAT using a route-map and deny his subnet from being NAT'd. Just not 100% sure of the commands to do this.

Hi,

I think the below is what you are looking for:

!
ip access-list extended NAT-Traffic
deny ip host 10.0.0.250 192.168.2.0 0.0.0.255
deny ip host 10.0.0.251 192.168.2.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
!

!
route-map POLICY-NAT 10
match ip address NAT-Traffic
!

ip nat inside source static tcp 10.0.0.250 25 interface FastEthernet4 25 route-map POLICY-NAT extendable
ip nat inside source static tcp 10.0.0.250 443 interface FastEthernet4 443 route-map POLICY-NAT extendable
ip nat inside source static tcp 10.0.0.250 110 interface FastEthernet4 110 route-map POLICY-NAT extendable
ip nat inside source static tcp 10.0.0.250 143 interface FastEthernet4 143 route-map POLICY-NAT extendable
ip nat inside source static tcp 10.0.0.250 4125 interface FastEthernet4 4125 route-map POLICY-NAT extendable
ip nat inside source static tcp 10.0.0.250 587 interface FastEthernet4 587 route-map POLICY-NAT extendable
ip nat inside source static tcp 10.0.0.251 3389 interface FastEthernet4 3390 route-map POLICY-NAT extendable

HTH,
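To make the mechanism behind the suggestion concrete, here is an added Python model (not code from the thread or from Cisco) of the decision the router makes for a reply leaving the server: the route-map ACL decides whether static NAT translates the packet, and only an untranslated source still matches the crypto ACL 109 and gets sent into the tunnel. The outside address 198.51.100.2, the VPN client 192.168.2.10 and the internet client 203.0.113.5 are constructed values, and ports are ignored.

```python
import ipaddress

# Cisco wildcard masks: a 0 bit means "must match", a 1 bit means "don't care".
def wildcard_match(addr, network, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (n & keep)

def acl_permits(acl, src, dst):
    """First matching entry wins; an ACL that matches nothing implicitly denies."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False

# The NAT-Traffic ACL proposed above: server traffic toward the VPN subnet is
# excluded from translation, everything else from the LAN is translated.
NAT_TRAFFIC = [
    ("deny",   "10.0.0.250", "0.0.0.0",   "192.168.2.0", "0.0.0.255"),
    ("deny",   "10.0.0.251", "0.0.0.0",   "192.168.2.0", "0.0.0.255"),
    ("permit", "10.0.0.0",   "0.0.0.255", "0.0.0.0",     "255.255.255.255"),
]
# ACL 109 from the posted config: the crypto map's "interesting traffic".
CRYPTO_ACL_109 = [("permit", "10.0.0.0", "0.0.0.255", "192.168.2.0", "0.0.0.255")]

OUTSIDE_IP = "198.51.100.2"  # constructed stand-in for the masked FastEthernet4 address

def outbound_path(src, dst, policy_nat):
    """Return (source address the crypto map sees, 'ipsec' or 'clear').

    For inside-to-outside packets IOS applies NAT before the crypto map is
    evaluated, so a translated source no longer matches ACL 109 and the
    packet leaves unencrypted toward the internet instead of the tunnel.
    """
    if policy_nat:
        translate = acl_permits(NAT_TRAFFIC, src, dst)  # route-map POLICY-NAT
    else:
        translate = True                                 # unconditional static NAT
    post_nat_src = OUTSIDE_IP if translate else src
    path = "ipsec" if acl_permits(CRYPTO_ACL_109, post_nat_src, dst) else "clear"
    return post_nat_src, path

if __name__ == "__main__":
    for flag in (False, True):
        print("policy NAT" if flag else "plain static NAT")
        print("  reply to VPN user :", outbound_path("10.0.0.250", "192.168.2.10", flag))
        print("  reply to internet :", outbound_path("10.0.0.250", "203.0.113.5", flag))
```

With plain static NAT the reply to the VPN user is translated and misses the tunnel; with the route-map it stays 10.0.0.250 and matches ACL 109, while internet clients are still translated.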

Ahh, now that looks like what I read that I needed to do. Let me try that tomorrow morning (so I can make sure he is at the router; in case it doesn't work, he can reset it).

I will post an update tomorrow morning but that looks like it will work.

Thank you both for the quick responses and assistance. Like I said, I will post again to tell you that it solved the problem I am having.

It appears the version that we are running (12.4) does not support those commands. It stops at this:

ip nat inside source static tcp 10.0.0.251 3389 interface FastEthernet4 3390

There is not an available route-map command after that. There is a command that looks like this, but I'm not sure how to use it:

ip nat inside source route-map POLICY-NAT interface FastEthernet4 overload??

Check with the below:

ip nat inside source static 10.0.0.251 interface FastEthernet4 route-map POLICY-NAT extendable

The available commands stop after FastEthernet4. I think the command you provided may be for a newer version?

Sent from Cisco Technical Support iPhone App

Hi,

Will this server also be available to non-VPN users by its public address?

Regards

Alain

Don't forget to rate helpful posts.

Yes, it needs to be available to the outside as well.

Sent from Cisco Technical Support iPhone App

jacobdixon
Level 1

Anyone have another suggestion on the command to run?

Sent from Cisco Technical Support iPhone App

jacobdixon
Level 1

The image file is

C860-universalk9-Mz.150-1.m8.bin

So I guess the version is actually 15.0.1 M8

Sorry about that

Sent from Cisco Technical Support iPhone App
