07-20-2019 11:51 AM
I have to open port 1149 to be able to access OpenVPN, but I am not having success with the NAT configuration I made.
Using the TCP port checker, it gives a timeout; the output of show ip nat translate shows that it is translating.
Attached are the photos and the configuration of the router.
The IP of the OpenVPN server is 10.10.10.1 and the IP of the WAN is 200.216.228.48.
If anyone can help me, thank you.
----------------------------------------------------
interface FastEthernet0/0
ip address 192.168.5.254 255.255.255.0 secondary
ip address 200.149.100.81 255.255.255.248
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
speed 100
full-duplex
!
interface FastEthernet0/1.1200
encapsulation dot1Q 1200
ip address 200.216.228.49 255.255.255.252
ip nat outside
ip virtual-reassembly in
crypto map clientmap
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/1/0
no ip address
ip nat outside
ip virtual-reassembly in
encapsulation ppp
shutdown
crypto map clientmap
!
ip local pool ippool 10.1.1.10 10.1.1.200
ip local pool OpenVPN 10.10.10.1 10.10.10.254
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat pool internet 200.149.100.81 200.149.80.22 netmask 255.255.255.248
ip nat inside source list 110 pool internet overload
ip nat inside source static tcp 10.10.10.1 1194 interface FastEthernet0/1.1200 1194
ip nat outside source static 200.149.100.81 192.168.5.1
ip route 0.0.0.0 0.0.0.0 200.216.228.50
!
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit tcp 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 1194
access-list 101 permit ip 192.168.5.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit tcp any any
access-list 110 deny ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 192.168.5.0 0.0.0.255 any
---------------------------------------------------------------------------------------------------
07-20-2019 12:25 PM
Hello,
as far as I recall, OpenVPN uses either UDP port 1194 or TCP port 443. Try and change the NAT statement and the access list:
ip nat pool internet 200.149.100.81 200.149.80.22 netmask 255.255.255.248
ip nat inside source list 110 pool internet overload
ip nat inside source static udp 10.10.10.1 1194 interface FastEthernet0/1.1200 1194
ip nat outside source static 200.149.100.81 192.168.5.1
ip route 0.0.0.0 0.0.0.0 200.216.228.50
!
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit udp 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 1194
access-list 101 permit ip 192.168.5.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit tcp any any
access-list 110 deny ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 192.168.5.0 0.0.0.255 any
07-20-2019 12:29 PM
Thanks for the answer.
I made the changes, but it is still not working.
07-20-2019 12:36 PM
07-20-2019 01:06 PM
Hello,
what if you NAT/allow both the TCP and the UDP ports?
ip nat pool internet 200.149.100.81 200.149.80.22 netmask 255.255.255.248
ip nat inside source list 110 pool internet overload
ip nat inside source static udp 10.10.10.1 1194 interface FastEthernet0/1.1200 1194
ip nat inside source static tcp 10.10.10.1 1194 interface FastEthernet0/1.1200 1194
ip nat outside source static 200.149.100.81 192.168.5.1
ip route 0.0.0.0 0.0.0.0 200.216.228.50
!
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit udp 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 1194
access-list 101 permit tcp 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 1194
access-list 101 permit ip 192.168.5.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit tcp any any
access-list 110 deny ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 192.168.5.0 0.0.0.255 any
07-20-2019 01:22 PM
I did just that before.
07-20-2019 01:14 PM
Hello,
it used to be that Cisco IOS did not support OpenVPN at all, and that you had to use a proprietary client such as AnyConnect; not sure if that is still the case...
07-20-2019 01:28 PM
Let me explain the scenario; maybe it will help us.
This router already has a VPN on it; this VPN works normally and is accessed with the Cisco VPN client and AnyConnect.
The OpenVPN server is totally separate; I just need to allow the port to the server 10.10.10.1.
Does the configuration of fa0/1.1200 seem right to you? "ip nat outside"
07-20-2019 01:39 PM
Hello,
sorry, my bad, I thought you wanted to use the IOS router as the VPN server.
Either way, what access list is matching your crypto map 'crypto map clientmap'?
Post the full running config if possible...
07-20-2019 01:45 PM
redundancy
!
!
crypto isakmp client configuration group nation
key xxxxx
dns 200.255.255.70
domain nxx.com
pool ippool
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.5.254 255.255.255.0 secondary
ip address 200.149.156.17 255.255.255.248
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/0
ip address 192.168.5.254 255.255.255.0 secondary
ip address 200.149.100.81 255.255.255.248
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
speed 100
full-duplex
!
interface FastEthernet0/1.1200
encapsulation dot1Q 1200
ip address 200.216.228.49 255.255.255.252
ip nat outside
ip virtual-reassembly in
crypto map clientmap
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/1/0
no ip address
ip nat outside
ip virtual-reassembly in
encapsulation ppp
shutdown
crypto map clientmap
!
ip local pool ippool 10.1.1.10 10.1.1.200
ip local pool OpenVPN 10.10.10.1 10.10.10.254
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
!
ip nat pool internet 200.149.100.81 200.149.80.22 netmask 255.255.255.248
ip nat inside source list 110 pool internet overload
ip nat inside source static tcp 10.10.10.1 1194 interface FastEthernet0/1.1200 1194
ip nat inside source static udp 10.10.10.1 1194 interface FastEthernet0/1.1200 1194
ip nat outside source static 200.149.100.81 192.168.5.1
ip route 0.0.0.0 0.0.0.0 200.216.228.50
!
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit tcp 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 1194
access-list 101 permit ip 192.168.5.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit tcp any any
access-list 101 permit udp 10.10.10.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 1194
access-list 110 deny ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 192.168.5.0 0.0.0.255 any
!
!
!
!
control-plane
!
end
07-20-2019 01:57 PM
"crypto map clientmap" is the VPN group configured on the router.
07-20-2019 02:30 PM
Hello,
where is the OpenVPN server with IP address 10.10.10.1? Sorry for the confusion, I cannot figure out what the local pool OpenVPN is for if you don't use the router as the VPN server for the OpenVPN clients...
Maybe you can draw this out and post a schematic drawing, so we know what is where...
07-20-2019 03:12 PM
The server 10.10.10.1 is behind the interface fa0/0.
It is on the same computer as 192.168.5.245.
Yes, it also has a public IP.
07-21-2019 12:40 AM
Hello,
ip nat pool internet 200.149.100.81 200.149.80.22 netmask 255.255.255.248
ip nat inside source list 110 pool internet overload
You are using a NAT pool that consists of addresses that are part of the subnet that is assigned to the inside. Do you have Internet access at all?
07-21-2019 02:16 AM
OpenVPN is inside a Windows Server 2008 server.
The interface fa0/0 192.168.5.254 connects to Windows Server 2008 192.168.5.245.
IP 10.10.10.1 is automatically generated by the OpenVPN server and assigned to a Windows Server interface.
When I try to ping from inside the Windows server with the source being the interface that is configured with IP 192.168.5.245, everything works normally; I have normal access.
When I ping with source IP 10.10.10.1, it gives a general failure error in ping. I added a static route pointing to 10.10.10.1 for IP 192.168.5.245, and on the router I created a static route pointing to the network 10.10.10.0/24 via IP 192.168.5.254, but the ping error continues the same, "general transmission failure", and from the router I also cannot reach IP 10.10.10.1.
What do you think?
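As an added illustration (editor's example, not code from the thread or from Cisco), the following Python check parses a config excerpt like the one posted and reports, for each static NAT entry, whether the router can actually reach the inside-local address through an `ip nat inside` interface. The excerpt is constructed from the posted config; the route to 10.10.10.0/24 via the server's LAN address 192.168.5.245 used in the test is an assumption about what is intended, and a default route out the WAN or a route whose next hop is the router's own 192.168.5.254 is deliberately not counted as reachable.

```python
import ipaddress
import re
# Constructed excerpt of the IOS config posted in the thread (not the full running-config).
POSTED = """
interface FastEthernet0/0
 ip address 192.168.5.254 255.255.255.0
 ip nat inside
!
ip nat inside source static tcp 10.10.10.1 1194 interface FastEthernet0/1.1200 1194
ip nat inside source static udp 10.10.10.1 1194 interface FastEthernet0/1.1200 1194
ip route 0.0.0.0 0.0.0.0 200.216.228.50
"""

def parse(config):
    """Collect 'ip nat inside' subnets, the router's own addresses, static routes
    and the inside-local address of each static NAT entry."""
    inside, own, routes, targets = [], set(), [], []
    nets, nat_inside = [], False
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface ") or s == "!":   # previous block ends here
            inside.extend(nets if nat_inside else [])
            nets, nat_inside = [], False
        if m := re.match(r"ip address (\S+) (\S+)", s):
            nets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
            own.add(ipaddress.ip_address(m[1]))
        elif s == "ip nat inside":
            nat_inside = True
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", s):
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False),
                           ipaddress.ip_address(m[3])))
        elif m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+)", s):
            targets.append((m[1], int(m[3]), ipaddress.ip_address(m[2])))
    inside.extend(nets if nat_inside else [])
    return inside, own, routes, targets

def reachable_inside(ip, inside, own, routes):
    """True if ip sits on an inside subnet, or a static route covers it whose next
    hop is on an inside subnet and is not one of the router's own addresses."""
    if any(ip in net for net in inside):
        return True
    return any(ip in dst and nh not in own and any(nh in net for net in inside)
               for dst, nh in routes)

def check_static_nat(config):
    """Map each static NAT entry to whether the router can reach its inside-local IP."""
    inside, own, routes, targets = parse(config)
    return {f"{proto}/{port}->{ip}": reachable_inside(ip, inside, own, routes)
            for proto, port, ip in targets}
```

With the posted config both entries come back unreachable, because the only route covering 10.10.10.1 is the default route out the WAN; a route to 10.10.10.0/24 via 192.168.5.254 (the router itself) is still reported unreachable.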