07-24-2014 02:23 AM - edited 03-04-2019 11:25 PM
Hello!
I currently have two offices set up as follows:
Office A internal IP: 192.168.0.0 /24 with Draytek router
Office B internal IP: 192.168.1.0 /24 with Cisco 1941 router
Office B hosts a web server with internal IP: 192.168.1.17
The offices are connected with an IPSEC VPN between the Draytek router at Office A and the Cisco 1941 router at Office B.
The VPN connects through the same interface that is used for static NATing for external traffic to access the web server.
My issue is users at Office A are unable to access services on the web server using its internal IP 192.168.1.17 on the ports being statically NATed. I'm wondering how to resolve this.
My config is as follows and I'm using XXX.XXX.XXX.XXX to represent my public WAN IP.
interface GigabitEthernet0/0
description WAN
ip address XXX.XXX.XXX.XXX SUB.NET.MAS.KKK
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
crypto map VPN
!
!
interface GigabitEthernet0/1
description LAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.1
description DATA VLAN1
encapsulation dot1Q 1 native
ip address 192.168.1.253 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
ip nat inside source static tcp 192.168.1.17 22 interface GigabitEthernet0/0 22
ip nat inside source static tcp 192.168.1.17 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 192.168.1.17 80 interface GigabitEthernet0/0 80
ip nat inside source static udp 192.168.1.17 22 interface GigabitEthernet0/0 22
ip nat inside source route-map NoNat interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
!
ip access-list extended NoNat
deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
route-map NoNat permit 10
match ip address NoNat
07-24-2014 03:15 AM
No route to the 192.168.0.0/24 network:
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
ip route 192.168.0.0 255.255.255.0 <your Tunnel IP address>
Same on the other router also:
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
ip route 192.168.1.0 255.255.255.0 <your Tunnel IP address>
07-24-2014 04:23 AM
I wondered about this but since everything else works through the VPN I was unsure. Thanks for replying so quickly! I will test this tomorrow and let you know!
07-24-2014 04:31 PM
Unfortunately adding the route made no changes. I am confident it's the static NATs in place that are causing the issue. For a test I set up a static NAT for RDP to another server on the 192.168.1.0 network and immediately I could not remote desktop to it from the 192.168.0.0 network. Once I removed it I had no issues.
07-24-2014 09:17 PM
Hope you added it to both sides. And if you are accessing 192.168.1.17, NAT will not be in the picture. Can you ping 192.168.1.17 from another subnet?
07-24-2014 10:00 PM
Hey, so to provide an update. I modified my NAT statement for RDP and have successfully been able to access the server internally and externally.
The changes I made are as follows:
Original:
ip nat inside source static udp 192.168.1.XX 3389 interface GigabitEthernet0/0 3389
Updated:
ip nat inside source static tcp 192.168.1.XX 3389 XXX.XXX.XXX.XXX 3389 route-map NoNat extendable
Thank you again for taking the time to help me with this issue!
Cheers
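The mechanism this thread ends on, modelled as an added Python example (not the poster's code and not anything from Cisco): on IOS the inside-to-outside NAT step runs before the crypto map evaluates the packet, so a static port translation with no route-map rewrites the web server's replies to the public address and they no longer match crypto ACL 100; tying the static entry to the NoNat route-map, as the poster did for 3389, leaves VPN-bound replies untranslated. The model uses the NoNat and 100 ACLs from the config above, implements IOS wildcard-mask matching and first-match-with-implicit-deny semantics, and uses the constructed placeholder 203.0.113.10 for the XXX.XXX.XXX.XXX public IP. It is a simplified model of the order of operations, not a reimplementation of the router.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder for the thread's XXX.XXX.XXX.XXX (RFC 5737 documentation range).
PUBLIC_IP = "203.0.113.10"

Rule = Tuple[str, Tuple[str, str], Tuple[str, str]]  # (action, (src_net, src_wc), (dst_net, dst_wc))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 0 bit in the mask must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_acl(text: str) -> List[Rule]:
    """Parse 'permit|deny ip <src> <wc> <dst> <wc>' lines ('any' allowed) from an extended ACL."""
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[1] != "ip":
            continue  # only the 'ip' form used in the thread is modelled
        action, fields = parts[0], parts[2:]

        def take() -> Tuple[str, str]:
            nonlocal fields
            if fields[0] == "any":
                fields = fields[1:]
                return ("0.0.0.0", "255.255.255.255")
            net, wc = fields[0], fields[1]
            fields = fields[2:]
            return (net, wc)

        src = take()
        dst = take()
        rules.append((action, src, dst))
    return rules


def acl_permits(rules: List[Rule], src: str, dst: str) -> bool:
    """First matching entry decides; no match means the implicit deny at the end."""
    for action, (snet, swc), (dnet, dwc) in rules:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False


# The two ACLs from the poster's config, verbatim.
NONAT_ACL = parse_acl("""
deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
""")
CRYPTO_ACL_100 = parse_acl("""
permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
""")


@dataclass
class StaticNat:
    """One 'ip nat inside source static tcp <ip> <port> ...' entry.
    route_map_acl=None models the original unconditional entry; an ACL models '... route-map NoNat'."""
    inside_ip: str
    inside_port: int
    route_map_acl: Optional[List[Rule]]


ORIGINAL_NAT_80 = StaticNat("192.168.1.17", 80, None)        # as in the posted config
FIXED_NAT_80 = StaticNat("192.168.1.17", 80, NONAT_ACL)      # with 'route-map NoNat extendable'


def inside_to_outside(src_ip: str, src_port: int, dst_ip: str, nat: StaticNat) -> Tuple[str, bool]:
    """Model the inside->outside path for a reply from the web server.
    NAT is applied first; the crypto map's ACL then sees the post-NAT source address.
    Returns (source address after NAT, whether the packet matches the crypto ACL)."""
    translated = src_ip
    if src_ip == nat.inside_ip and src_port == nat.inside_port:
        # A route-map on the static entry makes the translation conditional on its ACL.
        if nat.route_map_acl is None or acl_permits(nat.route_map_acl, src_ip, dst_ip):
            translated = PUBLIC_IP
    elif acl_permits(NONAT_ACL, src_ip, dst_ip):
        # 'ip nat inside source route-map NoNat interface Gi0/0 overload': dynamic PAT for
        # everything the route-map permits, i.e. internet-bound traffic only.
        translated = PUBLIC_IP
    goes_through_vpn = acl_permits(CRYPTO_ACL_100, translated, dst_ip)
    return translated, goes_through_vpn


if __name__ == "__main__":
    office_a_user = "192.168.0.50"   # constructed client at Office A
    for label, nat in (("original static NAT", ORIGINAL_NAT_80), ("static NAT + route-map NoNat", FIXED_NAT_80)):
        src_after, via_vpn = inside_to_outside("192.168.1.17", 80, office_a_user, nat)
        print(f"{label}: reply source becomes {src_after}, matches crypto ACL: {via_vpn}")
```

Run as a script it shows the original entry rewriting the reply to 203.0.113.10 (no crypto ACL match, so the packet is routed via the default route instead of the tunnel) and the route-map version leaving 192.168.1.17 untouched; internet-bound replies are still translated in both cases, and a port with no static entry (say 8080) already reached Office A through the tunnel, which is why "everything else works through the VPN". The same reasoning applies to the 22, 80 and 443 entries in the posted config. On the router itself, `show ip nat translations` (no entry should appear for 192.168.1.17 talking to 192.168.0.0/24) and the encaps/decaps counters in `show crypto ipsec sa` are the checks that confirm the flow is actually taking the tunnel.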
07-24-2014 04:21 AM