NAT and VPN termination on the same ISR 800 Series home router

Lorand
Cisco Employee

I have a 891W as a home router with NAT configured on Dialer0, which is receiving a publicly routable IP address:

interface Dialer0
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ipv6 address autoconfig
 ipv6 enable
 ppp authentication chap callin
 ppp chap hostname *****
 ppp chap password 0 *****
 ppp ipcp dns accept
 ppp ipcp route default
 crypto map CLIENT
end

I wonder if I can exclude some ports from the NAT, and host services on the router's public address, like SSH, and a VPN headend. In fact, if I can get the VPN going, I don't need anything else (hence the crypto map CLIENT in the config).

Here are some of the NAT rules:

ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.3 5001 interface Dialer0 5001

Richard Burts
Hall of Fame

We have limited details to work with. And it is not clear whether the vpn you reference would be a site to site vpn or a Remote Access vpn. So our answers must begin with generalities. In general it should be possible to configure access list 100 (used to control your nat) so that it denies the traffic of your vpn while permitting other traffic. This should allow you to operate vpn on this router. If you provide more detail we might be able to provide better suggestions.

HTH

Rick

Hi Richard, my goal is to connect to my home network when I'm not at home from my Linux and Mac laptops, using the vpnc client with NetworkManager on Linux and the built-in IPsec client on the Mac. My home router's WAN interface is not accessible from the outside, because NAT is activated. I can do port forwarding to internal hosts with rules like the one I included in the example above. However, packets going to the WAN interface, which don't have an associated rule or established state, will be dropped. In order to connect with a VPN client, I need to access UDP port 4500 on the WAN interface. So I need a rule to tell the router that I want that traffic excepted from NAT. At least, that's what I think I need to make the VPN connect, because right now I get connection timed out.

Hello
Sounds like NAT-T is required. Does your router support IPsec passthrough? What software are you running?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I have 15.7(3)M2.

Deepak Kumar
VIP Alumni

Hi,

You have shared very little information. What is your goal? Do you want to prevent someone on the inside from accessing SSH or Telnet on any public server? Or do you want to block SSH/Telnet to your router from the public internet?

 

As you said, you are using a VPN, and I am assuming that "crypto map CLIENT" is part of the VPN configuration. For the rest, we need to verify your configuration.

 

ip nat inside source list 100 interface Dialer0 overload

This command shows that you have configured NAT overload; the allowed source subnets/addresses and the destination addresses are specified in ACL 100.

ip nat inside source static tcp 192.168.1.3 5001 interface Dialer0 5001

This is a port-forwarding NAT rule. A service hosted on your server 192.168.1.3 (port 5001) will be accessible from the WAN on port 5001.

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi Deepak, my problem is that I can't access any of the router's own services from the outside, because NAT is active. My goal is to enable VPN connectivity using vpnc or the Mac built-in IPsec client, but the connection times out, because UDP port 4500 is not reachable on the router. I assume that's because NAT is activated.

Hi,

Please share the router running configuration.


Regards,

Deepak Kumar

I'd prefer not to share the whole router configuration. I think I shared what's more relevant. Let me know if you need more details. My question is: considering that NAT is enabled on the WAN interface, can I access services on that same WAN interface?

Hello

You could try the following:
ip nat inside source static udp 192.168.1.3 4500 interface Dialer0 4500
ip nat inside source static udp 192.168.1.3 500 interface Dialer0 500
ip nat inside source static esp 192.168.1.3 interface Dialer0


Kind Regards
Paul

Yes, but I don't want to terminate the VPN on the internal server 192.168.1.3, I want to terminate it on the router itself.

Thanks for the clarification. You are using access list 100 to control address translation but have not shown us what is in that acl. It should be possible to insert entries in the acl to deny the protocols and ports used by the vpn clients (enter them before the permit statements for other traffic) so that the router will not attempt to translate that traffic. This should allow the vpn to work along with the address translation.

HTH

Rick

Thanks for the reply. The access list contains two internal networks:

access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.127.0 0.0.0.255 any

But I thought that using that access list in an "ip nat inside source" directive will not help on the outside, since the source of packets for the VPN is not in this range anyway, and is not destined to this range either...

This translation is using both outside and inside, even though the command only specifies inside. And it and the static nat are the only translations you have configured. So that is where you need to make changes. Give my suggestion a try and let us know if the behavior changes.

HTH

Rick
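Rick's suggestion, written out as an added configuration example (not posted by anyone in the thread): ACL 100 is rebuilt so that entries exempting traffic bound for the VPN clients come before the two existing permits, which keeps the router from translating inside-to-client traffic while everything else still uses the Dialer0 overload. The client address range 192.168.200.0/24 is a hypothetical pool, standing in for whatever the "crypto map CLIENT" configuration actually hands out.

```ios
! Added example, not from the thread. The numbered ACL can only be
! rewritten as a whole, so it is removed and re-entered in the new order.
! ASSUMPTION: remote-access clients get addresses from 192.168.200.0/24
! (hypothetical pool); replace with the pool your VPN actually assigns.
no access-list 100
!
! 1. Traffic from the inside networks to VPN clients is NOT translated.
!    Without these entries the permit lines below would match first and
!    replies to the clients would leave with the Dialer0 address as source.
access-list 100 deny   ip 192.168.1.0   0.0.0.255 192.168.200.0 0.0.0.255
access-list 100 deny   ip 192.168.127.0 0.0.0.255 192.168.200.0 0.0.0.255
!
! 2. Everything else from the two inside networks is translated as before
!    (these are the two lines from the original ACL 100).
access-list 100 permit ip 192.168.1.0   0.0.0.255 any
access-list 100 permit ip 192.168.127.0 0.0.0.255 any
!
! Existing dynamic entries were built with the old ACL; flush them so the
! new deny entries take effect for current flows as well.
clear ip nat translation *
!
! Verify: no translation entries should exist for the VPN client range.
show ip nat translations | include 192.168.200.
```

The `ip nat inside source list 100 interface Dialer0 overload` statement itself is unchanged; only the ACL it references is reordered.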

Hello


@Lorand wrote:

Yes, but I don't want to terminate the VPN on the internal server 192.168.1.3, I want to terminate it on the router itself.


That was my assumption; I used the IP you were using as an example ONLY.

 

I don't want to confuse you with anything other than helping you solve your problem, hence my suggestion regarding NAT-Traversal.

However, Rick's suggestion is plausible as far as I can see, so I would go with Rick's suggestion and post the results.


Kind Regards
Paul