03-26-2019 12:03 PM
I have a 891W as a home router with NAT configured on Dialer0, which is receiving a publicly routable IP address:
interface Dialer0
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ipv6 address autoconfig
 ipv6 enable
 ppp authentication chap callin
 ppp chap hostname *****
 ppp chap password 0 *****
 ppp ipcp dns accept
 ppp ipcp route default
 crypto map CLIENT
end
I wonder if I can exclude some ports from the NAT, and host services on the router's public address, like SSH, and a VPN headend. In fact, if I can get the VPN going, I don't need anything else (hence the crypto map CLIENT in the config).
Here are some of the NAT rules:
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.3 5001 interface Dialer0 5001
03-26-2019 02:14 PM
We have limited details to work with. And it is not clear whether the vpn you reference would be a site to site vpn or a Remote Access vpn. So our answers must begin with generalities. In general it should be possible to configure access list 100 (used to control your nat) so that it denies the traffic of your vpn while permitting other traffic. This should allow you to operate vpn on this router. If you provide more detail we might be able to provide better suggestions.
HTH
Rick
03-27-2019 01:52 AM
Hi Richard, my goal is to connect to my home network when I'm not at home from my Linux and Mac laptops, using the vpnc client with NetworkManager on Linux and the built-in IPsec client on the Mac. My home router's WAN interface is not accessible from the outside, because NAT is activated. I can do port forwarding to internal hosts with rules like the one I included in the example above. However, packets going to the WAN interface, which don't have an associated rule or established state, will be dropped. In order to connect with a VPN client, I need to access UDP port 4500 on the WAN interface. So I need a rule to tell the router that I want that traffic excepted from NAT. At least, that's what I think I need to make the VPN connect, because right now I get connection timed out.
03-27-2019 03:11 AM - edited 03-27-2019 03:12 AM
Hello
Sounds like NAT-T is required. Does your router support IPsec passthrough? What software are you running?
03-27-2019 03:15 AM
I have 15.7(3)M2.
03-26-2019 08:03 PM
Hi,
You have shared very little information. What is your goal? Do you want to prevent someone on the inside from accessing SSH or telnet on any public server? Or do you want to block SSH/Telnet to your router from the public internet?
As you said that you are using VPN, I am assuming that "crypto map CLIENT" is part of the VPN configuration. For the rest, we need to verify your configuration.
ip nat inside source list 100 interface Dialer0 overload
This command shows that you have configured NAT overload; the allowed source subnets/addresses and the destination addresses are specified in ACL 100.
ip nat inside source static tcp 192.168.1.3 5001 interface Dialer0 5001
This is a port-forwarding NAT rule. A service hosted on your server 192.168.1.3 on port 5001 will be accessible from the WAN on port 5001.
Regards,
Deepak Kumar
03-27-2019 01:55 AM
Hi Deepak, my problem is that I can't access any of the router's own services from the outside, because NAT is active. My goal is to enable VPN connectivity using vpnc or the Mac built-in IPsec client, but the connection times out, because UDP port 4500 is not reachable on the router. I assume that's because NAT is activated.
03-27-2019 02:29 AM
Hi,
Please share the router running configuration.
Regards,
Deepak Kumar
03-27-2019 03:08 AM
I'd prefer not to share the whole router configuration. I think I shared what's more relevant. Let me know if you need more details. My question is: considering that NAT is enabled on the WAN interface, can I access services on that same WAN interface?
03-27-2019 03:34 AM
Hello
You could try the following:
ip nat inside source static udp 192.168.1.3 4500 interface Dialer0 4500
ip nat inside source static udp 192.168.1.3 500 interface Dialer0 500
ip nat inside source static esp 192.168.1.3 interface Dialer0
03-27-2019 04:28 AM
Yes, but I don't want to terminate the VPN on the internal server 192.168.1.3, I want to terminate it on the router itself.
03-27-2019 05:48 AM
Thanks for the clarification. You are using access list 100 to control address translation but have not shown us what is in that acl. It should be possible to insert entries in the acl to deny the protocols and ports used by the vpn clients (enter them before the permit statements for other traffic) so that the router will not attempt to translate that traffic. This should allow the vpn to work along with the address translation.
HTH
Rick
03-27-2019 06:07 AM
Thanks for the reply. The access list contains two internal networks:
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.127.0 0.0.0.255 any
But I thought that using that access list in an "ip nat inside source" directive will not help on the outside, since the source of packets for the VPN is not in this range anyway, and is not destined to this range either...
03-27-2019 06:12 AM
This translation is using both outside and inside, even though the command only specifies inside. And it and the static nat are the only translations you have configured. So that is where you need to make changes. Give my suggestion a try and let us know if the behavior changes.
HTH
Rick
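The ACL change Rick describes, written out as an added example (not configuration posted in this thread). It assumes the client uses IKEv1 with NAT-T as vpnc and the Mac client do (UDP 500, UDP 4500 and ESP), keeps the two inside networks Lorand posted, and rebuilds the numbered ACL because new entries on a numbered access-list are appended after the existing permits.

```cisco
! Added example: NAT ACL 100 with the router-terminated VPN traffic excluded.
! Assumption: IKEv1 with NAT-T, i.e. UDP 500 (isakmp), UDP 4500 (non500-isakmp) and ESP.
! Entries are evaluated top-down, so the deny lines must come before the permit lines.
! Rebuilding the ACL briefly leaves the overload rule with no matches; do it from the console.
no access-list 100
access-list 100 deny   udp any any eq isakmp
access-list 100 deny   udp any eq isakmp any
access-list 100 deny   udp any any eq non500-isakmp
access-list 100 deny   udp any eq non500-isakmp any
access-list 100 deny   esp any any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.127.0 0.0.0.255 any
!
! Checks after a client tries to connect:
!   show access-lists 100        - match counters on the deny lines should increase
!   show crypto isakmp sa        - the client's phase 1 SA should be listed
!   show ip nat translations     - no entries for UDP 500/4500 or ESP should appear
```

The deny lines also stop the router from translating IKE/ESP sent by inside hosts, so if a machine on 192.168.1.0/24 or 192.168.127.0/24 runs its own VPN client, narrow the deny entries to the router's traffic or to specific hosts.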
03-27-2019 01:25 PM
Hello
@Lorand wrote:
Yes, but I don't want to terminate the VPN on the internal server 192.168.1.3, I want to terminate it on the router itself.
That was my assumption; I used the IP you were using as an example ONLY.
I don't want to confuse you with anything other than helping you solve your problem, hence my suggestion regarding NAT-Traversal.
However, Rick's suggestion is plausible as far as I can see, so I would go with Rick's suggestion and post the results.