Remote vpn users can not access webserver locally

teymur azimov
Level 1

Hi Dears.

I configured IPsec remote VPN on a Catalyst 6500.

192.168.14.0/24-- my servers are assigned this subnet

vpn user:10.10.10.0/24

192.168.10.229  ----  webserver ip address

ip access-list extended NAT

deny   ip 192.168.14.0 0.0.0.255 10.10.10.0 0.0.0.255

permit ip 192.168.14.0 0.0.0.255 any

ip nat inside source list NAT pool Internet overload

OK, this is a normal configuration, and when I connect to the IPsec VPN the connection is OK.

I have one webserver and I do static NAT translation:

ip nat inside source static tcp 192.168.14.229 8881 79.x.x.x 80 extendable

ip nat inside source static tcp 192.168.14.229 8881 79.x.x.x 8881

The static NAT is working and any user can access our site from outside.

My problem is:

When I am connected to the VPN, I want to access the webserver, so I open Explorer and type 192.168.14.229:8881

but I cannot access it.

I do not want to use split tunnel. How do I solve this issue?

Please help me.

i can not access we

3 Replies

Marwan ALshawi
VIP Alumni

The problem here is that the server gets NATed before being encapsulated into the VPN tunnel.

What you can do is policy static NAT, as per below:

access-list 100 permit ip 192.168.14.0 0.0.0.255 10.10.10.0 0.0.0.255

route-map nat deny 10

 match ip address 100

route-map nat permit 20

ip nat inside source static tcp 192.168.14.229 8881 71.x.x.x 8881 route-map nat

Make sure you clear the current NAT translation table after you add this command.

Hope this helps.

If helpful, rate.

Yes, I agree with you. I know I must do policy NAT, but I do not know how to write it, so you can help me.

1. access-list 100 permit ip 192.168.14.0 0.0.0.255 10.10.10.0 0.0.0.255

Why did we use the permit command in this access list, not the deny command?

2. route-map nat deny 10

    match ip address 100

We write the route map with deny, but in the access list we use the permit command?

3. route-map nat permit 20

Where do we use this route map?

Thanks

Ok

With ACLs and route maps, you can use permit in the ACL to match the traffic and deny in the route map to deny the traffic matched by the ACL.

And you can do it the other way around.

The other route map sequence, 20, means permit anything else, like the permit any any in an ACL, as we had the first one as deny.

In brief, the above config matches ACL 100 and excludes it from being NATed, and then NATs anything else.

Hope this helps.
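
The permit/deny interplay discussed in the replies above, as an added Python model that is not part of any post in this thread and is not Cisco code. It is a simplified simulation of the route-map decision, not the IOS implementation; the function names are hypothetical and the public address is a placeholder.

```python
import ipaddress

def _wild(addr, net, wildcard):
    # IOS wildcard mask: 1-bits are "don't care", 0-bits must equal the network
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (addr & care) == (int(ipaddress.ip_address(net)) & care)

def acl_match(entries, src, dst):
    """True if the first matching ACL entry is a permit (implicit deny at end)."""
    s = int(ipaddress.ip_address(src))
    d = int(ipaddress.ip_address(dst))
    for action, s_net, s_wild, d_net, d_wild in entries:
        if _wild(s, s_net, s_wild) and _wild(d, d_net, d_wild):
            return action == "permit"
    return False

# access-list 100 from the reply: "permit" here only means "select this traffic"
ACL_100 = [("permit", "192.168.14.0", "0.0.0.255", "10.10.10.0", "0.0.0.255")]

# route-map nat: (sequence, action, ACL to match, or None for "no match clause")
ROUTE_MAP_NAT = [(10, "deny", ACL_100), (20, "permit", None)]

def route_map_permits(route_map, src, dst):
    """Walk the sequences in order; the first clause that matches decides."""
    for _seq, action, acl in sorted(route_map, key=lambda e: e[0]):
        if acl is None or acl_match(acl, src, dst):
            return action == "permit"
    return False  # implicit deny when no clause matches

GLOBAL_IP = "<public-ip>"  # placeholder for the masked public address

def translate(src, sport, dst):
    """Apply the static tcp entry only when the route map permits the flow."""
    if (src, sport) == ("192.168.14.229", 8881) and \
            route_map_permits(ROUTE_MAP_NAT, src, dst):
        return (GLOBAL_IP, sport)
    return (src, sport)  # left untranslated, so it can enter the VPN tunnel

if __name__ == "__main__":
    # Constructed sample flows: a VPN client and an Internet client
    for dst in ("10.10.10.5", "203.0.113.7"):
        print(dst, "->", translate("192.168.14.229", 8881, dst))
```

Replies to a VPN client in 10.10.10.0/24 hit sequence 10 and keep the server's private source address, while replies to any other destination fall through to sequence 20 and are translated.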
