07-21-2010 08:40 AM - edited 03-04-2019 09:08 AM
Hi All,
Firstly, I do apologise for posting yet again with this; however, I do seem to have got a little bit closer to the issue. I just don't seem to be able to fix it :(
Here is the explanation ....
At the Main Office we have a Cisco 2600 Router (IOS 12.3). A Remote Site has a Linksys Router and this connects to the Main office Cisco by an IP Sec Tunnel (Site-To-Site VPN).
All works fine-ish.
On the Cisco:
77.88.44.82 NATs to 192.168.0.10 (a Small Business Server)
77.88.44.83 NATs to 192.168.0.12 (a VoIP Server)
Both networks can ping everything on each other’s network addresses
192.168.0.10 also hosts a PPTP server, which has now broken. From the 192.168.0.10 server, when I go to www.whatsmyip.org it is showing as the router's IP (77.88.44.81) and not the NATted address of the server (77.88.44.82).
If I change the following lines in config from:
ip nat inside source static 192.168.0.10 77.88.44.82 route-map nonat
ip nat inside source static 192.168.0.12 77.88.44.83 route-map nonat
to:
ip nat inside source static 192.168.0.10 77.88.44.82
ip nat inside source static 192.168.0.12 77.88.44.83
and then go to www.whatsmyip.org, it is showing as 77.88.44.82. The only problem with that is that the remote network (192.168.254.0) now cannot ping or access 192.168.0.10 or 192.168.0.12, because it is being NATted along with all traffic.
I know that the PPTP VPN cannot be established as the GRE tunnel cannot come up. It sees traffic coming in from 77.88.44.81 and not 77.88.44.82.
Hope the above makes a bit of sense, and not just the rambling of a mad man?
Anyone got any ideas? About 5 weeks on this now and seriously starting to lose the little sanity I had.
Config is attached :)
Cheers
Si
07-21-2010 12:18 PM
Hello Simon,
You have provided the router configuration, but no hint on who the other PPTP endpoint is. I can guess it is a public address somewhere on the internet.
Removing the route-map nonat totally breaks connectivity with the LAN-to-LAN IPsec VPN, as you have seen.
You could use a modified ACL to be invoked by the route-map, like:
access-list 121 deny ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 121 permit ip 192.168.0.0 0.0.0.255 any
for 192.168.0.10 you can use
access-list 123 deny ip host 192.168.0.10 192.168.254.0 0.0.0.255
access-list 123 permit gre host 192.168.0.10 any
access-list 123 permit ip host 192.168.0.10 any
In this way you are using a more accurate ACL. This also means that you will use two route-maps: nonat10 invoking ACL 123, and nonat13 for the other IP address, invoking a similar one using host 192.168.0.13.
With the same line of thought, I would modify the ACL used with the NAT overload command in the following way:
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 101 deny ip host 192.168.0.10 any
access-list 101 deny ip host 192.168.0.13 any
access-list 101 permit ip 10.10.0.0 0.0.255.255 any
The idea is to avoid any possible ambiguity in NAT operation.
You can check NAT translations on the router itself using:
sh ip nat translations
sh ip nat translations | include 192.168.0.10
We need to be aware that if a wrong NAT entry is built it can cause problems, so ACLs have to be designed to avoid any possible multiple match in different places/NAT commands, as happens with the current configuration.
Hope to help
Giuseppe
07-21-2010 01:03 PM
Hi There Giuseppe,
Many Thanks for your response. You are correct they are Remote Users from anywhere on the Net. Going on what you have said I am guessing something like:
ip nat inside source static 192.168.0.10 77.86.45.82 route-map nonat82
ip nat inside source static 192.168.0.12 77.86.45.83 route-map nonat83
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 101 deny ip host 192.168.0.10 any
access-list 101 deny ip host 192.168.0.12 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 182 deny ip host 192.168.0.10 192.168.254.0 0.0.0.255
access-list 182 permit gre host 192.168.0.10 any
access-list 182 permit ip host 192.168.0.10 any
access-list 183 deny ip host 192.168.0.12 192.168.254.0 0.0.0.255
access-list 183 permit ip host 192.168.0.12 any
route-map nonat82 permit 10
match ip address 182
route-map nonat83 permit 10
match ip address 183
On the access lists, for example 182, would I need to include all the ports? For example, would my access list 182 need all of these that are in access list 110?
access-list 110 permit tcp any host 77.88.44.82 eq 1723
access-list 110 permit tcp any host 77.88.44.82 eq 4125
access-list 110 permit tcp any host 77.88.44.82 eq 443
access-list 110 permit tcp any host 77.88.44.82 eq 444
access-list 110 permit tcp any host 77.88.44.82 eq 993
access-list 110 permit tcp any host 77.88.44.82 eq smtp
access-list 110 permit tcp any host 77.88.44.82 eq 8019
access-list 110 permit udp any host 77.88.44.82 eq 8019
Many Thanks Again
Si
07-21-2010 01:24 PM
Hello Simon,
>> On the access lists, for example 182, would i need to include all the ports?
No, with the proposed config we are opening for NAT at the IP level.
ACL 110 has a different use: it is used inbound on the external L3 interface to decide what IP flows can access the internal network, and it is part of a security policy.
You actually have ACL 111 applied to the dialer0 interface.
Hope to help
Giuseppe
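As an added illustration of Giuseppe's point about avoiding multiple NAT matches (this is not code from the thread), the following Python script evaluates Simon's proposed ACLs the way IOS does for a given flow (first match, implicit deny, wildcard masks) and lists every NAT statement that would claim that flow. The overload statement (assumed to be `ip nat inside source list 101 ... overload`), the "loose" ACL 101 without per-host deny lines, and the sample flows are assumptions constructed for the example.

```python
import ipaddress
# Constructed sample: Simon's proposed ACLs from the thread, verbatim.
PROPOSED_ACLS = """
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 101 deny ip host 192.168.0.10 any
access-list 101 deny ip host 192.168.0.12 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 182 deny ip host 192.168.0.10 192.168.254.0 0.0.0.255
access-list 182 permit gre host 192.168.0.10 any
access-list 182 permit ip host 192.168.0.10 any
access-list 183 deny ip host 192.168.0.12 192.168.254.0 0.0.0.255
access-list 183 permit ip host 192.168.0.12 any
"""
# Hypothetical ACL 101 lacking the per-host deny lines, to show the multiple-match problem.
LOOSE_101 = "access-list 101 permit ip 192.168.0.0 0.0.0.255 any"
# NAT statement -> ACL consulted (nonat82 -> 182, nonat83 -> 183; overload via list 101 is assumed).
NAT_RULES = [("static .10->.82", "182"), ("static .12->.83", "183"), ("overload list 101", "101")]

def wc_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _operand(tok):
    """Consume one ACL address operand: 'any', 'host A', or 'A WILDCARD'."""
    if tok[0] == "any":
        return "0.0.0.0", "255.255.255.255", tok[1:]
    if tok[0] == "host":
        return tok[1], "0.0.0.0", tok[2:]
    return tok[0], tok[1], tok[2:]

def parse_acls(text):
    """Parse 'access-list N permit|deny PROTO SRC DST' lines; port qualifiers are ignored."""
    acls = {}
    for t in (line.split() for line in text.strip().splitlines()):
        if len(t) >= 5 and t[0] == "access-list":
            src, swc, rest = _operand(t[4:])
            dst, dwc, _ = _operand(rest)
            acls.setdefault(t[1], []).append((t[2], t[3], src, swc, dst, dwc))
    return acls

def acl_permits(entries, src, dst, proto):
    """First-match evaluation, with the implicit deny at the end of every ACL."""
    for action, p, s, swc, d, dwc in entries:
        if p in ("ip", proto) and wc_match(src, s, swc) and wc_match(dst, d, dwc):
            return action == "permit"
    return False

def nat_matches(acls, src, dst, proto, rules=NAT_RULES):
    """Names of every NAT statement whose ACL permits the flow; more than one is a misconfig."""
    return [name for name, acl in rules if acl_permits(acls.get(acl, []), src, dst, proto)]
```

With the proposed ACLs, 192.168.0.10 to the remote site matches no NAT statement (so it rides the IPsec tunnel), 192.168.0.10 to the internet matches only the static entry, and swapping in the loose ACL 101 makes that same internet flow match both the static and the overload statements, which is exactly the ambiguity Giuseppe warns about.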