09-10-2012 07:05 PM - edited 03-04-2019 05:31 PM
I have a slight problem here. Our setup is as follows: Internet -> Main Site Router -> Serial to Remote Site Router -> Voice/Data Network on said Remote Site. On their voice network, they have cameras connected in at the remote site. They want remote access through their main site outside interface AND through their VPN on the same interface. That leaves us with the not-NATing-VPN-traffic problem. Because this is my first experience with route mapping, I was curious if anyone can find where I went wrong. Basically, during testing I wasn't able to telnet to certain ports. I'll just include the relevant stuff.
Main Site Router:
interface FastEthernet0/0
 description Outside
 ip address xxx.xxx.xxx.xxx 255.255.255.240
 ip access-group acl-in-outside in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect INTERNET out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map vpn
 service-policy output QOS-CLASS
!
interface Serial0/0
 bandwidth 1500
 ip address 10.30.0.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 encapsulation ppp
 ip summary-address eigrp 1 10.30.0.0 255.255.128.0 5
 clock rate 2000000
 service-policy output QOS-QUEUE-shape_95Perc
!
router eigrp 1
 redistribute static
 passive-interface default
 no passive-interface Serial0/0
 network 10.0.0.0
 network 192.168.0.0 0.0.255.255
 auto-summary
!
ip local pool vpn-pool-112 10.30.112.1 10.30.112.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 67.52.240.49 name TimeWarner
ip route 10.30.112.0 255.255.255.0 xxx.xxx.xxx.xxx name RemoteAccessVPN
!
ip http server
ip http secure-server
ip nat inside source route-map RM-natPolicy interface FastEthernet0/0 overload
ip nat inside source static tcp 10.30.129.16 554 xxx.xxx.xxx.xxx 554 route-map rm-vpnNoNat-16 extendable
ip nat inside source static tcp 10.30.16.32 1723 xxx.xxx.xxx.xxx 1723 route-map rm-vpnNoNat-32 extendable
ip nat inside source static tcp 10.30.129.16 3454 xxx.xxx.xxx.xxx 3454 route-map vpnNoNat-16 extendable
ip nat inside source static tcp 10.30.129.17 80 xxx.xxx.xxx.xxx 6081 route-map vpnNoNat-17 extendable
ip nat inside source static tcp 10.30.129.18 80 xxx.xxx.xxx.xxx 6082 route-map rm-vpnNoNat-18 extendable
ip nat inside source static tcp 10.30.129.19 80 xxx.xxx.xxx.xxx 6083 route-map rm-vpnNoNat-19 extendable
ip nat inside source static tcp 10.30.129.20 80 xxx.xxx.xxx.xxx 6084 route-map rm-vpnNoNat-20 extendable
ip nat inside source static tcp 10.30.129.21 80 xxx.xxx.xxx.xxx 6085 route-map rm-vpnNoNat-21 extendable
ip nat inside source static tcp 10.30.129.22 80 xxx.xxx.xxx.xxx 6086 route-map rm-vpnNoNat-22 extendable
ip nat inside source static tcp 10.30.129.23 80 xxx.xxx.xxx.xxx 6087 route-map rm-vpnNoNat-23 extendable
ip nat inside source static tcp 10.30.129.24 80 xxx.xxx.xxx.xxx 6088 route-map rm-vpnNoNat-24 extendable
ip nat inside source static tcp 10.30.129.25 80 xxx.xxx.xxx.xxx 6089 route-map rm-vpnNoNat-25 extendable
ip nat inside source static tcp 10.30.129.26 80 xxx.xxx.xxx.xxx 6090 route-map rm-vpnNoNat-26 extendable
ip nat inside source static tcp 10.30.129.28 80 xxx.xxx.xxx.xxx 6091 route-map rm-vpnNoNat-28 extendable
ip nat inside source static tcp 10.30.129.29 80 xxx.xxx.xxx.xxx 6092 route-map rm-vpnNoNat-29 extendable
!
!
ip access-list extended acl-in-outside
 remark This ACL filters traffic from the outside to the inside
 remark Deny fragments, which are sometimes abused
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments
 permit tcp xxx.xxx.xxx.xxx 0.0.0.15 any eq 22
 remark Deny packets with a TTL less than 2 (breaks traceroute)
 remark Deny IP Options:
 deny ip any any option any-options
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any general-parameter-problem
 permit icmp any any host-unreachable
 permit icmp any any net-unreachable
 permit icmp any any packet-too-big
 permit icmp any any parameter-problem
 permit icmp any any port-unreachable
 permit icmp any any time-exceeded
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit gre any any
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit tcp host 10.30.8.1 any eq 22
 permit tcp any any eq 1723
 permit tcp host xxx.xxx.xxx.xxx any eq 22
 permit tcp any host xxx.xxx.xxx.xxx eq 3454
 permit tcp any host xxx.xxx.xxx.xxx eq 554
 permit tcp any host xxx.xxx.xxx.xxx eq 6084
 permit tcp any host xxx.xxx.xxx.xxx eq 6085
 permit tcp any host xxx.xxx.xxx.xxx eq 6086
 permit tcp any host xxx.xxx.xxx.xxx eq 6087
 permit tcp any host xxx.xxx.xxx.xxx eq 6088
 permit tcp any host xxx.xxx.xxx.xxx eq 6089
 permit tcp any host xxx.xxx.xxx.xxx eq 6090
 permit tcp any host xxx.xxx.xxx.xxx eq 6091
 permit tcp any host xxx.xxx.xxx.xxx eq 6092
 permit tcp any host xxx.xxx.xxx.xxx eq 6081
 permit tcp any host xxx.xxx.xxx.xxx eq 6082
 permit tcp any host xxx.xxx.xxx.xxx eq 6083
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.16 eq 554
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.16 eq 3454
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.17 eq www
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.18 eq www
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.19 eq www
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.20 eq www
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.21 eq www
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.22 eq www
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.23 eq www
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.24 eq www
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.25 eq www
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.26 eq www
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.28 eq www
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.29 eq www
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.16.32 eq 1723
ip access-list extended acl-nat-outside
 deny ip 10.30.0.0 0.0.255.255 10.30.112.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 10.30.112.0 0.0.0.255
 permit ip 10.30.0.0 0.0.255.255 any
 permit ip 192.0.0.0 0.255.255.255 any
ip access-list extended acl-qos-Intranet
 permit ip 10.30.0.0 0.0.255.255 10.30.0.0 0.0.255.255
ip access-list extended no-nat-outside
 deny ip host 66.195.146.130 any
ip access-list extended no-nat-vpn-10.30.129.1-3454
 deny ip host 10.30.129.16 10.30.112.0 0.0.0.255
 permit tcp host 10.30.129.16 eq 3454 any
ip access-list extended rm-nat-16
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.16 eq 3454
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.16 eq 554
ip access-list extended rm-nat-17
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.17 eq 80
ip access-list extended rm-nat-18
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.18 eq 80
ip access-list extended rm-nat-19
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.19 eq 80
ip access-list extended rm-nat-20
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.20 eq 80
ip access-list extended rm-nat-21
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.21 eq 80
ip access-list extended rm-nat-22
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.22 eq 80
ip access-list extended rm-nat-23
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.23 eq 80
ip access-list extended rm-nat-24
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.24 eq 80
ip access-list extended rm-nat-25
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.25 eq 80
ip access-list extended rm-nat-26
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.26 eq 80
ip access-list extended rm-nat-28
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.28 eq 80
ip access-list extended rm-nat-29
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.29 eq 80
ip access-list extended rm-nat-32
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.16.32 eq 1723
ip access-list extended rm-noNat
 remark Traffic matching this ACL should be NAT exempt
 permit ip 10.30.0.0 0.0.255.255 10.30.112.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 10.30.112.0 0.0.0.112
ip access-list extended vpn-splitTunnel
 remark Allow access to these networks:
 permit ip 10.30.0.0 0.0.255.255 10.30.112.0 0.0.0.255
!
access-list 10 permit xxx.xxx.xxx.xxx
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 10.30.0.0 0.0.255.255
access-list 10 permit xxx.xxx.xxx.xxx 0.0.0.15
access-list 110 remark Used with Control Plane Policing, traffic permitted by this ACL will be DROPPED!
access-list 110 deny tcp xxx.xxx.xxx.xxx 0.0.0.15 any eq 22
access-list 110 deny tcp host 66.195.146.130 any eq 22
access-list 110 deny tcp 10.0.0.0 0.255.255.255 any eq 22
access-list 110 deny tcp 172.16.0.0 0.15.255.255 any eq 22
access-list 110 deny tcp 192.168.0.0 0.0.255.255 any eq 22
access-list 110 deny tcp 10.0.0.0 0.255.255.255 any eq telnet
access-list 110 deny tcp 172.16.0.0 0.15.255.255 any eq telnet
access-list 110 deny tcp 192.168.0.0 0.0.255.255 any eq telnet
route-map rm-vpnNoNat-18 deny 10
 match ip address rm-noNat-18
!
route-map rm-vpnNoNat-18 permit 20
 match ip address rm-nat-18
!
route-map rm-vpnNoNat-19 deny 10
 match ip address rm-noNat-19
!
route-map rm-vpnNoNat-19 permit 20
 match ip address rm-nat-19
!
route-map rm-vpnNoNat-29 deny 10
 match ip address rm-noNat-29
!
route-map rm-vpnNoNat-29 permit 20
 match ip address rm-nat-29
!
route-map rm-vpnNoNat-28 deny 10
 match ip address rm-noNat-28
!
route-map rm-vpnNoNat-28 permit 20
 match ip address rm-nat-28
!
route-map rm-vpnNoNat-26 deny 10
 match ip address rm-noNat-26
!
route-map rm-vpnNoNat-26 permit 20
 match ip address rm-nat-26
!
route-map rm-vpnNoNat-16 deny 10
 match ip address rm-noNat-16
!
route-map rm-vpnNoNat-16 permit 20
 match ip address rm-nat-16
!
route-map rm-vpnNoNat-25 deny 10
 match ip address rm-noNat-25
!
route-map rm-vpnNoNat-25 permit 20
 match ip address rm-nat-25
!
route-map rm-vpnNoNat-17 deny 10
 match ip address rm-noNat-17
!
route-map rm-vpnNoNat-17 permit 20
 match ip address rm-nat-17
!
route-map rm-vpnNoNat-24 deny 10
 match ip address rm-noNat-24
!
route-map rm-vpnNoNat-24 permit 20
 match ip address rm-nat-24
!
route-map rm-vpnNoNat-23 deny 10
 match ip address rm-noNat-23
!
route-map rm-vpnNoNat-23 permit 20
 match ip address rm-nat-23
!
route-map rm-vpnNoNat-32 deny 10
 match ip address rm-noNat-32
!
route-map rm-vpnNoNat-32 permit 20
 match ip address rm-nat-32
!
route-map rm-vpnNoNat-22 deny 10
 match ip address rm-noNat-22
!
route-map rm-vpnNoNat-22 permit 20
 match ip address rm-nat-22
!
route-map rm-vpnNoNat-21 deny 10
 match ip address rm-noNat-21
!
route-map rm-vpnNoNat-21 permit 20
 match ip address rm-nat-21
!
route-map rm-vpnNoNat-20 deny 10
 match ip address rm-noNat-20
!
route-map rm-vpnNoNat-20 permit 20
 match ip address rm-nat-20
!
route-map servertest permit 10
 match ip address acl-in-outside
!
route-map RM-natPolicy permit 10
 match ip address acl-nat-outside
!
route-map RM-natPolicy deny 20
Remote Router:
interface FastEthernet0/0
 description Data
 ip address 10.30.128.1 255.255.255.0
 ip helper-address 10.30.16.32
 duplex auto
 speed auto
 service-policy output QOS-CLASS
!
interface Serial0/0
 bandwidth 1500000
 ip address 10.30.0.2 255.255.255.252
 encapsulation ppp
 ip summary-address eigrp 1 10.30.128.0 255.255.252.0 5
 clock rate 2000000
!
interface FastEthernet0/1
 ip address 10.30.129.1 255.255.255.0
 ip helper-address 10.30.16.32
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
router eigrp 1
 passive-interface default
 no passive-interface Serial0/0
 network 10.0.0.0
 auto-summary
If anyone has any ideas, thanks in advance. Or if you need any other information, I'll give it.
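An added check, not part of the original post and not a Cisco tool: a short Python script that reads an IOS running-config paste and reports every route-map named by an `ip nat` statement that is never defined, and every ACL named in a `match ip address` line that is never defined. The sample config inside it is a constructed excerpt in the shape of the main-site config above (the public address is left as `xxx.xxx.xxx.xxx`, as in the post). On that excerpt it flags `vpnNoNat-16` and `vpnNoNat-17`, which two of the static NAT lines reference while the route-maps in the paste are named `rm-vpnNoNat-16` and `rm-vpnNoNat-17`, and the per-host `rm-noNat-NN` ACLs, which do not appear in the paste at all. Because the poster trimmed the config to "the relevant stuff", an ACL reported as missing may simply have been left out of the post, so treat the output as a list of things to verify with `show route-map` and `show access-lists` on the router, not as a diagnosis.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the pasted main-site config; only the lines
# the checker looks at are reproduced. Not the poster's full configuration.
SAMPLE_CONFIG = """\
ip nat inside source route-map RM-natPolicy interface FastEthernet0/0 overload
ip nat inside source static tcp 10.30.129.16 554 xxx.xxx.xxx.xxx 554 route-map rm-vpnNoNat-16 extendable
ip nat inside source static tcp 10.30.129.16 3454 xxx.xxx.xxx.xxx 3454 route-map vpnNoNat-16 extendable
ip nat inside source static tcp 10.30.129.17 80 xxx.xxx.xxx.xxx 6081 route-map vpnNoNat-17 extendable
ip nat inside source static tcp 10.30.129.18 80 xxx.xxx.xxx.xxx 6082 route-map rm-vpnNoNat-18 extendable
!
ip access-list extended acl-nat-outside
 deny ip 10.30.0.0 0.0.255.255 10.30.112.0 0.0.0.255
 permit ip 10.30.0.0 0.0.255.255 any
ip access-list extended rm-nat-16
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.16 eq 3454
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.16 eq 554
ip access-list extended rm-nat-18
 permit tcp 10.30.112.0 0.0.0.255 host 10.30.129.18 eq 80
ip access-list extended rm-noNat
 permit ip 10.30.0.0 0.0.255.255 10.30.112.0 0.0.0.255
!
route-map rm-vpnNoNat-16 deny 10
 match ip address rm-noNat-16
!
route-map rm-vpnNoNat-16 permit 20
 match ip address rm-nat-16
!
route-map rm-vpnNoNat-18 deny 10
 match ip address rm-noNat-18
!
route-map rm-vpnNoNat-18 permit 20
 match ip address rm-nat-18
!
route-map RM-natPolicy permit 10
 match ip address acl-nat-outside
!
route-map RM-natPolicy deny 20
"""

NAT_RM_RE = re.compile(r"^ip nat \S.*\broute-map (\S+)")
NAMED_ACL_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
NUMBERED_ACL_RE = re.compile(r"^access-list (\d+) ")
ROUTE_MAP_RE = re.compile(r"^route-map (\S+) (?:permit|deny)")
MATCH_RE = re.compile(r"^match ip address (.+)")


def parse_ios(config):
    """Collect NAT->route-map references, route-map->ACL references and ACL names.

    Indentation is ignored on purpose: configs pasted into a forum usually
    arrive flattened, so a 'match' line is attached to the most recent
    'route-map' header rather than to an indented block.
    """
    nat_refs = defaultdict(list)  # route-map name -> NAT lines that reference it
    rm_defs = {}                  # route-map name -> ACL names it matches on
    acl_defs = set()              # named and numbered ACLs that exist
    current_rm = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := NAT_RM_RE.match(line):
            nat_refs[m.group(1)].append(line)
        elif m := NAMED_ACL_RE.match(line):
            acl_defs.add(m.group(1))
        elif m := NUMBERED_ACL_RE.match(line):
            acl_defs.add(m.group(1))
        elif m := ROUTE_MAP_RE.match(line):
            current_rm = m.group(1)
            rm_defs.setdefault(current_rm, [])
        elif (m := MATCH_RE.match(line)) and current_rm is not None:
            # 'match ip address A B' may list several ACLs on one line
            rm_defs[current_rm].extend(m.group(1).split())
    return nat_refs, rm_defs, acl_defs


def find_dangling_references(config):
    """Return (kind, missing_name, referenced_from) tuples for names that do
    not resolve anywhere in the given config text."""
    nat_refs, rm_defs, acl_defs = parse_ios(config)
    problems = []
    for rm, lines in nat_refs.items():
        if rm not in rm_defs:
            problems.append(("undefined-route-map", rm, lines[0]))
    for rm, acls in rm_defs.items():
        for acl in acls:
            if acl not in acl_defs:
                problems.append(("undefined-acl", acl, "route-map " + rm))
    return problems


def report(config):
    """Human-readable summary for running the checker from a shell."""
    problems = find_dangling_references(config)
    if not problems:
        return "no dangling references found"
    return "\n".join(f"{kind}: {name} (referenced by: {where})"
                     for kind, name, where in problems)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

To run it against a real router, paste the output of `show running-config` into a file and call `report(open("running-config.txt").read())`; anything it lists should then be confirmed on the box, since a name that is missing from a paste is not necessarily missing from the router.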