01-30-2007 06:47 PM - edited 03-05-2019 02:04 PM
A couple questions.
If I go to mail.domain.com.au externally, I reach the required page.
If I go to mail.domain.com.au internally, I get a DNS error.
I could just add a new DNS Zone, however I want to add it in the router so if I type the external domain locally I can reach the required page.
Another question ...
I have a port forward set up on the router:
ip nat inside source static tcp 10.0.2.61 3389 150.101.xxx.xx 3389 extendable
Now when I connect via VPN and try to remote desktop to 10.0.2.61 ... it doesn't work.
However, if I disconnect from the VPN and connect via RDP remotely (150.101.xxx.xx), it connects.
When connected via VPN, I can connect to everything via RDP except the IP address which is in the port forward rule.
My VPN IP address is 10.0.4.x
How can I get by this?
Help Appreciated
Here is some of the config ...
!
ip local pool ippool 10.0.4.1 10.0.4.50
ip classless
ip route 0.0.0.0 0.0.0.0 150.101.xxx.xx
no ip http server
ip http access-class 90
no ip http secure-server
ip nat inside source list nat-allowed interface Vlan13 overload
ip nat inside source static tcp 10.0.2.61 25 150.101.xxx.xx 25 extendable
ip nat inside source static tcp 10.0.2.61 80 150.101.xxx.xx 80 extendable
ip nat inside source static tcp 10.0.2.82 443 150.101.xxx.xx 443 extendable
ip nat inside source static tcp 10.0.2.61 3389 150.101.xxx.xx 3389 extendable
!
!
!
ip access-list standard snmp-allow
 permit 10.0.2.0 0.0.0.255
 permit 10.0.3.0 0.0.0.255
 permit 10.0.4.0 0.0.0.255
!
ip access-list extended allowed-from-internet
 permit tcp any host 150.101.xxx.xx eq smtp
 permit tcp any host 150.101.xxx.xx eq www
 permit tcp any host 150.101.xxx.xx eq 22
 permit udp any host 150.101.xxx.xx eq non500-isakmp
 permit udp any host 150.101.xxx.xx eq isakmp
 deny ip any any
ip access-list extended bogons-and-netbios
 remark allow VPN clients full access
 permit ip 10.0.2.0 0.0.0.255 10.0.4.0 0.0.0.255
 permit ip 10.0.3.0 0.0.0.255 10.0.4.0 0.0.0.255
 remark deny all NetBIOS leaving the network
 deny tcp 10.0.2.0 0.0.0.255 range 135 139 any
 deny udp 10.0.2.0 0.0.0.255 range 135 netbios-ss any
 deny tcp 10.0.2.0 0.0.0.255 any range 135 139
 deny udp 10.0.2.0 0.0.0.255 any range 135 netbios-ss
 permit ip any any
ip access-list extended nat-allowed
 deny ip 10.0.2.0 0.0.0.255 10.0.4.0 0.0.0.255
 deny ip 10.0.3.0 0.0.0.255 10.0.4.0 0.0.0.255
 deny tcp 10.0.2.0 0.0.0.255 range 135 139 any
 deny udp 10.0.2.0 0.0.0.255 range 135 netbios-ss any
 deny tcp 10.0.2.0 0.0.0.255 any range 135 139
 deny udp 10.0.2.0 0.0.0.255 any range 135 netbios-ss
 permit ip 10.0.2.0 0.0.0.255 any
 permit ip 10.0.3.0 0.0.0.255 any
ip access-list extended vpn-split-tunnel
 permit ip 10.0.2.0 0.0.0.255 10.0.4.0 0.0.0.255
 permit ip 10.0.3.0 0.0.0.255 10.0.4.0 0.0.0.255
logging trap debugging
access-list 90 permit 10.0.2.0 0.0.0.255
access-list 90 permit 10.0.3.0 0.0.0.255
access-list 90 permit 10.0.4.0 0.0.0.255
access-list 90 deny any
access-list 142 permit icmp any any
dialer-list 1 protocol ip permit
snmp-server community thinkSNMP RO snmp-allow
snmp-server location xxxxx
snmp-server enable traps tty
snmp-server host 10.0.2.62 version 2c thinkSNMP aaa_server ipsec
no cdp run
!
02-01-2007 02:26 PM
bump
02-02-2007 08:24 AM
Hi
It's highly possible that reverse traffic from the server 10.0.2.61 is being NATed back to the VPN client, hence failing the session.
Please rate if this helps.
Thanks
HH
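The diagnosis in the reply above, as an added example that is not part of the original thread: a simplified Python model of the posted NAT rules, showing that the `nat-allowed` ACL exempts VPN-bound traffic only from the dynamic overload rule, while the static port forwards still rewrite the server's replies. The public address 203.0.113.10 is a constructed stand-in for the redacted 150.101.xxx.xx, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-in for the redacted public address on the page.
PUBLIC_IP = "203.0.113.10"

# Static port forwards from the posted config: (inside local IP, TCP port).
STATIC_NAT = {("10.0.2.61", 25), ("10.0.2.61", 80),
              ("10.0.2.82", 443), ("10.0.2.61", 3389)}

# IP-level entries of the posted "nat-allowed" ACL (NetBIOS port denies omitted).
NAT_ALLOWED = [
    ("deny", "10.0.2.0/24", "10.0.4.0/24"),
    ("deny", "10.0.3.0/24", "10.0.4.0/24"),
    ("permit", "10.0.2.0/24", "0.0.0.0/0"),
    ("permit", "10.0.3.0/24", "0.0.0.0/0"),
]

def acl_permits(src, dst):
    """First-match ACL evaluation, with the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in NAT_ALLOWED:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False

def translate(src, sport, dst):
    """Source IP after NAT, and the rule that applied, for an inside-to-outside TCP packet."""
    if (src, sport) in STATIC_NAT:
        # Static entries match on inside address and port only; no ACL is consulted.
        return PUBLIC_IP, "static"
    if acl_permits(src, dst):
        return PUBLIC_IP, "overload"
    return src, "none"

def session_ok(client, server, port):
    """The VPN client dialled `server`, so the reply must still arrive from `server`."""
    reply_src, _ = translate(server, port, client)
    return reply_src == server

if __name__ == "__main__":
    vpn_client = "10.0.4.5"  # constructed address from the posted VPN pool
    for server in ("10.0.2.61", "10.0.2.62"):
        print(server, translate(server, 3389, vpn_client),
              "works" if session_ok(vpn_client, server, 3389) else "breaks")
```

In this model, RDP replies from 10.0.2.61 leave with the public source address and no longer match the VPN client's session, while replies from a host without a port forward pass untranslated.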
02-04-2007 01:08 AM
How can I go about fixing this?
Help Appreciated!!
02-04-2007 07:12 PM
Hi
You could give the server a secondary IP, then when your VPN is established ... connect to the new IP instead.
You can assign the secondary IP under the Advanced TCP/IP settings.
Please rate if this helps.
Thanks
HH
02-06-2007 01:52 PM
Is there anything I could do on the router itself?
If so, how would I go about that?
Or would it not be recommended?
Thanks for your help!
02-07-2007 04:56 AM
Hi
You could configure your VPN server using an IPsec virtual tunnel interface. Only traffic traversing the inside and outside interfaces would be NATed, hence traffic destined for the VPN client won't be prone to these NAT rules. Follow the link below to a config example; the section title is "Easy VPN with an IPsec Virtual Tunnel Interface: Example".
Hope this helps.
Thanks
HH