12-15-2010 05:13 AM - edited 03-06-2019 02:32 PM
Hi!
I have a VPN problem with NAT.
Some servers in our network have an external IP address, and they are NAT'd like:
"ip nat inside source static 172.17.0.66 outside_address_A"
The VPN tunnel is working OK for the stations that don't have an external address,
but from the servers that have an external IP, I can't ping the other side.
From the other side, I can ping our router GW, but there is no reply if I try to ping one of the servers.
I created an access list as follows (which should exempt VPN traffic from being NAT'd):
ip access-list extended NO-NAT
 deny ip 172.17.0.0 0.0.127.255 172.19.237.0 0.0.0.15 log
 permit ip 172.17.0.0 0.0.127.255 any
And still, there is no ping reply.
What's wrong?
Please help....
Here is the router config...
crypto isakmp policy 2
 encr aes
 hash md5
 authentication pre-share
 group 2
 lifetime 8000
crypto isakmp key 6 KEY address PARTNER_GW no-xauth
!
!
crypto ipsec transform-set myset esp-aes esp-md5-hmac
!
crypto ipsec profile vpn
 description vpn
 set security-association lifetime seconds 2000
 set security-association idle-time 2000
 set transform-set myset
 set pfs group2
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to PARTNER_GW
 set peer PARTNER_GW
 set security-association lifetime seconds 2000
 set transform-set myset
 set pfs group2
 match address 104
!
interface FastEthernet0
 ip address OUR_GW 255.255.255.240
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 ip address 172.17.0.1 255.255.128.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip nat inside source route-map NO-NAT interface FastEthernet 0 overload
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0 overload
ip nat inside source static 172.17.0.66 address_A
ip nat inside source static 172.17.0.55 address_B
ip nat inside source static 172.17.0.65 address_C
ip nat inside source static 172.17.0.67 address_D
ip nat inside source static 172.17.0.69 address_E
ip nat inside source static 172.17.0.60 address_F
ip nat inside source static 172.17.0.10 address_G
ip nat inside source static 172.17.0.56 address_H
!
ip access-list extended NO-NAT
 deny ip 172.17.0.0 0.0.127.255 172.19.237.0 0.0.0.15 log
 permit ip 172.17.0.0 0.0.127.255 any
access-list 104 remark vpn
access-list 104 remark SDM_ACL Category=4
access-list 104 remark vpn
access-list 104 permit ip 172.17.0.0 0.0.127.255 172.19.237.0 0.0.0.15 log
access-list 104 remark vpn
access-list 104 permit ip 172.19.237.0 0.0.0.15 172.17.0.0 0.0.127.255 log
access-list 105 remark SDM_ACL Category=2
access-list 105 deny ip host 172.17.0.10 any
access-list 105 remark vpn
access-list 105 deny ip 172.19.237.0 0.0.0.15 172.17.0.0 0.0.127.255 log
access-list 105 remark vpn
access-list 105 deny ip 172.17.0.0 0.0.127.255 172.19.237.0 0.0.0.15 log
access-list 105 permit ip 172.17.0.0 0.0.127.255 any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 105
!
route-map NO-NAT permit 10
 match ip address NO-NAT
Thanks for the help!
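To see why only the statically NAT'd hosts lose the tunnel, here is an added Python model of the inside-to-outside processing of the config above (example code, not from the post or from Cisco). It assumes that static NAT entries take precedence over the route-map overload rule, that NAT runs before the crypto-map check on inside-to-outside traffic, and it uses constructed TEST-NET-3 addresses in place of address_A ... address_H and OUR_GW.

```python
import ipaddress

# Networks from the post: LAN 172.17.0.0 0.0.127.255, VPN peer LAN 172.19.237.0 0.0.0.15.
LAN = ipaddress.ip_network("172.17.0.0/17")
VPN_REMOTE = ipaddress.ip_network("172.19.237.0/28")

# The eight static one-to-one entries from the post. Global addresses are constructed
# TEST-NET-3 placeholders; the post only shows them as address_A ... address_H.
STATIC_NAT = {f"172.17.0.{h}": f"203.0.113.{h}" for h in (66, 55, 65, 67, 69, 60, 10, 56)}
FA0_ADDRESS = "203.0.113.1"  # constructed stand-in for OUR_GW on FastEthernet0

def no_nat_permits_translation(src, dst):
    """route-map NO-NAT: 'deny' LAN->VPN peer means exempt from NAT; 'permit' LAN->any."""
    return src in LAN and dst not in VPN_REMOTE

def inside_to_outside_nat(src, dst):
    """Source address (string) after NAT. Static entries take precedence over the
    route-map overload rule (assumed here as IOS documents it), so NO-NAT never sees them."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in STATIC_NAT:
        return STATIC_NAT[src]
    if no_nat_permits_translation(src_ip, dst_ip):
        return FA0_ADDRESS
    return src  # exempted by NO-NAT: leaves with its private address

def crypto_acl_104_matches(src, dst):
    """access-list 104 permit ip 172.17.0.0 0.0.127.255 172.19.237.0 0.0.0.15"""
    return ipaddress.ip_address(src) in LAN and ipaddress.ip_address(dst) in VPN_REMOTE

def goes_through_tunnel(src, dst):
    """True if a packet from a LAN host (including the ping reply the partner never
    receives) is encrypted by crypto map SDM_CMAP_1. On inside->outside traffic IOS
    translates before the crypto check, so ACL 104 sees the post-NAT source."""
    return crypto_acl_104_matches(inside_to_outside_nat(src, dst), dst)

if __name__ == "__main__":
    for host in ("172.17.0.100", "172.17.0.66"):
        print(host, "-> 172.19.237.5 encrypted:", goes_through_tunnel(host, "172.19.237.5"))
```

A host covered only by the route-map keeps its 172.17.x.x source and matches ACL 104; a host with a static entry leaves as 203.0.113.x, misses ACL 104, and its reply is sent in the clear instead of into the tunnel.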
12-15-2010 05:41 AM
Hi,
ip nat inside source route-map NO-NAT interface FastEthernet 0 overload
It is for hosts in your LAN initiating a connection, not for outside hosts trying to connect to your servers.
ip nat inside source static 172.17.0.66 address_A
You should change these to static PAT, e.g. ip nat inside source static tcp 172.17.0.66 80 address_A 80 if you want to port forward HTTP.
Tell us if it works.
Regards.
Alain.
12-16-2010 12:51 AM
Hello!
If I apply the changes as you said:
"ip nat inside source static 172.17.0.66 address_A"
to
"ip nat inside source static tcp 172.17.0.66 80 address_A 80"
that would be OK if that computer is only a web server... what if it is a web server, a mail server, and a PC (all in one)?
From that computer I need to be able to surf the internet, to connect remotely to it from home, and also to connect to other computers...
I need full functionality on that station...
Is there a way to include all ports in one step?
Something like "ip nat inside source static tcp 172.17.0.66 21,23,80,22,1053 address_A 21,23,80,22,1053"
or
"ip nat inside source static tcp 172.17.0.66 all address_A all" ?
172.17.0.66 is a development PC, while the other addresses are routed to IBM AS/400 machines (on them I need only a few protocols).
Thanks for the help!
12-16-2010 01:16 AM
Hi,
is there a way to include all ports in one step?
No, you have to do multiple statements, one for each service.
Regards.
Alain.