VPN - Internal Server responses with External IP on ping

Hi everyone,

I have the following scenario:

A Cisco router from ISP and an internal network. The ISP configured VPN on the router.

VPN works fine, except when I want to ping a certain server in the internal network (it is a Lotus Domino mail server).

When I ping the mail server (192.168.100.1) over VPN I get a response from the router's external IP.

But when i ping another server (192.168.100.2 - DC) the response is correct!

How strange is this?

Can there be a DNS cache on the router?

There is a static NAT for mail to 192.168.100.1. Can this be a problem? (Would be very strange)

Does anybody have an idea?

Many thanks

Jennifer Halim
Cisco Employee

Yes, static NAT is the issue. You are spot on!!

On the static NAT, you would need to include route-map to deny traffic between the 2 LANs, and it will reply with the correct IP Address. Otherwise, it will reply with the NATed IP.

OK, that helped quite a lot!

But how can this happen? The static NAT is only for mail traffic (port 25). Why then is all traffic NATed (from this single host)?

What would such a route-map look like? I have to provide access to the mail server from the VPN, but also keep the NAT for outgoing/incoming mail traffic.

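! Placeholder: replace <remote-VPN-subnet> <wildcard-mask> with the LAN on the far side of the VPN
access-list 123 deny ip host 192.168.100.1 <remote-VPN-subnet> <wildcard-mask>
access-list 123 permit ip host 192.168.100.1 any
!
route-map nonat-mail permit 10
 match ip address 123

Then add the above route-map at the end of your static NAT statement.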
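As an added illustration (not part of the replies in this thread and not Cisco code), this small Python model shows how ACL 123 behind the route-map decides which flows the static NAT applies to. The remote VPN subnet 10.10.10.0/24 and the destination hosts are assumed values; the thread does not state them.

```python
import ipaddress

# ACL 123 from the reply above. The deny line's destination is an ASSUMED
# remote VPN subnet (10.10.10.0 0.0.0.255); the thread does not give the real one.
ACL_123 = """\
access-list 123 deny ip host 192.168.100.1 10.10.10.0 0.0.0.255
access-list 123 permit ip host 192.168.100.1 any
"""

def _spec(tokens):
    """Consume one address spec from tokens; return (base, wildcard) as ints."""
    kind = tokens.pop(0)
    if kind == "any":
        return 0, 0xFFFFFFFF
    if kind == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(kind)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered rules."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        action, rest = tokens[2], tokens[4:]
        rules.append((action, _spec(rest), _spec(rest)))  # source first, then destination
    return rules

def _hit(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def is_translated(rules, src, dst):
    """First match wins; a route-map 'permit' clause matches only ACL permits.
    No match falls through to the implicit deny, so the static NAT is skipped."""
    for action, s, d in rules:
        if _hit(src, s) and _hit(dst, d):
            return action == "permit"
    return False

if __name__ == "__main__":
    flows = [("192.168.100.1", "10.10.10.25"),   # mail server -> VPN client (constructed)
             ("192.168.100.1", "203.0.113.7")]   # mail server -> Internet host (constructed)
    for src, dst in flows:
        nat = is_translated(parse_acl(ACL_123), src, dst)
        print(src, "->", dst, "static NAT applied" if nat else "not translated")
```

Because evaluation stops at the first matching line, the deny entry for the VPN subnet has to come before the `permit ... any` entry; with the order reversed, replies to VPN clients would still be translated.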

rizwanr74
Level 7

Hi Christoph,

I believe this is to do with your internal DNS server. Please do an nslookup (i.e. for the MX record) on your PC for your Domino mail server and see what IP your internal DNS server resolves for the MX record.

thanks

Rizwan Rafeek.