1750+IPSEC+FW+noxauth IPSEC pre shared+VPN Client 3.6+NAT static no access

Robert_Berger
Level 1

Hello,

1750 IOS 3DES 12.2.11T,

VPN Client 3.6 Windows,

Fix tunnels with no-xauth,

NAT with route-map pool ...

and two STATIC NAT for Servers.

I can access the whole net via the VPN client, but not the servers with static NAT.

Some statements of the config:

....

ip access-list extended NAT-LIST
 deny ip 192.168.101.0 0.0.0.255 x.x.x.44 0.0.0.15
 deny ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 any
!
route-map NAT-RMAP permit 10
 match ip address NAT-LIST
!
ip local pool vpn-dial-pool 192.168.103.1 192.168.103.254
!
ip nat pool NAT-POOL x.x.x.47 x.x.x.47 netmask 255.255.255.240
ip nat inside source route-map NAT-RMAP pool NAT-POOL overload
!
ip nat inside source static 192.168.101.1 x.x.x.45
ip nat inside source static 192.168.101.11 x.x.x.46
!

Connect OK. Access works, except to 192.168.101.1 and .11.

What do I have to do so that the static NAT is not used when 192.168.103.x (VPN Client) is accessing?

I tried the following:

> ip nat inside source static 192.168.1.1 212.27.98.145 route-map NAT-RMAP

but then the no-xauth tunnel with the pre-shared key does not work anymore....

Why? What do I have wrong? What should I do?

Thanks

2 Replies

ssoberlik
Level 4

I think the problem is your access-list. You need to deny the servers that you have static NAT on from using the NAT pool. Try the following ACL.

ip access-list extended NAT-LIST
 deny ip 192.168.101.1 255.255.255.255 any
 deny ip 192.168.101.11 255.255.255.255 any
 deny ip 192.168.101.0 0.0.0.255 x.x.x.44 0.0.0.15
 deny ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 any

Thanks,

but when I configure this list:

ip access-list extended NAT-LIST
 deny ip 192.168.101.1 255.255.255.255 any
 deny ip 192.168.101.11 255.255.255.255 any
 deny ip 192.168.101.0 0.0.0.255 x.x.x.44 0.0.0.15
 deny ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 any

I receive from IOS with sh access-list NAT-LIST:

ip access-list extended NAT-LIST
 deny ip any any (15 matches)
 deny ip 192.168.101.0 0.0.0.255 x.x.x.44 0.0.0.15
 deny ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 any

Why IOS makes it deny ip any any, I don't know. And the router is reloading automatically with the following errors:

Unexpected exception to CPU vector 1200, PC = 80C32A2C
-Traceback= 80C32A2C 80C13340 80C0C3B8 80C0C834 80C0EA80 801CEF34
=== Flushing messages (01:45:07 UTC Thu Mar 4 1993) ===
Queued messages:
Writing crashinfo to flash:crashinfo_19930304-014507
*** Unexpected Console FIFO timeout interrupt ***
PC = 0xfff03e64, Vector = 0x500, SP = 0x8143290c
*** System received a SegV exception ***
signal= 0xb, code= 0x1200, context= 0x81431728
PC = 0x80c32a2c, Vector = 0x1200, SP = 0x8183fbd0

Robert
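The "deny ip any any" that IOS shows for the proposed ACL comes from the mask field: in an extended access-list entry the second field is a wildcard mask, not a subnet mask, so 255.255.255.255 means "compare no bits" and the entry matches every packet (which is why it collects all the matches and nothing reaches the permit line for the NAT pool). The following Python is an added example, not code from the thread: it parses such entries with IOS wildcard semantics, renders them the way show access-list would, and contrasts the posted list with the same list using host (wildcard 0.0.0.0) for the two servers; the redacted x.x.x.44 entry is left out and the test addresses are constructed.

```python
import ipaddress
ANY = 0xFFFFFFFF  # wildcard with every bit set: no address bit is compared at all

def _u32(s):
    return int(ipaddress.IPv4Address(s))

def parse_spec(tok):
    """Consume one src/dst spec (any | host A | A WILDCARD) -> (addr, wildcard, rest)."""
    if tok[0] == "any":
        return 0, ANY, tok[1:]
    if tok[0] == "host":
        return _u32(tok[1]), 0, tok[2:]
    return _u32(tok[0]), _u32(tok[1]), tok[2:]

def parse_ace(line):
    """'permit|deny ip SRC DST' -> (action, (src, swc), (dst, dwc))."""
    action, _proto, *rest = line.split()
    src, swc, rest = parse_spec(rest)
    dst, dwc, _ = parse_spec(rest)
    return action, (src, swc), (dst, dwc)

def matches(addr, wildcard, ip):
    """IOS wildcard semantics: a 1 bit means 'don't care'; only the 0 bits are compared."""
    return ((addr ^ _u32(ip)) & ~wildcard & ANY) == 0

def render_spec(addr, wildcard):
    """Render a spec the way 'show access-list' does: any / host A / A WILDCARD."""
    a, w = ipaddress.IPv4Address(addr), ipaddress.IPv4Address(wildcard)
    return "any" if wildcard == ANY else f"host {a}" if wildcard == 0 else f"{a} {w}"

def normalize(line):
    action, (s, sw), (d, dw) = parse_ace(line)
    return f"{action} ip {render_spec(s, sw)} {render_spec(d, dw)}"

def first_match(acl, src, dst):
    """Action and normalized entry that decides src->dst (implicit deny at the end)."""
    for line in acl:
        action, (s, sw), (d, dw) = parse_ace(line)
        if matches(s, sw, src) and matches(d, dw, dst):
            return action, normalize(line)
    return "deny", "implicit deny"

# NAT-LIST as proposed in the reply, minus the redacted x.x.x.44 entry (constructed from
# the thread), and the same list with 'host' (wildcard 0.0.0.0) for the two servers.
AS_POSTED = ["deny ip 192.168.101.1 255.255.255.255 any",
             "deny ip 192.168.101.11 255.255.255.255 any",
             "deny ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255",
             "permit ip 192.168.101.0 0.0.0.255 any"]
CORRECTED = ["deny ip host 192.168.101.1 any", "deny ip host 192.168.101.11 any"] + AS_POSTED[2:]
```

With AS_POSTED every inside host, not just the two servers, hits the first entry and is kept out of the NAT pool; with CORRECTED only 192.168.101.1 and .11 are excluded.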