09-05-2002 05:10 AM - edited 02-21-2020 12:02 PM
Hello,
1750 IOS 3DES 12.2.11T,
VPN Client 3.6 Windows,
Fix tunnels with no-xauth,
NAT with route-map pool ...
and two STATIC NAT for Servers.
I can access the whole net via the VPN client, but not the servers with static NAT.
Some statements of the config:
....
ip access-list extended NAT-LIST
deny ip 192.168.101.0 0.0.0.255 x.x.x.x.44 0.0.0.15
deny ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255
permit ip 192.168.101.0 0.0.0.255 any
!
route-map NAT-RMAP permit 10
match ip address NAT-LIST
!
ip local pool vpn-dial-pool 192.168.103.1 192.168.103.254
!
ip nat pool NAT-POOL x.x.x.47 x.x.x.47 netmask 255.255.255.240
ip nat inside source route-map NAT-RMAP pool NAT-POOL overload
!
ip nat inside source static 192.168.101.1 x.x.x.45
ip nat inside source static 192.168.101.11 x.x.x.46
!
Connect OK. Access works, except 192.168.101.1 and .11
What do I have to do so that the static NAT is not used when 192.168.103.x (VPN client) is accessing?
I tried the following:
> ip nat inside source static 192.168.1.1 212.27.98.145 route-map NAT-RMAP
but then the no-xauth with the preshared key tunnel does not work anymore....
Why? What do I have wrong? What should I do?
Thanks
09-13-2002 09:06 AM
I think the problem is your access-list. You need to deny your servers that you have static NAT on from using the NAT Pool. Try the following ACL.
ip access-list extended NAT-LIST
deny ip 192.168.101.1 255.255.255.255 any
deny ip 192.168.101.11 255.255.255.255 any
deny ip 192.168.101.0 0.0.0.255 x.x.x.x.44 0.0.0.15
deny ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255
permit ip 192.168.101.0 0.0.0.255 any
09-14-2002 09:52 AM
Thanks,
but when I configure this list:
ip access-list extended NAT-LIST
deny ip 192.168.101.1 255.255.255.255 any
deny ip 192.168.101.11 255.255.255.255 any
deny ip 192.168.101.0 0.0.0.255 x.x.x.x.44 0.0.0.15
deny ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255
permit ip 192.168.101.0 0.0.0.255 any
I receive this from IOS with sh access-list NAT-LIST:
ip access-list extended NAT-LIST
deny ip any any (15 matches)
deny ip 192.168.101.0 0.0.0.255 x.x.x.x.44 0.0.0.15
deny ip 192.168.101.0 0.0.0.255 192.168.103.0 0.0.0.255
permit ip 192.168.101.0 0.0.0.255 any
Why IOS makes deny ip any any, I don't know. And the router is reloading automatically with the following errors:
Unexpected exception to CPU vector 1200, PC = 80C32A2C
-Traceback= 80C32A2C 80C13340 80C0C3B8 80C0C834 80C0EA80 801CEF34
=== Flushing messages (01:45:07 UTC Thu Mar 4 1993) ===
Queued messages:
Writing crashinfo to flash:crashinfo_19930304-014507
*** Unexpected Console FIFO timeout interrupt ***
PC = 0xfff03e64, Vector = 0x500, SP = 0x8143290c
*** System received a SegV exception ***
signal= 0xb, code= 0x1200, context= 0x81431728
PC = 0x80c32a2c, Vector = 0x1200, SP = 0x8183fbd0
Robert
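Added example, not part of the original thread: a small Python model of how IOS wildcard masks are evaluated, showing why an entry written with 255.255.255.255 is listed as "any" while 0.0.0.0 gives a host match. The redacted public-range entry is left out, 198.51.100.7 is a constructed destination, and the function names are hypothetical.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

def u32(dotted):
    return int(ipaddress.IPv4Address(dotted))

def render(addr, wildcard):
    """Show an address/wildcard pair the way IOS lists it (don't-care bits zeroed)."""
    care = ~u32(wildcard) & 0xFFFFFFFF   # wildcard bit 1 = ignore, 0 = must match
    base = ipaddress.IPv4Address(u32(addr) & care)
    if care == 0:
        return "any"
    if care == 0xFFFFFFFF:
        return f"host {base}"
    return f"{base} {wildcard}"

def matches(ip, addr, wildcard):
    care = ~u32(wildcard) & 0xFFFFFFFF
    return (u32(ip) & care) == (u32(addr) & care)

def first_match(acl, src, dst):
    """Return the action of the first matching entry; in a NAT ACL, deny = not translated."""
    for action, (sa, sw), (da, dw) in acl:
        if matches(src, sa, sw) and matches(dst, da, dw):
            return action
    return "deny"  # implicit deny at the end of every ACL

NET = ("192.168.101.0", "0.0.0.255")
VPN = ("192.168.103.0", "0.0.0.255")
TAIL = [("deny", NET, VPN), ("permit", NET, ANY)]

# Server entries with the mask as typed in the thread (255.255.255.255 as wildcard)
AS_POSTED = [("deny", ("192.168.101.1", "255.255.255.255"), ANY),
             ("deny", ("192.168.101.11", "255.255.255.255"), ANY)] + TAIL
# Same entries with wildcard 0.0.0.0, i.e. "host 192.168.101.1"
HOST_FORM = [("deny", ("192.168.101.1", "0.0.0.0"), ANY),
             ("deny", ("192.168.101.11", "0.0.0.0"), ANY)] + TAIL

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("host form", HOST_FORM)):
        print(name)
        for action, s, d in acl:
            print(" ", action, "ip", render(*s), render(*d))
        # constructed test flow: ordinary inside host to an Internet address
        print("  192.168.101.50 -> 198.51.100.7:",
              first_match(acl, "192.168.101.50", "198.51.100.7"))
```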