Cannot telnet within VPN

Anthony.Herman
Level 1

I have a lotus domino server running inside the network. When I connect with my IPSEC VPN I can't telnet to the internal address. Because I have a nat rule set up on the outside I can still telnet to the external IP with telnet x.x.x.x 1352 and get connected. Why wouldn't I be able to telnet to the internal address? As far as everything else on the inside I have no issues accessing anything from my VPN session that I have tried.

Config:

!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name xxxxx
ip name-server 192.168.100.102
ip inspect name DEFAULT-INSPECT icmp
ip inspect name DEFAULT-INSPECT tcp
ip inspect name DEFAULT-INSPECT udp
no ipv6 cef
!
multilink bundle-name authenticated
!
password encryption aes
!
!
object-group network SOURCE_MGMT
 192.168.100.0 255.255.255.0
 173.160.106.40 255.255.255.248
 71.63.249.0 255.255.255.0
!
object-group service SSH
 tcp-udp eq 22
!
username admin privilege 15 secret 5 $1$Iu22$OiNXyxdNEkJiCzf3ulYe20
username greyduck privilege 15 secret 5 $1$MNkY$cpYetNgs4sPtiSg/ldVD31
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group LEFxxxx
 key xxxxx
 dns 192.168.100.102
 wins 192.168.100.102
 domain xxxx.local
 pool LEF-Pool
 acl 120
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address x.x.x.65 255.255.255.0 secondary
 ip address x.x.x.67 255.255.255.0 secondary
 ip address x.x.x.68 255.255.255.0 secondary
 ip address x.x.x.69 255.255.255.0 secondary
 ip address x.x.x.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface Vlan1
 ip address 192.168.100.15 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool LEF-Pool 192.168.11.10 192.168.11.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.254
ip route 172.16.100.0 255.255.255.0 192.168.100.90
no ip http server
no ip http secure-server
!
!
ip nat pool WAN x.x.x.1 x.x.x.1 prefix-length 24
ip nat pool WAN-65 x.x.x.65 x.x.x.65 prefix-length 24
ip nat pool WAN-67 x.x.x.67 x.x.x.67 prefix-length 24
ip nat pool WAN-69 x.x.x.69 x.x.x.69 prefix-length 24
ip nat pool WAN-68 x.x.x.68 x.x.x.68 prefix-length 24
ip nat source static 192.168.100.214 x.x.x.68
ip nat inside source list 100 pool WAN overload
ip nat inside source list 101 pool WAN-65 overload
ip nat inside source list 102 pool WAN-67 overload
ip nat inside source list 103 pool WAN-68 overload
ip nat inside source list 104 pool WAN-69 overload
ip nat inside source static tcp 192.168.100.213 25 x.x.x.1 25 extendable
ip nat inside source static tcp 192.168.100.213 80 x.x.x.1 80 extendable
ip nat inside source static tcp 192.168.100.213 110 x.x.x.1 110 extendable
ip nat inside source static tcp 192.168.100.213 139 x.x.x.1 139 extendable
ip nat inside source static tcp 192.168.100.213 143 x.x.x.1 143 extendable
ip nat inside source static tcp 192.168.100.213 389 x.x.x.1 389 extendable
ip nat inside source static tcp 192.168.100.213 443 x.x.x.1 443 extendable
ip nat inside source static tcp 192.168.100.213 445 x.x.x.1 445 extendable
ip nat inside source static tcp 192.168.100.213 1352 x.x.x.1 1352 extendable
ip nat inside source static tcp 192.168.100.213 3101 x.x.x.1 3101 extendable
ip nat inside source static tcp 192.168.100.197 6001 x.x.x.1 6001 extendable
ip nat inside source static tcp 192.168.100.213 7443 x.x.x.1 7443 extendable
ip nat inside source static tcp 192.168.100.213 8080 x.x.x.1 8080 extendable
ip nat inside source static tcp 192.168.100.213 8085 x.x.x.1 8085 extendable
ip nat inside source static tcp 192.168.100.213 8642 x.x.x.1 8642 extendable
ip nat inside source static tcp 192.168.100.213 8889 x.x.x.1 8889 extendable
ip nat inside source static tcp 192.168.100.213 28315 x.x.x.1 28315 extendable
ip nat inside source static tcp 192.168.100.213 50125 x.x.x.1 50125 extendable
ip nat inside source static tcp 192.168.100.220 3389 x.x.x.1 63389 extendable
ip nat inside source static tcp 192.168.100.161 21 x.x.x.65 21 extendable
ip nat inside source static tcp 192.168.100.161 3389 x.x.x.65 3389 extendable
ip nat inside source static tcp 192.168.100.161 4899 x.x.x.65 4899 extendable
ip nat inside source static tcp 192.168.100.174 80 x.x.x.67 80 extendable
ip nat inside source static tcp 192.168.100.174 443 x.x.x.67 443 extendable
ip nat inside source static tcp 192.168.100.174 3389 x.x.x.67 3389 extendable
ip nat inside source static tcp 192.168.100.214 80 x.x.x.68 80 extendable
ip nat inside source static tcp 192.168.100.214 1352 x.x.x.68 1352 extendable
ip nat inside source static tcp 192.168.100.214 1533 x.x.x.68 1533 extendable
ip nat inside source static tcp 192.168.100.161 8088 x.x.x.68 8088 extendable
ip nat inside source static tcp 192.168.100.202 80 x.x.x.69 80 extendable
ip nat inside source static tcp 192.168.100.202 1494 x.x.x.69 1494 extendable
ip nat inside source static tcp 192.168.100.202 2598 x.x.x.69 2598 extendable
ip nat inside source static tcp 192.168.100.202 6001 x.x.x.69 6001 extendable
ip nat inside source static 192.168.100.202 x.x.x.69
!
ip access-list extended MANAGEMENT
 permit object-group SSH object-group SOURCE_MGMT any
ip access-list extended OUTSIDE-IN
!
logging trap debugging
access-list 11 permit 192.168.100.161
access-list 12 permit 192.168.100.174
access-list 12 permit 192.168.100.192
access-list 13 permit 192.168.100.214
access-list 14 permit 192.168.100.202
access-list 100 deny   ip host 192.168.100.161 any
access-list 100 deny   ip host 192.168.100.174 any
access-list 100 deny   ip host 192.168.100.192 any
access-list 100 deny   ip host 192.168.100.202 any
access-list 100 deny   ip host 192.168.100.214 any
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.10
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.11
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.12
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.13
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.14
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.15
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.16
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.17
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.18
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.19
access-list 100 deny   ip 192.168.100.0 0.0.0.255 host 192.168.11.20
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 deny   ip host 192.168.100.161 192.168.11.0 0.0.0.255
access-list 101 permit ip host 192.168.100.161 any
access-list 102 deny   ip host 192.168.100.174 192.168.11.0 0.0.0.255
access-list 102 deny   ip host 192.168.100.192 192.168.11.0 0.0.0.255
access-list 102 permit ip host 192.168.100.174 any
access-list 102 permit ip host 192.168.100.192 any
access-list 103 deny   ip host 192.168.100.214 192.168.11.0 0.0.0.255
access-list 103 permit ip host 192.168.100.214 any
access-list 104 deny   ip host 192.168.100.202 192.168.11.0 0.0.0.255
access-list 104 permit ip host 192.168.100.202 any
access-list 120 permit ip 192.168.100.0 0.0.0.255 any
!
!
!
!
!
radius-server host 192.168.100.212 auth-port 1645 acct-port 1646
radius-server key radius
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class MANAGEMENT in
 transport input ssh
!
scheduler max-task-time 5000
end
4 Replies

Lei Tian
Cisco Employee

Hi Anthony,

What's the server IP? Is it NATed? If yes, can you telnet to the NATed IP?

HTH,
Lei Tian

Sent from Cisco Technical Support iPhone App

The inside server IP is 192.168.100.213. I can telnet to the NATed IP of x.x.x.1:1352. When I connect with VPN and am inside the network and I try to telnet to the inside IP of 192.168.100.213:1352 it fails. When I wireshark it I am getting replies from the external IP in the three-way handshake. If I remove the NAT translation I can VPN to the internal address of 192.168.100.213:1352.

If I do a show ip nat translations | include 1352 during my telnet attempt from the VPN connection, there *is* a translation rule created that is mapping

tcp x.x.x.1:1352    192.168.100.213:1352              192.168.11.13:3346 (VPN IP)          192.168.11.13:3346

So I know what is going on, my question is how do I fix this so it does not apply this translation to a VPN session.

I got it to work with a route-map appended to the end of the nat rule:

route-map Nonat1 permit 10
 match ip address 130

access-list 130 deny ip 192.168.11.0 0.0.0.255 any

ip nat inside source static tcp 192.168.100.213 1352 x.x.x.1 1352 route-map Nonat1 extendable

I just can't help but feel there is a better way to do this.

Lei Tian
Cisco Employee (Accepted Solution)

Hi,

You got it. Conditional static NAT is the right way. You need to stop the NAT translation for inside to VPN pool address. An alternate solution is to use tunnel, dynamic or static for your VPN traffic. Apply NAT outside only to your physical interface, not in tunnel. So the NAT will not do the translation if it sees the outbound interface has no NAT outside.

HTH,
Lei Tian

Sent from Cisco Technical Support iPhone App
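Anthony's route-map exemption and Lei Tian's alternative (terminate the VPN on a tunnel interface that carries no ip nat outside) both come down to the same decision the router makes on the Domino server's reply packet, so one model serves both replies. The Python below is an added illustration, not code from this thread or from Cisco: x.x.x.1 and the 192.168.11.13 client come from the posts, while the 203.0.113.5 Internet client and the ACL_130_EXPLICIT variant are constructed for the example.

```python
# Added model (not code from the thread) of the inside-source static NAT
# decision described in the posts, evaluated on constructed packets.
from ipaddress import ip_address, ip_network

INSIDE_HOST, NAT_PORT = "192.168.100.213", 1352   # Domino server, port 1352
OUTSIDE_IP = "x.x.x.1"                             # placeholder, as in the post
VPN_POOL = ip_network("192.168.11.0/24")           # ip local pool LEF-Pool
ANY = ip_network("0.0.0.0/0")

# access-list 130 exactly as posted: one deny entry, then IOS's implicit deny.
ACL_130 = [("deny", VPN_POOL, ANY)]
# Constructed variant with the intent written like ACLs 100-104 on the page
# (src = inside, dst = VPN pool) plus an explicit permit for every other flow.
ACL_130_EXPLICIT = [("deny", ANY, VPN_POOL), ("permit", ANY, ANY)]

def acl_permits(acl, src, dst):
    """First-match evaluation of (action, src_net, dst_net); unmatched = deny."""
    for action, s, d in acl:
        if ip_address(src) in s and ip_address(dst) in d:
            return action == "permit"
    return False

def reply_source(client_ip, egress_nat_outside, route_map_acl=None):
    """Source the client sees on the SYN-ACK that INSIDE_HOST:1352 sends back.

    The inside->outside packet (src INSIDE_HOST, dst client) is rewritten by
    'ip nat inside source static tcp ... 1352 x.x.x.1 1352' only if the egress
    interface is 'ip nat outside' (accepted answer: a tunnel without it is
    exempt) and, when a route-map is attached, its ACL permits the packet.
    Only the reply path is modelled, not entries created by an inbound SYN."""
    if not egress_nat_outside:
        return INSIDE_HOST
    if route_map_acl is not None and not acl_permits(route_map_acl, INSIDE_HOST, client_ip):
        return INSIDE_HOST
    return OUTSIDE_IP

def handshake_completes(client_ip, egress_nat_outside, route_map_acl=None):
    """TCP only accepts a SYN-ACK whose source equals the SYN's destination."""
    return reply_source(client_ip, egress_nat_outside, route_map_acl) == INSIDE_HOST

if __name__ == "__main__":
    vpn_client = "192.168.11.13"   # client from the 'show ip nat translations' line
    for label, nat_out, acl in [("original config", True, None),
                                ("route-map Nonat1 / acl 130", True, ACL_130),
                                ("acl written like 100-104", True, ACL_130_EXPLICIT),
                                ("tunnel without ip nat outside", False, None)]:
        ok = "ok" if handshake_completes(vpn_client, nat_out, acl) else "FAILS"
        print(f"{label:32} SYN-ACK from {reply_source(vpn_client, nat_out, acl):16} {ok}")
```

Note that ACL 130 as posted matches on source 192.168.11.0/24, but the reply packet the route-map sees has source 192.168.100.213, so the exemption comes from the implicit deny; the ACL_130_EXPLICIT form exempts the pool by destination the way ACLs 100-104 in the config do.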