Client VPN with existing STATIC NAT for other VPN tunnel

derict
Level 1

Hi All,

I have a situation where I need to NAT all the server IPs in the LAN to another IP range because of NSOC monitoring. On top of that, I need to set up a client VPN on the same router. I managed to configure it, but I am not able to ping any of the internal IPs (all ranges). I found out it was due to the static NAT I specified for the NSOC VPN tunnel.

My question is, is there any workaround to disable any NAT for VPN clients, or can we still establish the client VPN but mobile users need to access the servers with the NATted IP?

My revised configuration is as below:

interface GigabitEthernet0/0
description ### WAN connection###
no ip address
duplex auto
speed auto
!
!
interface GigabitEthernet0/0.500
description ### Connection to WAN ###
encapsulation dot1Q 500
ip virtual-reassembly
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface GigabitEthernet0/1
description ### Connection to LAN ###
ip address 10.10.200.2 255.255.255.192
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Dialer1
description PPPOE Config
mtu 1492
ip address 202.188.1.5 255.255.255.248
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname PPPOE@UNIFI
ppp chap password 7 asdkuadhwekdejkdjae
ppp pap sent-username PPPOE@UNIFI password 7 asdkuadhwekdejkdjae
crypto map NSOC
!
ip nat inside source list 100 interface Dialer1 overload

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key NSOCKEY address 8.8.8.8
!
crypto ipsec transform-set VPNUMW esp-3des esp-md5-hmac
!
crypto map NSOC 20 ipsec-isakmp
set peer 8.8.8.8
set transform-set VPNSET
match address NSOC
!
ip nat inside source static 192.168.1.1 129.100.100.1 extendable
ip nat inside source static 192.168.2.1 129.100.100.2 extendable
ip nat inside source static 192.168.11.1 129.100.100.3 extendable
ip nat inside source static 10.10.10.1 129.100.100.4 extendable
ip nat inside source static 10.10.10.200 129.100.100.5 extendable
ip nat inside source static 192.168.15.1 129.100.100.6 extendable
ip nat inside source static 192.168.17.1 129.100.100.7 extendable
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.10.10.0 255.255.255.0 10.10.200.1
ip route 192.168.0.0 255.255.0.0 10.10.200.1
!
ip access-list extended NSOC
permit ip 129.100.100.0 0.0.0.255 188.111.10.0 0.0.0.255
!
access-list 100 remark INTERNET
access-list 100 permit ip 10.10.200.0 0.0.0.63 any
access-list 100 remark INTERNET
!

Above is the current config. I've tested the following client VPN configuration but it's not working.

aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group clientvpn
key remotevpn
pool VPN-Pool
acl VPNCLIENT
!
ip local pool VPN-Pool 10.10.200.65 10.10.200.126

!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
crypto map NSOC client authentication list userauthen
crypto map NSOC isakmp authorization list groupauthor
crypto map NSOC client configuration address respond
crypto map NSOC 10 ipsec-isakmp dynamic dynmap
!
!
access-list 101 permit ip 10.10.200.0 0.0.0.63 10.10.200.64 0.0.0.63
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.200.64 0.0.0.63
access-list 101 permit ip 192.168.0.0 0.0.255.255 10.10.200.64 0.0.0.63
!
access-list 100 remark INTERNET
access-list 100 deny   ip 10.10.100.0 0.0.0.63 10.10.100.64 0.0.0.63
access-list 100 deny   ip 10.10.10.0 0.0.0.255 10.10.100.64 0.0.0.63
access-list 100 deny   ip 192.168.0.0 0.0.255.255 10.10.100.64 0.0.0.63
access-list 100 permit ip 10.10.100.0 0.0.0.63 any
access-list 100 remark INTERNET
!

Hope someone can help or give some idea on this.

Thank you.

11 Replies

rizwanr74
Level 7

"My question is, is there any workaround to disable any NAT for VPN clients, or can we still establish the client VPN but mobile users need to access the servers with the NATted IP?"

Hi Derict,

What you need to create is a no-NAT rule between your VPN DHCP pool address range and the public IPs that the traffic is coming in for.

Please follow the example below.

ip access-list extended no-nat
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.1
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.2
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.3
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.4
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.5
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.6
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.7

ip nat inside source list no-nat interface Dialer1 overload

Finally, be sure to include any internal subnet that needs internet access as a permit line in the no-nat ACL, for example:

permit ip 10.100.0.0 0.0.255.255 any

FYI...

Deny lines must come before the permit line in the overload command.

Hope that helps.

thanks

Rizwan Rafeek

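As an added illustration of the ordering rule in the reply above (this is not code from the thread), the following Python model evaluates Cisco wildcard-mask ACL entries first-match and applies it to a no-nat list. The summarised deny for 129.100.100.0/24 and the permit covering the 10.10.200.0/25 LAN plus VPN pool are constructed for the example.

```python
import ipaddress

# Added example (not from the thread): first-match evaluator for the Cisco IOS
# extended ACL syntax used in a NAT list, showing why the deny entries for
# VPN-pool -> public-IP traffic must sit above the broad permit.

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def _wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def _parse_side(tokens):
    """Consume 'any', 'host A' or 'A W'; return (base, wildcard, remaining)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_ace(line):
    """'permit|deny ip <src> <dst>' -> (action, src, src_wc, dst, dst_wc)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[1] != "ip":
        raise ValueError("only 'permit|deny ip ...' entries are modelled: " + line)
    src, src_wc, rest = _parse_side(tokens[2:])
    dst, dst_wc, _ = _parse_side(rest)
    return tokens[0], src, src_wc, dst, dst_wc

def evaluate(acl, src, dst):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for line in acl:
        action, s, swc, d, dwc = parse_ace(line)
        if _wildcard_match(src, s, swc) and _wildcard_match(dst, d, dwc):
            return action
    return "deny"

def is_natted(acl, src, dst):
    """On 'ip nat inside source list <acl> ...', a permit means 'translate'."""
    return evaluate(acl, src, dst) == "permit"

# Constructed list: the reply's deny entries summarised to 129.100.100.0/24,
# above a permit covering the whole 10.10.200.0/25 (LAN plus VPN pool).
NO_NAT_CORRECT = ["deny ip 10.10.200.64 0.0.0.63 129.100.100.0 0.0.0.255",
                  "permit ip 10.10.200.0 0.0.0.127 any"]
NO_NAT_WRONG_ORDER = NO_NAT_CORRECT[::-1]   # permit first: the deny is shadowed
```

With the correct order, a VPN client (10.10.200.70) reaching 129.100.100.3 is exempt from the overload translation while a LAN host going to the internet is still translated; with the permit first, the VPN traffic is translated too. The model covers only the dynamic translation that the list governs.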

Hi Rizwan,

Thank you for your advice. I've actually tested with NO-NAT before but it's not working. I tested it again with your advice but it still fails.

In fact, if I add my router interface IP as one of the static NATs as below, I can't ping after I connect through the VPN either. But if I remove it, I can ping.

ip nat inside source static 10.10.200.2 129.100.100.8 extendable

I know my problem is with the static NAT... Any more suggestions?

Hi Derict,

Can you please post the ACL VPNCLIENT?

CCIE # 10510

Hi Rizwan,

That is a typo; in fact VPNCLIENT = 101

access-list 101 permit ip 10.10.200.0 0.0.0.63 10.10.200.64 0.0.0.63
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.200.64 0.0.0.63
access-list 101 permit ip 192.168.0.0 0.0.255.255 10.10.200.64 0.0.0.63

It is defined for split tunneling only.

Hi Derict,

You need the permit lines below in the ACL VPNCLIENT:

permit ip host 129.100.100.1 10.10.200.64 0.0.0.63
permit ip host 129.100.100.2 10.10.200.64 0.0.0.63
permit ip host 129.100.100.3 10.10.200.64 0.0.0.63
permit ip host 129.100.100.4 10.10.200.64 0.0.0.63
permit ip host 129.100.100.5 10.10.200.64 0.0.0.63
permit ip host 129.100.100.6 10.10.200.64 0.0.0.63
permit ip host 129.100.100.7 10.10.200.64 0.0.0.63

Hope that helps.

Thanks

Rizwan Rafeek

Hi Rizwan,

I can't specify host by host because I have more than 250 static NATs running. I will try with a network range and see if it's working.

Hi Derict

Also please do not forget to add the deny lines in your ACL 100; you need them as well. Of course you can summarize the IP range as well as the public addresses in the ACLs.

deny ip 10.10.200.64 0.0.0.63 host 129.100.100.1
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.2
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.3
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.4
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.5
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.6
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.7

Thanks

Hi Rizwan, I've tested but it still failed.

Hi all experts, I've attached the current configuration. Hope I can get some feedback from you all on this.

Can anyone advise on this?

Any guru out there that can help me on this?

Hi Derict,

Please add the two permit lines below to ACL 120.

access-list 120 permit ip 139.178.172.0 0.0.0.255 10.10.150.64 0.0.0.63
access-list 120 permit ip 139.178.173.0 0.0.0.63 10.10.150.64 0.0.0.63

I would strongly recommend that you configure "adjust-mss 1452" on the inside interface; otherwise some servers could drop the TCP handshake for VPN clients, which could also be a contributor.

!--- The TCP MSS command requires an MSS on the inside interface: not 1500, it should be 1452.

interface GigabitEthernet0/1
ip tcp adjust-mss 1452


thanks

Rizwan Rafeek
