04-17-2013 07:15 AM
Hi All,
I have a situation where I need to NAT all the server IPs in the LAN to another IP range due to NSOC monitoring. On top of that, I need to create a client VPN setup on the same router. I managed to configure it, but I am not able to PING any of the internal IPs (all ranges). I found out it was due to the STATIC NAT I specified for the NSOC VPN tunnel.
My question is: is there any workaround to disable NAT for VPN clients, or can we still establish the CLIENT VPN but have mobile users access the servers with the NATted IP?
My revised configuration is as per below:
interface GigabitEthernet0/0
description ### WAN connection###
no ip address
duplex auto
speed auto
!
!
interface GigabitEthernet0/0.500
description ### Connection to WAN ###
encapsulation dot1Q 500
ip virtual-reassembly
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface GigabitEthernet0/1
description ### Connection to LAN ###
ip address 10.10.200.2 255.255.255.192
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Dialer1
description PPPOE Config
mtu 1492
ip address 202.188.1.5 255.255.255.248
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname PPPOE@UNIFI
ppp chap password 7 asdkuadhwekdejkdjae
ppp pap sent-username PPPOE@UNIFI password 7 asdkuadhwekdejkdjae
crypto map NSOC
!
ip nat inside source list 100 interface Dialer1 overload
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key NSOCKEY address 8.8.8.8
!
crypto ipsec transform-set VPNUMW esp-3des esp-md5-hmac
!
crypto map NSOC 20 ipsec-isakmp
set peer 8.8.8.8
set transform-set VPNSET
match address NSOC
!
ip nat inside source static 192.168.1.1 129.100.100.1 extendable
ip nat inside source static 192.168.2.1 129.100.100.2 extendable
ip nat inside source static 192.168.11.1 129.100.100.3 extendable
ip nat inside source static 10.10.10.1 129.100.100.4 extendable
ip nat inside source static 10.10.10.200 129.100.100.5 extendable
ip nat inside source static 192.168.15.1 129.100.100.6 extendable
ip nat inside source static 192.168.17.1 129.100.100.7 extendable
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.10.10.0 255.255.255.0 10.10.200.1
ip route 192.168.0.0 255.255.0.0 10.10.200.1
!
ip access-list extended NSOC
permit ip 129.100.100.0 0.0.0.255 188.111.10.0 0.0.0.255
!
access-list 100 remark INTERNET
access-list 100 permit ip 10.10.200.0 0.0.0.63 any
access-list 100 remark INTERNET
!
Above is the current config. I've tested the following CLIENT VPN configuration but it's not working.
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group clientvpn
key remotevpn
pool VPN-Pool
acl VPNCLIENT
!
ip local pool VPN-Pool 10.10.200.65 10.10.200.126
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
crypto map NSOC client authentication list userauthen
crypto map NSOC isakmp authorization list groupauthor
crypto map NSOC client configuration address respond
crypto map NSOC 10 ipsec-isakmp dynamic dynmap
!
!
access-list 101 permit ip 10.10.200.0 0.0.0.63 10.10.200.64 0.0.0.63
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.200.64 0.0.0.63
access-list 101 permit ip 192.168.0.0 0.0.255.255 10.10.200.64 0.0.0.63
!
access-list 100 remark INTERNET
access-list 100 deny ip 10.10.100.0 0.0.0.63 10.10.100.64 0.0.0.63
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.100.64 0.0.0.63
access-list 100 deny ip 192.168.0.0 0.0.255.255 10.10.100.64 0.0.0.63
access-list 100 permit ip 10.10.100.0 0.0.0.63 any
access-list 100 remark INTERNET
!
Hope someone can help or give some idea on this.
Thank you.
04-17-2013 08:22 AM
"My Q is, is there any workaround to disable any NAT for VPN client or we can still establish the CLIENT VPN but mobile user need to access server with the NATted IP?"
Hi Derict,
What you need to create is a no-NAT between your VPN DHCP pool address range and the public IPs for which traffic is coming in.
Please follow the example below.
ip access-list extended no-nat
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.1
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.2
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.3
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.4
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.5
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.6
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.7
ip nat inside source list no-nat interface Dialer1 overload
Lastly, be sure to include any internal subnet that needs access to the internet as a permit line in the ACL no-nat; example below.
permit ip 10.100.0.0 0.0.255.255 any
FYI...
The deny lines must come before the permit line in the ACL used by the overload command.
Hope that helps.
thanks
Rizwan Rafeek
Message was edited by: Rizwan Mohamed
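The two ACL rules that the answer above relies on (first-match evaluation, and deny lines placed before the permit line so VPN-pool traffic towards the NATted server addresses is excluded from the overload translation) can be checked offline with a small model of IOS wildcard-mask ACL matching. The following is an added example written for this thread, not configuration from the original posts; the ACL lines it evaluates are constructed from the addresses in the thread (VPN pool 10.10.200.64/26, static NAT range 129.100.100.1-7, split-tunnel ACL 101), and the summary permit line and the internet destination 203.0.113.10 are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match exactly,
    a 1 bit is "don't care" (so 255.255.255.255 is the same as 'any')."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    action: str      # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse an extended 'permit|deny ip <src> <dst>' line (protocol 'ip' only)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, src_wc, rest = _take_address(rest)
    dst, dst_wc, rest = _take_address(rest)
    return Ace(action, src, src_wc, dst, dst_wc)


def evaluate(acl_lines, src: str, dst: str) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in (parse_ace(l) for l in acl_lines):
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def will_be_natted(no_nat_acl, src: str, dst: str) -> bool:
    """'ip nat inside source list <acl> ... overload' translates only permitted flows."""
    return evaluate(no_nat_acl, src, dst) == "permit"


def in_split_tunnel(split_acl, inside_host: str, vpn_client: str) -> bool:
    """Split-tunnel ACL: source is the network behind the router, destination the client pool."""
    return evaluate(split_acl, inside_host, vpn_client) == "permit"


# Constructed no-NAT ACL: deny lines first, then a summary permit for the whole LAN interface range.
DENY_LINES = [f"deny ip 10.10.200.64 0.0.0.63 host 129.100.100.{i}" for i in range(1, 8)]
PERMIT_LINE = "permit ip 10.10.200.0 0.0.0.255 any"   # assumed summary covering LAN and VPN pool
NO_NAT_OK = DENY_LINES + [PERMIT_LINE]
NO_NAT_WRONG_ORDER = [PERMIT_LINE] + DENY_LINES       # permit first: deny lines are never reached

# Split-tunnel ACL 101 as posted in the thread, and the same list with one of the suggested host lines.
ACL_101 = [
    "permit ip 10.10.200.0 0.0.0.63 10.10.200.64 0.0.0.63",
    "permit ip 10.10.10.0 0.0.0.255 10.10.200.64 0.0.0.63",
    "permit ip 192.168.0.0 0.0.255.255 10.10.200.64 0.0.0.63",
]
ACL_101_FIXED = ACL_101 + ["permit ip host 129.100.100.1 10.10.200.64 0.0.0.63"]

if __name__ == "__main__":
    client, server_nat, internet = "10.10.200.70", "129.100.100.3", "203.0.113.10"
    print("VPN client -> NATted server, deny first :", will_be_natted(NO_NAT_OK, client, server_nat))
    print("VPN client -> NATted server, permit first:", will_be_natted(NO_NAT_WRONG_ORDER, client, server_nat))
    print("VPN client -> internet                  :", will_be_natted(NO_NAT_OK, client, internet))
    print("129.100.100.1 in split tunnel (posted)  :", in_split_tunnel(ACL_101, "129.100.100.1", client))
    print("129.100.100.1 in split tunnel (fixed)   :", in_split_tunnel(ACL_101_FIXED, "129.100.100.1", client))
```

The model only covers the NAT-exemption ACL and the split-tunnel ACL; it does not model the `ip nat inside source static` entries, which in IOS are applied independently of the overload ACL, which is why the thread's static translations still rewrite the server addresses.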
04-17-2013 09:40 AM
Hi Rizwan,
Thank you for your advice. I've actually tested with NO-NAT before but it's not working. I tested it again with your advice but it still fails.
In fact, if I add my router interface IP as one of the STATIC NATs as per below, I can't ping after I connect through the VPN either. But if I remove it, I can PING.
ip nat inside source static 10.10.200.2 129.100.100.8 extendable
I know my problem is with the STATIC NAT... Any more suggestions?
04-17-2013 09:52 AM
Hi Derict,
Can you please post the ACL VPNCLIENT?
04-17-2013 10:04 AM
Hi Rizwan,
That is a typo; in fact VPNCLIENT = 101.
access-list 101 permit ip 10.10.200.0 0.0.0.63 10.10.200.64 0.0.0.63
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.200.64 0.0.0.63
access-list 101 permit ip 192.168.0.0 0.0.255.255 10.10.200.64 0.0.0.63
It is defined for SPLIT TUNNELING only.
04-17-2013 10:46 AM
Hi Derict,
You need the below permit lines in the ACL VPNCLIENT:
permit ip host 129.100.100.1 10.10.200.64 0.0.0.63
permit ip host 129.100.100.2 10.10.200.64 0.0.0.63
permit ip host 129.100.100.3 10.10.200.64 0.0.0.63
permit ip host 129.100.100.4 10.10.200.64 0.0.0.63
permit ip host 129.100.100.5 10.10.200.64 0.0.0.63
permit ip host 129.100.100.6 10.10.200.64 0.0.0.63
permit ip host 129.100.100.7 10.10.200.64 0.0.0.63
Hope that helps.
Thanks
Rizwan Rafeek
04-17-2013 10:55 AM
Hi Rizwan,
I can't specify host by host because I have more than 250 STATIC NATs running. I will try with a network range and see if it's working.
04-17-2013 11:07 AM
Hi Derict
Also, please do not forget to add the deny lines in your ACL 100; you need them as well. You can certainly summarize the IP range as well as the public addresses in the ACLs.
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.1
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.2
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.3
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.4
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.5
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.6
deny ip 10.10.200.64 0.0.0.63 host 129.100.100.7
Thanks
04-22-2013 06:22 PM
Can anyone advise on this?
04-26-2013 02:13 AM
Is there any guru out there who can help me with this?
04-26-2013 08:05 AM
Hi Derict,
Please add the two permit lines below to ACL 120.
access-list 120 permit ip 139.178.172.0 0.0.0.255 10.10.150.64 0.0.0.63
access-list 120 permit ip 139.178.173.0 0.0.0.63 10.10.150.64 4 0.0.0.63
I would strongly recommend that you set "adjust-mss 1452" on the inside interface; otherwise some servers could drop the TCP handshake for VPN clients, and this could also be a contributor.
!--- The TCP MSS command requires an MSS for the inside interface: not 1500, it should be 1452.
interface GigabitEthernet0/1
ip adjust-mss 1452
thanks
Rizwan Rafeek
Message was edited by: Rizwan Mohamed