01-29-2007 09:59 AM - edited 02-21-2020 02:50 PM
Hope someone can help. Trying to set up a VPN between my two sites using 1800 series routers. I used SDM to set up the router. The problem is this: I can ping a device at the remote LAN from any workstation, but if I ping from one of my servers, which has a static NAT entry, I cannot.
Thanks
01-29-2007 10:54 AM
Hi
If you are not NATting your workstations but are NATting your servers, have you included the NATted address for the servers in your access-list that defines interesting traffic for the VPN?
If possible could you post configs with any sensitive info removed.
HTH
Jon
01-29-2007 11:08 AM
01-29-2007 11:55 AM
Hi
Looking at your config, here's what I think is happening.
1) You have a natpool defined for your workstations.
2) This natpool is tied to a route-map. The route-map says don't use this NAT pool for any traffic from
192.168.1.0/24 to 192.168.2.0/24 &
192.168.1.0/24 to 192.168.3.0/24
3) 192.168.2.0 & 192.168.3.0/24 are the remote subnets at the end of your IPSEC vpns.
So when your workstations send traffic to either 192.168.2.0/24 or 192.168.3.0/24 they don't get natted.
Your servers, however, are statically NATted, so they do get NATted. The NAT takes place before the traffic gets matched against the VPN traffic, and your VPN traffic is defined as
192.168.1.0/24 -> 192.168.2.0/24 (access-list 103)
192.168.1.0/24 -> 192.168.3.0/24 (access-list 105).
The servers will never match these access-lists.
On a PIX/ASA device you could exclude the servers from being NATted if they are going down the VPN. You could try applying a route-map to the static NAT statements, saying only NAT the servers if they are not going to 192.168.2.0/24 or 192.168.3.0/24, but I'm not sure this will work. (I can check tomorrow when I'm back in work, but you could try anyway.)
If this doesn't work, what you could do is expand access-lists 103 & 105 to include the NATted server IP addresses. You will need to make sure the access-lists are also modified on the remote site routers.
HTH
Jon
01-29-2007 12:07 PM
Thanks Jon,
I think you're looking in the right direction. That's what I thought. I'll see what I can come up with, but please do check when you get back to work; I would greatly appreciate it!
Thanks again.
01-29-2007 01:12 PM
I found documentation that says I can enter "route-map" at the end of the static entry.
For example...
ip nat inside source static 192.168.1.3 "ip-removed" route-map SDM_RMAP_1
That should make the traffic for the static NAT look at the "SDM_RMAP_1" ACL.
I'll give it a try tonight.
01-29-2007 11:24 PM
Okay. Let me know how it goes :-)
01-30-2007 05:32 AM
Nah, that didn't work either. Don't understand this. I do work for another company that uses 2600 series and the config is almost identical except for a virtual interface and that router is connecting to a Linksys.
Very strange. Please let me know what you find out.
01-30-2007 10:30 AM
Hi
Bad news. Did you try adding just one of the servers' public IP addresses into your crypto map access-list on the devices at both ends?
Jon
01-30-2007 05:38 PM
Looks like it did work. Along with pinging FROM a server that was natted, I was also pinging TO a server that was natted on the remote LAN and I had not added the route-map command on that static NAT.
Thanks again for your help!
Bob M.
01-31-2007 12:31 AM
And just when I had it all set up to test :-)
No problem, glad it worked
Jon
01-31-2007 05:30 AM
Sorry about that!
I don't understand why SDM can make the necessary NAT change for the address pool when setting up but not for static entries.
02-03-2007 03:36 PM
Whoops,
Thought we solved the problem, but not so quick. Looks like I can ping from site to site, but that's all I can do. Can't get to remote servers, websites, printers, etc.
Any ideas why I'm having this problem?
02-05-2007 01:33 PM
Hi
Are you running CBAC on the remote 1800? Can you send me the config for the remote site as well?
It might be what you have in your access-list on the outside interface of your remote router. Remember you need to allow the traffic through on this access-list and you need to refer to the correct IP addresses.
Jon
02-05-2007 04:43 PM
Hi Jon,
Turned out to be an MTU issue. Added "crypto ipsec df-bit clear" in global config and now I can access remote subnets with no problems.
I do have one last problem and that is, I cannot VPN to an internal Windows Server using PPTP. Internet access to NAT'ed www, mail, dns, etc all working perfectly. Can't seem to figure this one out. I've tried just about everything.
Here is my current config at one of my locations.
Thanks again Jon and if you see any other issues, please do let me know.
Bob M.
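For readers landing on this thread later, here is what the fix Jon and Bob arrived at looks like as a single IOS configuration for the 192.168.1.0/24 site, covering both the NAT-exemption route-map on the static entries (the fix in the 01-30 post) and the df-bit clear line (the MTU fix in the 02-05 post). This is an added example written for this page, not Bob's posted config, which is not shown in the thread. The public addresses (203.0.113.x), the pool name SDM_POOL_1, the exemption ACL name SDM_NAT_EXEMPT and the interface names are assumptions; the route-map name SDM_RMAP_1, the access-list numbers 103 and 105, the server address 192.168.1.3 and the three subnets come from the thread.

```cisco
! Added example config for the 192.168.1.0/24 site (not the original poster's config).
! Public addresses 203.0.113.x are RFC 5737 placeholders; the thread removed the real ones.
!
! 1) ACL consulted by the route-map. For a NAT route-map, "deny" means
!    "do not translate": traffic from the local LAN to either remote VPN
!    subnet is left with its private address so it can match the crypto ACLs.
ip access-list extended SDM_NAT_EXEMPT
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address SDM_NAT_EXEMPT
!
! 2) Dynamic NAT for the workstations. SDM already attached the route-map
!    here, which is why the workstations could reach the remote LAN.
ip nat pool SDM_POOL_1 203.0.113.5 203.0.113.5 netmask 255.255.255.0
ip nat inside source route-map SDM_RMAP_1 pool SDM_POOL_1 overload
!
! 3) Static NAT for the server. Without "route-map SDM_RMAP_1" the server is
!    translated to 203.0.113.10 before the crypto map is consulted, so its
!    traffic never matches access-list 103/105 and is sent in the clear.
!    The same route-map must be added on the remote routers' static entries
!    too, otherwise replies TO a NATted server there have the same problem.
ip nat inside source static 192.168.1.3 203.0.113.10 route-map SDM_RMAP_1
!
! 4) Crypto ACLs (interesting traffic) stay defined on private addresses.
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! 5) MTU: clear the DF bit on the outer IPsec packet so that full-size LAN
!    packets, which grow past 1500 bytes after ESP encapsulation, can be
!    fragmented on the path instead of being dropped.
crypto ipsec df-bit clear
!
! 6) NAT boundaries (interface names assumed).
interface FastEthernet0
 ip nat inside
interface FastEthernet1
 ip nat outside
!
! Checks after applying:
!   ping a 192.168.2.x host from the server, then
!   show crypto ipsec sa          -> "pkts encaps" counter for 192.168.2.0/24 increases
!   show ip nat translations      -> no dynamic entry for 192.168.1.3 towards 192.168.2.x
!   debug ip nat                  -> server traffic to 192.168.2.x is not logged as translated
```

The reason the route-map is needed on the static entry specifically, as the thread found, is that on IOS the inside-to-outside NAT step runs before the crypto map is evaluated on the outbound interface; a static translation that is not qualified by the route-map therefore rewrites the source address before the crypto ACL sees the packet. The same exemption must exist at every site whose servers are statically NATted, since the problem is symmetric.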