02-06-2016 06:29 AM - edited 02-21-2020 08:40 PM
Team,
I need your support immediately since this issue is now pending to be resolved for one of our customers.
There are some servers that are NATted statically in the router as below:
!
ip nat inside source static tcp 192.21.1.18 3389 18.19.20.21 3389 extendable
ip nat inside source static tcp 192.21.1.83 443 18.19.20.22 443 extendable
!
Below is the remote access VPN split ACL:
ip access-list extended ACL_SPLIT_VPN
permit ip 192.21.1.0 0.0.0.255 172.31.9.0 0.0.0.255
permit ip 192.21.4.0 0.0.0.255 172.31.9.0 0.0.0.255
permit ip host 192.21.2.120 172.31.9.0 0.0.0.255
!
After connecting to the remote access VPN, the user gets an IP in the 192.31.9.0/24 subnet as below:
ip local pool POOL_CLIENT_VPN 192.31.9.5 172.31.9.25
!
With that IP the VPN user can ping the server 192.21.1.18 but cannot RDP to it, because 3380 RDP is statically NATted, so VPN users cannot connect.
!
For normal Internet access, the NAT config is as below:
ip nat inside source list ACL_NAT_NET interface GigabitEthernet0/0/0 overload
ip access-list extended ACL_NAT_NET
remark ACL for Servers to get Internet
deny ip host 192.21.1.30 any
deny ip host 192.21.9.10 any
deny ip host 192.21.9.11 any
deny ip host 192.21.1.25 any
deny ip host 192.21.1.26 any
deny ip host 192.21.2.93 any
deny ip any 192.21.9.0 0.0.0.255
deny ip any 192.31.9.0 0.0.0.255
deny ip any 192.168.1.0 0.0.0.255
deny ip any host 192.168.83.4
deny ip any host 192.168.83.36
deny ip any 192.26.3.0 0.0.0.255
deny ip any 192.21.50.0 0.0.0.255
permit ip host 192.21.1.10 any
permit ip host 192.21.1.11 any
permit ip host 192.21.1.17 any
permit ip host 192.21.1.19 any
permit ip host 192.21.1.28 any
permit ip host 192.21.1.46 any
permit ip host 192.21.1.101 any
permit ip host 192.21.1.102 any
permit ip host 192.21.1.111 any
permit ip host 192.21.1.16 any
permit ip host 192.21.2.62 any
permit ip 192.21.5.128 0.0.0.63 any
permit ip 192.21.15.128 0.0.0.63 any
deny ip any any
Remote VPN user IP after login: 192.31.9.17
ping 192.21.1.18 - ok
telnet 192.21.1.18 3389 - not ok
02-06-2016 06:49 PM
Hello,
Looks like the remote client IP address range is: 192.31.9.5 192.31.9.25.
However, your posting shows it as: 192.31.9.5 172.31.9.25
Also, the split ACLs show the 172.31.9.x range. Make sure your router is configured with the correct addresses.
Check the link below for basic configurations:
http://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/91193-rtr-ipsec-internet-connect.html
hth
MS
02-06-2016 09:44 PM
Dear Friend,
Thanks for your response. Please find some corrections to my posting:
Remote client IP address range is: 192.31.9.5 192.31.9.25.
ip access-list extended ACL_SPLIT_VPN
permit ip 192.21.1.0 0.0.0.255 192.31.9.0 0.0.0.255
permit ip 192.21.4.0 0.0.0.255 192.31.9.0 0.0.0.255
permit ip host 192.21.2.120 192.31.9.0 0.0.0.255
!
Remote VPN users are getting their IP from the 192.31.9.0/24 subnet.
The split VPN ACL is as above, from inside source subnets 192.21.1.0/24, 192.21.4.0/24 and 192.21.2.120/32
to the remote VPN pool 192.31.9.0/24.
!
We need to alter the existing ip nat configuration using some sort of route-map to exclude the VPN traffic from the normal Internet access subnets.
Please advise.
Thx
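An added example of the route-map based exclusion asked about in this post (not from the original thread or any reply). The names NO_NAT_TO_VPN and STATIC_NAT_RM are chosen for this example, keyword order follows the IOS command reference, and it assumes classic IOS NAT on the same router that terminates the remote-access VPN.

```cisco
! Added example: make the static port translations conditional so they are
! not applied to traffic between the servers and the remote-access VPN pool.
! Without this, the server's reply from 192.21.1.18:3389 to a VPN client is
! source-translated to 18.19.20.21:3389 on its way inside->outside (NAT runs
! before encryption), and the client drops the unexpected address.
!
! ACL used only for NAT matching: a deny means "do not translate".
ip access-list extended NO_NAT_TO_VPN
 remark traffic to the VPN client pool must keep its real inside address
 deny   ip any 192.31.9.0 0.0.0.255
 remark everything else still qualifies for the static translation
 permit ip any any
!
route-map STATIC_NAT_RM permit 10
 match ip address NO_NAT_TO_VPN
!
! Replace the existing static entries with route-map conditioned ones.
no ip nat inside source static tcp 192.21.1.18 3389 18.19.20.21 3389 extendable
no ip nat inside source static tcp 192.21.1.83 443 18.19.20.22 443 extendable
ip nat inside source static tcp 192.21.1.18 3389 18.19.20.21 3389 extendable route-map STATIC_NAT_RM
ip nat inside source static tcp 192.21.1.83 443 18.19.20.22 443 extendable route-map STATIC_NAT_RM
!
! Verification once a VPN client (e.g. 192.31.9.17 from the post) is connected:
! show ip nat translations | include 192.21.1.18
!   -> no entry pairing 192.21.1.18:3389 with 192.31.9.17 should appear
! show route-map STATIC_NAT_RM
!   -> the match counters increase only for non-VPN destinations
```

The overload NAT already skips the pool via `deny ip any 192.31.9.0 0.0.0.255` in ACL_NAT_NET; the route-map extends the same exclusion to the static port entries, which is why ping worked but the RDP and HTTPS ports did not.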
02-08-2016 07:48 PM
Hi,
Did you check the link I provided? Also, google for more examples. If you still have issues, post your router config and someone will definitely be able to help you.
Thx
MS