Remote Access VPN users are not able to connect to the servers that are statically Natted

arumugasamy
Level 1

Team,

I need your support immediately, since this issue is pending resolution for one of our customers.

Some of the servers are statically NATed in the router as below:

!
ip nat inside source static tcp 192.21.1.18 3389 18.19.20.21 3389 extendable
ip nat inside source static tcp 192.21.1.83 443 18.19.20.22 443 extendable
!

Below is the remote access VPN split-tunnel ACL:

ip access-list extended ACL_SPLIT_VPN
permit ip 192.21.1.0 0.0.0.255 172.31.9.0 0.0.0.255
permit ip 192.21.4.0 0.0.0.255 172.31.9.0 0.0.0.255
permit ip host 192.21.2.120 172.31.9.0 0.0.0.255

!

After connecting to the remote access VPN, the user gets an IP in the 192.31.9.0/24 subnet, as below:

ip local pool POOL_CLIENT_VPN 192.31.9.5 172.31.9.25

!

With that IP the VPN user can ping the server 192.21.1.18 but cannot RDP to it, because RDP (3380) is statically NATed, so VPN users cannot connect.

!

For normal Internet access, the NAT config is as below:

ip nat inside source list ACL_NAT_NET interface GigabitEthernet0/0/0 overload

ip access-list extended ACL_NAT_NET
remark ACL for Servers to get Internet
deny ip host 192.21.1.30 any
deny ip host 192.21.9.10 any
deny ip host 192.21.9.11 any
deny ip host 192.21.1.25 any
deny ip host 192.21.1.26 any
deny ip host 192.21.2.93 any
deny ip any 192.21.9.0 0.0.0.255
deny ip any 192.31.9.0 0.0.0.255
deny ip any 192.168.1.0 0.0.0.255
deny ip any host 192.168.83.4
deny ip any host 192.168.83.36
deny ip any 192.26.3.0 0.0.0.255
deny ip any 192.21.50.0 0.0.0.255
permit ip host 192.21.1.10 any
permit ip host 192.21.1.11 any
permit ip host 192.21.1.17 any
permit ip host 192.21.1.19 any
permit ip host 192.21.1.28 any
permit ip host 192.21.1.46 any
permit ip host 192.21.1.101 any
permit ip host 192.21.1.102 any
permit ip host 192.21.1.111 any
permit ip host 192.21.1.16 any
permit ip host 192.21.2.62 any
permit ip 192.21.5.128 0.0.0.63 any
permit ip 192.21.15.128 0.0.0.63 any
deny ip any any

Remote VPN user IP after login: 192.31.9.17

ping 192.21.1.18 - ok

telnet 192.21.1.18 3389 - not ok

3 Replies

mvsheik123
Level 7

Hello,

Looks like the remote client IP address range is: 192.31.9.5 192.31.9.25.

However, your post shows it as: 192.31.9.5 172.31.9.25

Also, the split ACL shows the 172.31.9.x range. Make sure your router is configured with the correct addresses.

Check the below links for basic configurations:

http://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/91193-rtr-ipsec-internet-connect.html

hth

MS

Dear Friend,

Thanks for your response. Please find some corrections to my post.

Remote client IP address range is: 192.31.9.5 192.31.9.25.

ip access-list extended ACL_SPLIT_VPN
permit ip 192.21.1.0 0.0.0.255 192.31.9.0 0.0.0.255
permit ip 192.21.4.0 0.0.0.255 192.31.9.0 0.0.0.255
permit ip host 192.21.2.120 192.31.9.0 0.0.0.255

!

Remote VPN users are getting their IP from the 192.31.9.0/24 subnet.

The split-tunnel ACL is as above: from the inside source subnets 192.21.1.0/24, 192.21.4.0/24 and 192.21.2.120/32 to the remote VPN pool 192.31.9.0/24.

!

We need to alter the existing ip nat configuration using some sort of route-map to exclude the VPN traffic from the normal Internet access subnets.

Please advise.

Thx 
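The following is an added configuration example for the route-map approach the poster asks about; it is not from the thread or from Cisco, and the names ACL_NAT_STATIC and RM_NAT_STATIC are assumptions chosen here. The dynamic overload NAT is already exempted from the VPN pool by the "deny ip any 192.31.9.0 0.0.0.255" line in ACL_NAT_NET, but the two static TCP entries are unconditional: the server's replies from 192.21.1.18:3389 toward a VPN client in 192.31.9.0/24 are translated to 18.19.20.21:3389, so the client never sees a reply from the address it connected to (ICMP is untouched by a TCP port translation, which is why ping still works). Tying the static entries to a route-map whose ACL denies the VPN pool as destination leaves the translation in place for the Internet while bypassing it for VPN clients.

```cisco
! Added example (not the thread's config). ACL_NAT_STATIC and RM_NAT_STATIC
! are assumed names. Addresses and ports are the ones posted in the thread.
!
! Traffic to the remote VPN pool must NOT be translated; everything else may be.
ip access-list extended ACL_NAT_STATIC
 remark Exempt the remote-access VPN pool from the static port translations
 deny   ip any 192.31.9.0 0.0.0.255
 permit ip any any
!
! Static NAT only applies when the packet matches this route-map's permit clause.
route-map RM_NAT_STATIC permit 10
 match ip address ACL_NAT_STATIC
!
! Replace the unconditional static entries with route-map-bound ones.
no ip nat inside source static tcp 192.21.1.18 3389 18.19.20.21 3389 extendable
no ip nat inside source static tcp 192.21.1.83 443 18.19.20.22 443 extendable
ip nat inside source static tcp 192.21.1.18 3389 18.19.20.21 3389 extendable route-map RM_NAT_STATIC
ip nat inside source static tcp 192.21.1.83 443 18.19.20.22 443 extendable route-map RM_NAT_STATIC
```

Existing translations are not re-evaluated when the entries change, so clear the dynamic table with "clear ip nat translation *" (outside a change window this interrupts active Internet sessions) before testing, then confirm with "show ip nat translations" that a VPN client session to 192.21.1.18:3389 appears with no translation entry while an Internet client to 18.19.20.21:3389 still does. Keep the corrected split-tunnel ACL (192.31.9.0/24, not 172.31.9.0/24) in place, otherwise the server-to-pool return traffic is not routed into the tunnel regardless of NAT.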

Hi,

Did you check the link I provided? Also, Google for more examples. If you still have issues, post your router config and someone will definitely be able to help you.

Thx

MS