Site to Site VPN, Local Server Access Internet

Levi Kadar
Level 1

I have a Cisco 2911 router configured with a couple of VPN tunnels. The issue that I am having is that I cannot access the servers (WEB, EMAIL) thru the tunnel. After looking around I found out that adding a route-map to my static NAT rule will fix the issue.

Once I do that I am able to access the servers thru the VPN but my local machines lose internet access.

So I have to delete the access list

The issue seems to be with the

Access list 110 permit ip host<server ip> any

Thx

Here is the relevant config

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.20.21.228 80 74.119.152.20 80 extendable
ip nat inside source static tcp 172.20.21.228 443 74.119.152.20 443 extendable
ip nat inside source static tcp 172.20.21.228 5721 74.119.152.20 5721 extendable
ip nat inside source static udp 172.20.21.228 5721 74.119.152.20 5721 extendable
ip nat inside source static tcp 192.168.20.27 25 74.119.152.21 25 route-map SBS2008_AKOYA_NAT extendable
ip nat inside source static tcp 192.168.20.27 80 74.119.152.21 80 route-map SBS2008_AKOYA_NAT extendable
ip nat inside source static tcp 192.168.20.27 442 74.119.152.21 442 route-map SBS2008_AKOYA_NAT extendable
ip nat inside source static tcp 192.168.20.27 443 74.119.152.21 443 route-map SBS2008_AKOYA_NAT extendable
ip nat inside source static tcp 192.168.20.27 3389 74.119.152.21 3389 route-map SBS2008_AKOYA_NAT extendable
ip nat inside source static tcp 172.20.21.226 4158 74.119.152.22 4158 extendable
ip nat inside source static tcp 172.20.21.226 6051 74.119.152.22 6051 extendable
ip nat inside source static tcp 172.20.21.32 80 74.119.152.29 80 extendable
ip nat inside source static tcp 172.20.21.32 443 74.119.152.29 443 extendable
ip nat inside source static 172.20.21.3 74.119.152.30
ip route 0.0.0.0 0.0.0.0 74.119.152.1 10
ip route 172.20.254.0 255.255.255.0 172.20.21.3 5
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 172.20.21.0 0.0.0.255
access-list 23 permit 192.168.20.0 0.0.0.255
access-list 23 permit 172.20.21.0 0.0.0.255
access-list 23 permit 172.20.0.0 0.0.0.255
access-list 102 deny   ip 192.168.20.0 0.0.0.255 172.20.24.0 0.0.0.255
access-list 102 deny   ip 172.20.21.0 0.0.0.255 172.20.24.0 0.0.0.255
access-list 102 deny   ip 172.20.21.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 102 permit ip 172.20.21.0 0.0.0.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
access-list 105 remark CCP_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 172.20.21.0 0.0.0.255 172.20.24.0 0.0.0.255
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.20.0 0.0.0.255 172.20.24.0 0.0.0.255
access-list 107 remark Office 2 Data Center VPN
access-list 107 permit ip 172.20.21.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 110 remark SBS2008_AKOYA_NAT Exeption
access-list 110 deny   ip host 192.168.20.27 172.20.24.0 0.0.0.255
access-list 110 permit ip host 192.168.20.27 any
!
route-map SBS2008_AKOYA_NAT permit 1
 match ip address 110
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
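To make the intended behaviour of the static NAT rules above concrete, here is a small Python model (added for this thread, not IOS code and not from the original post) of two things the question turns on: how IOS wildcard-mask ACL entries are matched first-match with an implicit deny, and how a route-map attached to an `ip nat inside source static` rule uses that ACL as a filter, where a permit match means "translate" and a deny or no match means "send the packet with its real address". The ACL 110 lines are copied from the posted configuration; the destination hosts 172.20.24.10 and 203.0.113.5 are constructed test inputs, and the function names are this example's own.

```python
"""Model of IOS wildcard ACL matching and of the translate/don't-translate
decision a NAT route-map makes for a static translation.
Illustrative code written for this thread; the ACL text is from the
question, the flows are constructed."""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard masks are the inverse of subnet masks: a 1 bit means
    'ignore this bit', so only the bits where the wildcard is 0 are compared."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_address(tokens):
    """Consume one ACL address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(config_text: str, number: str):
    """Collect the 'access-list <number> {permit|deny} ip SRC DST' entries of
    one numbered ACL in order; remarks and other ACLs are skipped."""
    entries = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["access-list", number]:
            continue
        if tokens[2] == "remark" or tokens[3] != "ip":
            continue
        src, rest = _take_address(tokens[4:])
        dst, _ = _take_address(rest)
        entries.append((tokens[2], src, dst))
    return entries


def acl_lookup(entries, src: str, dst: str) -> str:
    """First-match evaluation; an IOS ACL ends with an implicit deny."""
    for action, (s, sw), (d, dw) in entries:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"


def static_nat_source(entries, inside_local: str, inside_global: str,
                      src: str, dst: str) -> str:
    """Source address a packet leaves with under
    'ip nat inside source static ... route-map X': the translation applies
    only to flows the route-map's ACL permits, which is what keeps
    VPN-bound traffic on its real (inside local) address."""
    if src == inside_local and acl_lookup(entries, src, dst) == "permit":
        return inside_global
    return src


# ACL 110 exactly as posted in the question.
ACL_110 = """\
access-list 110 remark SBS2008_AKOYA_NAT Exeption
access-list 110 deny   ip host 192.168.20.27 172.20.24.0 0.0.0.255
access-list 110 permit ip host 192.168.20.27 any
"""


def classify_flows():
    """Run the thread's server (192.168.20.27, static to 74.119.152.21)
    against two constructed destinations: one inside the remote VPN subnet
    172.20.24.0/24 and one on the internet."""
    entries = parse_acl(ACL_110, "110")
    flows = {
        "to VPN host 172.20.24.10": "172.20.24.10",
        "to internet host 203.0.113.5": "203.0.113.5",
    }
    return {name: static_nat_source(entries, "192.168.20.27", "74.119.152.21",
                                    "192.168.20.27", dst)
            for name, dst in flows.items()}


if __name__ == "__main__":
    for name, src in classify_flows().items():
        print(f"{name}: packet leaves with source {src}")
```

Under this model the deny line keeps the server on 192.168.20.27 toward the VPN subnet and the permit line translates everything else to 74.119.152.21, which is the behaviour the replies describe as correct; that is why the symptom in the thread (the server losing internet once the permit line is added) reads as something other than an ACL logic error.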

5 Replies

Jennifer Halim
Cisco Employee

When you say "your local machines" lost internet access, can you please elaborate which subnet or IP address? Would it be just the 192.168.20.27 losing internet access, or all internal hosts losing internet access?

If it's all internal hosts losing internet access, that does not make sense, because they should be using "ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload" and the route map is different to the static PAT route-map.

All NAT statements have been correctly configured btw.

I would try to clear all the NAT translation table once you have created the new NAT statement, and see if it works both from the inside and from the VPN.

Yes, I stand corrected. I did run a couple of tests and only 192.168.20.27 is losing internet connection.

Any suggestions ?

Route-map on static PAT seems to be a new feature, as I know that for a long time route-map on static PAT was not supported. Route-map was only supported on static NAT originally.

It is worth opening up a TAC case to further troubleshoot the issue, as I am suspecting it might be a bug. As far as the configuration is concerned, it looks absolutely correct to me.

I think there is a bug with route-maps or something. I totally deleted access-list 110 and everything works. So the route-map points to an access-list that does not exist. Just by adding the route-map in the static NAT it causes it to work properly. Something does not add up.

I can access the server thru the VPN tunnel and also can access internet from the server

If I remove the route-map from the static rule the server is accessible from the outside but not thru the tunnel

If I add that with no access-list everything works

Once I add the access list it works all the way up till I add the access-list 110 permit ip host 192.168.20.27 any

That stops the server from accessing the internet .

I will try TAC see what they say …

Very weird

Levi,

In case you want to access the internal server by its real IP address and not by the translated IP, a route-map must be configured: you define an ACL allowing the traffic from the server in question to the VPN pool and then assign this ACL to your route-map (these are the recommended settings when static rules are in place).

The next step is to create a loopback and define a random IP address, something like 1.1.1.1/30, then you define 1.1.1.2 as the next-hop in your route-map.

Once you have all this ready, apply the new route-map to the interface where the server is coming from and that should bypass the static translation for the VPN traffic, the rest will work as usual, for instance:

1- Remote VPN network / Pool = 192.168.10.0/24

2- Server IP address = 192.168.1.254

! Named extended ACL: the server's real address to the remote VPN pool
ip access-list extended NONAT_VPN
 permit ip host 192.168.1.254 192.168.10.0 0.0.0.255
!
interface loopback 0
 ip address 1.1.1.1 255.255.255.252
!
route-map INSIDE_VPN_NONAT permit 10
 match ip address NONAT_VPN
 set ip next-hop 1.1.1.2
!
interface g0/0
 ip policy route-map INSIDE_VPN_NONAT
!

Please let me know what your thoughts are about it.
