08-19-2011 02:58 PM
I have a Cisco 2911 router configured with a couple of VPN tunnels. The issue that I am having is that I cannot access the servers (WEB, EMAIL) through the tunnel. After looking around I found out that adding a route-map to my static NAT rule will fix the issue.
Once I do that I am able to access the servers through the VPN, but my local machines lose internet access.
So I have to delete the access list.
The issue seems to be with the
access-list 110 permit ip host <server ip> any
Thanks
Here is the relevant config:
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.20.21.228 80 74.119.152.20 80 extendable
ip nat inside source static tcp 172.20.21.228 443 74.119.152.20 443 extendable
ip nat inside source static tcp 172.20.21.228 5721 74.119.152.20 5721 extendable
ip nat inside source static udp 172.20.21.228 5721 74.119.152.20 5721 extendable
ip nat inside source static tcp 192.168.20.27 25 74.119.152.21 25 route-map SBS2008_AKOYA_NAT extendable
ip nat inside source static tcp 192.168.20.27 80 74.119.152.21 80 route-map SBS2008_AKOYA_NAT extendable
ip nat inside source static tcp 192.168.20.27 442 74.119.152.21 442 route-map SBS2008_AKOYA_NAT extendable
ip nat inside source static tcp 192.168.20.27 443 74.119.152.21 443 route-map SBS2008_AKOYA_NAT extendable
ip nat inside source static tcp 192.168.20.27 3389 74.119.152.21 3389 route-map SBS2008_AKOYA_NAT extendable
ip nat inside source static tcp 172.20.21.226 4158 74.119.152.22 4158 extendable
ip nat inside source static tcp 172.20.21.226 6051 74.119.152.22 6051 extendable
ip nat inside source static tcp 172.20.21.32 80 74.119.152.29 80 extendable
ip nat inside source static tcp 172.20.21.32 443 74.119.152.29 443 extendable
ip nat inside source static 172.20.21.3 74.119.152.30
ip route 0.0.0.0 0.0.0.0 74.119.152.1 10
ip route 172.20.254.0 255.255.255.0 172.20.21.3 5
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 172.20.21.0 0.0.0.255
access-list 23 permit 192.168.20.0 0.0.0.255
access-list 23 permit 172.20.21.0 0.0.0.255
access-list 23 permit 172.20.0.0 0.0.0.255
access-list 102 deny ip 192.168.20.0 0.0.0.255 172.20.24.0 0.0.0.255
access-list 102 deny ip 172.20.21.0 0.0.0.255 172.20.24.0 0.0.0.255
access-list 102 deny ip 172.20.21.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 102 permit ip 172.20.21.0 0.0.0.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
access-list 105 remark CCP_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 172.20.21.0 0.0.0.255 172.20.24.0 0.0.0.255
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.20.0 0.0.0.255 172.20.24.0 0.0.0.255
access-list 107 remark Office 2 Data Center VPN
access-list 107 permit ip 172.20.21.0 0.0.0.255 172.20.0.0 0.0.0.255
access-list 110 remark SBS2008_AKOYA_NAT Exeption
access-list 110 deny ip host 192.168.20.27 172.20.24.0 0.0.0.255
access-list 110 permit ip host 192.168.20.27 any
!
!
!
!
route-map SBS2008_AKOYA_NAT permit 1
match ip address 110
!
route-map SDM_RMAP_1 permit 1
match ip address 102
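As an added illustration (not part of the original thread or any Cisco code), here is a small Python model of how a NAT route-map decides whether an inside-to-outside flow is translated: an ACL is evaluated first-match with an implicit deny, a route-map sequence matches only when its ACL permits the flow, and falling off the end of the route-map means no translation. It replays ACLs 102 and 110 and the NAT statements from the config above against constructed flows. The ordering of the host static ahead of the overload rule, and the fall-through from an exempted static to the overload rule, are modelling assumptions; the string "GigabitEthernet0/0" stands in for the interface address, which the post does not give. The model shows the intended result of the configuration, not the loss of internet access the poster observed. The parser also rejects malformed host addresses, which is a cheap lint for typos before pasting an ACL into a router.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    # A Cisco wildcard is an inverted subnet mask: 0.0.0.255 -> 255.255.255.0
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _parse_addr(toks: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    # One address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'; returns (network, next index)
    if toks[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.IPv4Network(f"{toks[i + 1]}/32"), i + 2
    return _wildcard_to_network(toks[i], toks[i + 1]), i + 2


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list N {permit|deny} ip SRC DST' lines; remark lines are skipped.
    A malformed address such as 'host 192.168.254' raises ValueError from ipaddress."""
    entries = []
    for line in lines:
        toks = line.split()
        if len(toks) < 4 or toks[0] != "access-list" or toks[2] == "remark":
            continue
        if toks[3] != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line}")
        src, i = _parse_addr(toks, 4)
        dst, _ = _parse_addr(toks, i)
        entries.append(AclEntry(toks[2], src, dst))
    return entries


def acl_is_valid(lines: List[str]) -> bool:
    """Lint helper: True when every address in the ACL lines parses."""
    try:
        parse_acl(lines)
        return True
    except ValueError:
        return False


def acl_lookup(acl: List[AclEntry], src, dst) -> str:
    # First matching entry wins; every ACL ends with an implicit deny
    for e in acl:
        if src in e.src and dst in e.dst:
            return e.action
    return "deny"


RouteMap = List[Tuple[str, List[AclEntry]]]   # [(sequence action, matched ACL), ...]


def route_map_permits(rmap: RouteMap, src, dst) -> bool:
    # A sequence matches only when its ACL permits; an ACL deny just skips the sequence.
    # Reaching the end of the route-map means "do not translate".
    for action, acl in rmap:
        if acl_lookup(acl, src, dst) == "permit":
            return action == "permit"
    return False


@dataclass(frozen=True)
class StaticNat:
    inside_local: str
    inside_global: str
    route_map: Optional[RouteMap] = None   # None = unconditional static translation


def nat_decision(src: str, dst: str, statics: List[StaticNat], pat_rmap: RouteMap):
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    # Modelling assumption: the host static is consulted before the overload rule,
    # and a static exempted by its route-map falls through to the overload rule.
    for rule in statics:
        if s == ipaddress.IPv4Address(rule.inside_local):
            if rule.route_map is None or route_map_permits(rule.route_map, s, d):
                return ("static", rule.inside_global)
    if route_map_permits(pat_rmap, s, d):
        return ("pat", "GigabitEthernet0/0")   # overload on the outside interface address
    return ("none", src)                        # leaves the router untranslated


# ACLs and NAT statements as posted in the thread (a remark is included to show it is skipped)
ACL_102 = parse_acl([
    "access-list 102 deny ip 192.168.20.0 0.0.0.255 172.20.24.0 0.0.0.255",
    "access-list 102 deny ip 172.20.21.0 0.0.0.255 172.20.24.0 0.0.0.255",
    "access-list 102 deny ip 172.20.21.0 0.0.0.255 172.20.0.0 0.0.0.255",
    "access-list 102 permit ip 172.20.21.0 0.0.0.255 any",
    "access-list 102 permit ip 192.168.20.0 0.0.0.255 any",
])
ACL_110 = parse_acl([
    "access-list 110 remark SBS2008_AKOYA_NAT Exception",
    "access-list 110 deny ip host 192.168.20.27 172.20.24.0 0.0.0.255",
    "access-list 110 permit ip host 192.168.20.27 any",
])
SDM_RMAP_1: RouteMap = [("permit", ACL_102)]
SBS2008_AKOYA_NAT: RouteMap = [("permit", ACL_110)]
STATICS = [StaticNat("192.168.20.27", "74.119.152.21", SBS2008_AKOYA_NAT)]


def decide(src: str, dst: str):
    """Translation applied to an inside-to-outside flow under the thread's config."""
    return nat_decision(src, dst, STATICS, SDM_RMAP_1)


if __name__ == "__main__":
    # Constructed flows: the SBS server and another LAN host, each to the VPN subnet and the internet
    for flow in [("192.168.20.27", "172.20.24.5"), ("192.168.20.27", "8.8.8.8"),
                 ("192.168.20.50", "172.20.24.5"), ("192.168.20.50", "8.8.8.8")]:
        print(flow, "->", decide(*flow))
```

Running it shows the server's traffic to 172.20.24.0/24 leaving untranslated (the deny in ACL 110 skips the static, and the deny in ACL 102 skips the overload), while the same host's internet traffic is translated to 74.119.152.21 and other LAN hosts go through the overload rule.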
08-19-2011 05:00 PM
When you say "your local machines" lost internet access, can you please elaborate which subnet or IP address? Would it be just 192.168.20.27 losing internet access, or do all internal hosts lose internet access?
If it's all internal hosts losing internet access, that does not make sense, because they should be using "ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload", and that route map is different from the static PAT route-map.
All NAT statements have been correctly configured, btw.
I would try clearing the whole NAT translation table once you have created the new NAT statement, and see if it works both from internally and from the VPN.
08-19-2011 05:55 PM
Yes, I stand corrected. I did run a couple of tests and only 192.168.20.27 is losing internet connection.
Any suggestions ?
08-19-2011 06:19 PM
Route-map on static PAT seems to be a new feature; as far as I know, for a long time route-map on static PAT was not supported. Route-map was originally only supported on static NAT.
It is worth opening a TAC case to further troubleshoot the issue, as I suspect it might be a bug. As far as the configuration is concerned, it looks absolutely correct to me.
08-19-2011 08:13 PM
I think there is a bug with route-maps or something. I totally deleted access-list 110 and everything works. So the route-map points to an access-list that does not exist. Just adding the route-map to the static NAT causes it to work properly. Something does not add up.
I can access the server through the VPN tunnel and can also access the internet from the server.
If I remove the route-map from the static rule, the server is accessible from the outside but not through the tunnel.
If I add it with no access-list, everything works.
Once I add the access list, it works all the way up until I add the "access-list 110 permit ip host 192.168.20.27 any" line.
That stops the server from accessing the internet.
I will try TAC and see what they say...
Very weird.
08-19-2011 08:48 PM
Levi,
In case you want to access the internal server by its real IP address and not by the translated IP, a route-map must be configured: you define an ACL allowing the traffic from the server in question to the VPN pool and then assign this ACL to your route-map (these are the recommended settings when static rules are in place).
The next step is to create a loopback and define a random IP address, something like 1.1.1.1/30; then you define 1.1.1.2 as the next-hop in your route-map.
Once you have all this ready, apply the new route-map to the interface where the server is coming from, and that should bypass the static translation for the VPN traffic; the rest will work as usual. For instance:
1- Remote VPN network / Pool = 192.168.10.0/24
2- Server IP address = 192.168.1.254
! named extended ACL: server to VPN pool only
ip access-list extended NONAT_VPN
 permit ip host 192.168.1.254 192.168.10.0 0.0.0.255
!
interface loopback 0
ip address 1.1.1.1 255.255.255.252
!
route-map INSIDE_VPN_NONAT permit 10
 match ip address NONAT_VPN
 set ip next-hop 1.1.1.2
!
interface g0/0
ip policy route-map INSIDE_VPN_NONAT
!
Please let me know what your thoughts are about it.