Static NAT issue on an ISR 4431

hgoshev
Level 1

Greetings, fellow network engineers,


After upgrading from a 2851 to a 4431 ISR and migrating the configuration, I have been struggling with getting PPTP VPN to work from the outside. I have an internal Windows-based VPN server with an IP address of 10.14.0.249; 78.83.101.236 is the public IP address that is dedicated to VPN clients, and 78.83.101.234 is the one I use for all other purposes.


When a PPTP client tries to connect, I am getting hits on port 1723 on 78.83.101.236 in the InternetAccess ACL; however, no packets seem to reach the server. That makes me think that my static NAT mapping is no longer functioning correctly. Here is the part of the configuration pertaining to this:


interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/0/0.20
description Internal
encapsulation dot1Q 20
ip address 10.14.0.1 255.255.252.0
ip nat inside
!
interface GigabitEthernet0/0/1.3419
description External
encapsulation dot1Q 3419
ip address 78.83.101.235 255.255.255.248 secondary
ip address 78.83.101.236 255.255.255.248 secondary
ip address 78.83.101.234 255.255.255.248
ip nat outside
ip access-group InternetAccess in
!
ip nat inside source static 10.14.0.249 78.83.101.236 extendable
ip nat inside source route-map MainISP interface GigabitEthernet0/0/1.3419 overload
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 78.83.101.233 2
!
route-map MainISP permit 10
match ip address 120
match interface GigabitEthernet0/0/1.3419
!
ip access-list extended InternetAccess
permit tcp any host 78.83.101.236 eq 1723 log
permit udp any host 78.83.101.236 eq 1723 log
permit gre any any log
permit tcp any host 78.83.101.236 eq 443
deny tcp any any eq www
deny tcp any any eq 5061 log
deny tcp any any eq 22
deny tcp any any eq 443
deny tcp any any eq ftp
deny udp any any eq tftp
deny tcp any any eq 8000
deny tcp any any eq 1040
deny tcp any any eq 2000
deny udp any any eq 2000
deny tcp any any eq 1720 log
deny tcp any any eq 1719
deny tcp any any eq 11719
deny tcp any any eq 11720
deny udp any any eq 1720
deny tcp any any eq 5060
deny udp any any eq 5060
deny udp any any eq 2427
deny udp any any eq 2428
deny tcp any any eq 2428
deny tcp any any eq 2427
deny udp any any eq 23
deny ip any host 78.83.101.236
permit ip any any
!
access-list 120 deny ip 10.14.0.0 0.0.3.255 10.10.0.0 0.0.255.255
access-list 120 deny ip 10.14.4.0 0.0.3.255 10.10.0.0 0.0.255.255
access-list 120 deny ip 10.14.0.0 0.0.3.255 192.168.50.0 0.0.0.255
access-list 120 deny ip 10.14.4.0 0.0.3.255 192.168.50.0 0.0.0.255
access-list 120 deny ip 10.14.0.0 0.0.3.255 192.168.1.0 0.0.0.255
access-list 120 deny ip 10.14.4.0 0.0.3.255 192.168.1.0 0.0.0.255
access-list 120 deny ip 10.14.0.0 0.0.3.255 10.200.1.0 0.0.0.255
access-list 120 deny ip 10.14.4.0 0.0.3.255 10.200.1.0 0.0.0.255
access-list 120 deny ip 10.14.0.0 0.0.3.255 10.100.0.0 0.0.0.255
access-list 120 deny ip 10.14.0.0 0.0.3.255 10.100.102.0 0.0.0.255
access-list 120 deny ip 10.14.0.0 0.0.3.255 10.100.103.0 0.0.0.255
access-list 120 deny ip 10.14.4.0 0.0.3.255 10.100.0.0 0.0.0.255
access-list 120 deny ip 10.14.4.0 0.0.3.255 10.100.102.0 0.0.0.255
access-list 120 deny ip 10.14.4.0 0.0.3.255 10.100.103.0 0.0.0.255
access-list 120 deny ip 10.14.0.0 0.0.3.255 10.15.0.0 0.0.0.255
access-list 120 deny ip 10.14.4.0 0.0.3.255 10.15.0.0 0.0.0.255
access-list 120 deny ip 10.14.0.0 0.0.3.255 10.20.8.0 0.0.1.255
access-list 120 deny ip 10.14.0.0 0.0.3.255 10.20.12.0 0.0.3.255
access-list 120 deny ip 10.14.0.0 0.0.3.255 10.20.24.0 0.0.0.127
access-list 120 deny ip 10.14.4.0 0.0.3.255 10.20.8.0 0.0.1.255
access-list 120 deny ip 10.14.4.0 0.0.3.255 10.20.12.0 0.0.3.255
access-list 120 deny ip 10.14.4.0 0.0.3.255 10.20.24.0 0.0.0.127
access-list 120 deny ip 10.14.0.0 0.0.3.255 10.20.32.0 0.0.0.255
access-list 120 deny ip 10.14.4.0 0.0.3.255 10.20.32.0 0.0.0.255
access-list 120 deny ip 10.14.0.0 0.0.3.255 10.20.36.0 0.0.3.255
access-list 120 deny ip 10.14.4.0 0.0.3.255 10.20.36.0 0.0.3.255
access-list 120 deny ip 10.14.0.0 0.0.3.255 10.20.40.0 0.0.1.255
access-list 120 deny ip 10.14.4.0 0.0.3.255 10.20.40.0 0.0.1.255
access-list 120 deny ip 10.14.0.0 0.0.3.255 10.20.16.0 0.0.1.255
access-list 120 deny ip 10.14.4.0 0.0.3.255 10.20.16.0 0.0.1.255
access-list 120 deny ip 10.14.0.0 0.0.3.255 10.20.4.0 0.0.1.255
access-list 120 deny ip 10.14.0.0 0.0.3.255 10.3.1.0 0.0.0.255
access-list 120 deny ip 10.14.4.0 0.0.3.255 10.3.1.0 0.0.0.255
access-list 120 deny ip 10.14.4.0 0.0.3.255 10.20.4.0 0.0.1.255
access-list 120 deny ip 10.14.0.0 0.0.3.255 10.2.1.0 0.0.0.255
access-list 120 deny ip 10.14.0.0 0.0.3.255 10.30.0.0 0.0.0.255
access-list 120 deny ip 10.14.4.0 0.0.3.255 10.30.0.0 0.0.0.255
access-list 120 deny ip 10.14.0.0 0.0.3.255 10.4.0.0 0.0.255.255
access-list 120 deny ip 10.14.0.0 0.0.3.255 10.0.0.0 0.0.255.255
access-list 120 permit ip 10.14.0.0 0.0.3.255 any
access-list 120 permit ip 10.14.4.0 0.0.3.255 any


I am currently using:
Cisco IOS XE Software, Version 03.16.04b.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S4b, RELEASE SOFTWARE (fc1)


I appreciate your assistance with this!
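As an added check written for this thread (example code, not from the original post or from Cisco): a small Python model of the quoted InternetAccess ACL, first match wins, followed by the static NAT entry. It assumes the usual IOS order for outside-to-inside traffic, in which the inbound ACL on the outside interface sees the public destination before NAT translates it, and lets you confirm on paper that both TCP/1723 and GRE to 78.83.101.236 are permitted and mapped to 10.14.0.249, while other traffic to that address is dropped by the trailing deny.

```python
# Added example, not part of the original post: a first-match model of the
# InternetAccess ACL and static NAT mapping quoted above. The ACL text is
# abridged to the entries that matter for 78.83.101.236; IOS is the reference.
from collections import namedtuple

ACL_TEXT = """
permit tcp any host 78.83.101.236 eq 1723 log
permit udp any host 78.83.101.236 eq 1723 log
permit gre any any log
permit tcp any host 78.83.101.236 eq 443
deny tcp any any eq 22
deny tcp any any eq 443
deny ip any host 78.83.101.236
permit ip any any
"""
STATIC_NAT = {"78.83.101.236": "10.14.0.249"}  # ip nat inside source static

Packet = namedtuple("Packet", "proto dst dport", defaults=(0,))  # dport 0 = none

def parse_ace(line):
    """'action proto any (any|host X) [eq PORT] [log]' -> (action, proto, dst, port)."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 3  # tok[2] is the source, 'any' throughout
    dst = None
    if tok[i] == "host":
        dst, i = tok[i + 1], i + 2
    else:
        i += 1
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = int(tok[i + 1])
    return action, proto, dst, port

def acl_action(pkt, acl_text=ACL_TEXT):
    """First matching entry wins; an implicit deny closes the list."""
    for line in acl_text.strip().splitlines():
        action, proto, dst, port = parse_ace(line)
        if proto in ("ip", pkt.proto) and dst in (None, pkt.dst) \
                and port in (None, pkt.dport):
            return action
    return "deny"

def inside_destination(pkt):
    """The inbound ACL is checked before outside-to-inside NAT, so it sees the
    public address; only then does the static entry translate it."""
    if acl_action(pkt) != "permit":
        return None
    return STATIC_NAT.get(pkt.dst)  # no static entry: nothing to translate to
```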
