VPN and internal addresses with NAT translation

Hi,

We have a Cisco 1720 with PXI & VPN. I've noticed that when we log in to the VPN from a remote site (e.g. home), I can't ping or get access to servers that have a NAT translation on them, e.g.

ip nat inside source static A.B.C.D W.X.Y.Z

I can't ping the internal A.B.C.D address. Are there any changes I can make to fix this? One of the addresses is the Active Directory server.

Thanks

4 Replies

gfullage
Cisco Employee

Follow the sample config here (http://www.cisco.com/warp/public/707/static.html). Read the instructions on why a loopback and policy routing is required on the "daphne" router.

Basically you normally bypass NAT for the IPsec traffic; this is done using a route-map in your NAT statement. However, when you have a static translation set up, that is not bypassed by your NAT route-map because it's a separate command. For the statics, you still need to bypass NAT, and the way to do this is to create a loopback with any address on it, and then policy-route traffic for the static through this loopback interface. Because the traffic comes in on the "ip nat inside" interface, then goes through the loopback interface which has no NAT configuration on it, then out the "ip nat outside" interface, NAT is actually bypassed and everything works.

It may seem confusing, but if you think through it logically it makes sense.
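A worked configuration of the loopback plus policy-routing bypass described above, added here as an illustration; it is not part of gfullage's reply or of the linked Cisco document. It assumes the addressing used elsewhere in this thread: the inside LAN on Ethernet0/0 (ip nat inside), the public interface Ethernet0/1 (ip nat outside), a VPN client pool of 192.168.0.0/24, and one statically translated host written as A.B.C.D / W.X.Y.Z exactly as in the question. The loopback address 10.255.255.1/30, the next-hop 10.255.255.2, access-list 150 and the route-map name nonat-static are arbitrary choices for the example.

```cisco
! Statically translated AD server (placeholders A.B.C.D / W.X.Y.Z from the question)
ip nat inside source static A.B.C.D W.X.Y.Z
!
! Loopback with no NAT role. The address is arbitrary (assumed here);
! it only has to be unused elsewhere in the network.
interface Loopback0
 ip address 10.255.255.1 255.255.255.252
!
! Only the flow that must NOT be translated: the static host talking to
! addresses in the VPN client pool.
access-list 150 permit ip host A.B.C.D 192.168.0.0 0.0.0.255
!
! Policy-route that flow to an address on the loopback subnet. The packet
! is sent out Loopback0 (no "ip nat outside", so the static does not fire),
! comes back in from Loopback0 (no "ip nat inside") and is then routed to
! Ethernet0/1 untranslated, where it matches the IPsec SA to the client.
route-map nonat-static permit 10
 match ip address 150
 set ip next-hop 10.255.255.2
!
! Attach the policy on the inside interface, where the packet arrives.
interface Ethernet0/0
 ip nat inside
 ip policy route-map nonat-static
```

To check it, `show ip policy` should list nonat-static on Ethernet0/0, the match counter in `show route-map nonat-static` should increase when A.B.C.D replies to a ping from a VPN client, and `show ip nat translations` should not show an entry for that A.B.C.D-to-192.168.0.x flow. Keep access-list 150 as narrow as the VPN pool: everything it matches leaves the router untranslated, so a broader match (for example `permit ip host A.B.C.D any`) would stop the static translation for that host's ordinary Internet traffic and leak its private address.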

jeff_caprock
Level 1

I just got done with the exact same problem, and the fix was not obscure, but brain-rattling until we figured it out. I'm making the presumption that this is a VPN client PC connecting to the edge router? The attached config is just such a sample that doesn't exist on TAC. The main problem is that the VPN configs, while correct, don't say that any existing NAT statements for inside to outside must first be removed _before_ using the sample config! There can be only _one_ NAT statement for inside addresses headed to the outside, and it is this part of the config that uses the nonat route-map.

Take a look at this config, and let me know if you still have questions. My TAC engineer told me that this config might wind up as a new TAC-tested config; it works perfectly for any PC.

-Jeff

----------------------------------------------------------------
! Test credential as posted. In practice use "username ... secret"
! (hashed) rather than "password", and a real passphrase.
username testvpn password 12345
!
! The crypto map below references AAA lists userauthen and groupauthor,
! which were not in the posted config; these three lines are assumed so
! the map can be applied (local user/group database).
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
ip subnet-zero
!
! Phase 1 policy for the VPN client (3DES/SHA-1/group 2 reflect the era of the post)
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
! Mode-config attributes pushed to clients in group "mygroup"
crypto isakmp client configuration group mygroup
 key mykey
 dns 192.168.1.5
 wins 192.168.1.5
 domain mydomain.net
 pool ipsec-pool
!
crypto ipsec transform-set bciset esp-3des esp-sha-hmac
!
! The posted config referenced "myset" here, which is never defined;
! it must name the transform set configured above.
crypto dynamic-map dynmap 10
 set transform-set bciset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0/0
 description Connected to Cisco 2924 Port 24
 ip address 192.168.1.100 255.255.255.0
 ip nat inside
 half-duplex
!
interface Ethernet0/1
 description Outside public interface
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 no cdp enable
 crypto map clientmap
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 network 10.0.0.0 0.255.255.255 area 0.0.0.0
 network 172.16.0.0 0.0.31.255 area 0.0.0.0
 network 192.168.0.0 0.0.255.255 area 0.0.0.0
 default-information originate
!
! Addresses handed to VPN clients; must be excluded from NAT below
ip local pool ipsec-pool 192.168.0.50 192.168.0.75
!
! The single inside-to-outside NAT statement. Its route-map exempts
! LAN-to-client-pool traffic so it is encrypted instead of translated.
ip nat inside source route-map nonat interface Ethernet0/1 overload
!
access-list 191 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 191 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 191
!
----------------------------------------------------------------

Thanks for your assistance. I'll give these a go and see what happens.

In answer to your question: people are getting access to the VPN from laptops or home PCs through a private ISP.

Then that config I posted is exactly what we're doing as well, and it should work fine.

-Jeff