11-28-2000 04:19 AM - edited 02-21-2020 11:15 AM
We have a Cisco 1750 router on which we have configured a VPN with our overseas office. We are able to get VPN connectivity with it. We have an MS-Exchange server installed in our intranet. The Exchange server site connector is configured for our overseas office's Exchange mail server. My Exchange database replication is happening via the VPN.
I want my intranet mail server to be accessible over the internet so that my office employees are able to access their mail from their residences as well (i.e. over the internet). If I configure NAT on my router to get a static IP (i.e. a valid IP) for my Exchange server, I don't get VPN connectivity with my Exchange server and my Exchange database does not get updated with my overseas Exchange server.
Can you guide me on this?
Thanks
Rajesh Rane
12-09-2000 10:39 AM
Rajesh -
What kind of VPN are you using? I'll assume IPSEC.
Using what I understand of your problem (w/o NAT, the VPN works fine, w/NAT, VPN breaks), the first thing I'd check on both sides is to see that your crypto-maps match the post-NATted address (NAT occurs before encryption on an egress interface).
debug crypto ipsec
debug crypto isakmp
are useful debug commands to see what the router is doing (or not doing, as the case may be).
Also consider the security of that host in general - if you're providing the Internet access to a host within your Intranet, if that host is compromised, it could be a jumping-off point for further attacks within your network. Any host that is visible to the Internet should at least be in a DMZ of some sort.
Chapman and Zwicky's "Building Internet Firewalls" book is a great reference for this kind of thing...
Hope this helps
-Rakesh
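An added illustration of the check suggested in the reply above (not part of the original thread, and not Cisco code): a small Python model of the egress order it describes, NAT first and the crypto-map ACL match second. All addresses and names are constructed sample values, and the ACLs are modelled as simple (source, destination) permit pairs.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (not taken from the thread).
EXCHANGE_INSIDE = ip_address("10.1.1.10")     # local Exchange server
EXCHANGE_PUBLIC = ip_address("203.0.113.10")  # its static NAT address
REMOTE_EXCHANGE = ip_address("10.2.2.10")     # overseas Exchange server
REMOTE_LAN = ip_network("10.2.2.0/24")

STATIC_NAT = {EXCHANGE_INSIDE: EXCHANGE_PUBLIC}

# Crypto ACLs as lists of (source network, destination network) permits.
ACL_PRE_NAT = [(ip_network("10.1.1.0/24"), REMOTE_LAN)]
ACL_POST_NAT = [(ip_network("203.0.113.10/32"), REMOTE_LAN)]

# What the overseas router would need to hold in each case.
PEER_ACL_STALE = [(REMOTE_LAN, ip_network("10.1.1.0/24"))]
PEER_ACL_UPDATED = [(REMOTE_LAN, ip_network("203.0.113.10/32"))]


def translate(src, static_nat):
    """Inside-to-outside static NAT: rewrite the source if a mapping exists."""
    return static_nat.get(src, src)


def egress(src, dst, static_nat, crypto_acl):
    """Apply NAT, then test the translated packet against the crypto ACL.

    Returns (source address on the wire, selected for IPsec?).
    """
    wire_src = translate(src, static_nat)
    protected = any(wire_src in s and dst in d for s, d in crypto_acl)
    return wire_src, protected


def mirrored(local_acl, peer_acl):
    """The peer's ACL must be the local one with source/destination swapped."""
    return {(d, s) for s, d in local_acl} == set(peer_acl)


if __name__ == "__main__":
    cases = [("no NAT, original ACL", {}, ACL_PRE_NAT),
             ("static NAT, original ACL", STATIC_NAT, ACL_PRE_NAT),
             ("static NAT, post-NAT ACL", STATIC_NAT, ACL_POST_NAT)]
    for label, nat, acl in cases:
        print(label, egress(EXCHANGE_INSIDE, REMOTE_EXCHANGE, nat, acl))
```

In this model the second case is the symptom described in the question: once the static translation exists, the server's traffic no longer matches the ACL written for its private address, so it is not selected for the tunnel.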
12-11-2000 07:23 AM
I'd suggest starting with the firewall debugs. After that, check your NT box and see if it's multi-homed. I've learned packet filter firewalls don't like multi-homed NT boxes as they track the IP addresses, and if the source address changes it can terminate the session. If all those turn out alright I'd try sniffing the wire.
01-07-2001 05:40 AM
Here are the Microsoft Q articles you will need to read and interpret to implement them in your environment. This helped me with another type of VPN.
Article ID: Q155831
Article ID: Q148732
Article ID: Q180795
Article ID: Q176466
http://www.microsoft.com/ISN/faq/ports_used_nt_and_exchange.asp
This will get you going in the right direction.