VPN got problem to ping to one server after configured one-to-one NAT

phyopaingag
Level 1

My VPN was working fine before the client added the Exchange Server and edited my configuration.

After the client added the Exchange Server and edited my configuration, my VPN got a problem.

I fixed some portions, but there is still one issue: I can't ping the Exchange server's local IP address (192.168.1.2).

One thing I noticed is that I can ping that IP, 192.168.1.2, if I remove "ip nat inside source static 192.168.1.2 116.xx.xx.xx extendable".

Someone please check the below configuration and advise me.

I would appreciate any kind of suggestion.

Thanks.

version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3333835941
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3333835941
revocation-check none
rsakeypair TP-self-signed-3333835941
!
!
crypto pki certificate chain TP-self-signed-3333835941
certificate self-signed 01
        quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.1.201 192.168.1.254
!
ip dhcp pool ccp-pool1
   network 192.168.1.0 255.255.255.0
   domain-name Fareastp
   dns-server 192.168.1.2 165.21.83.88
   default-router 192.168.1.1
!
!
no ip cef
ip name-server 192.168.1.2
ip name-server 165.21.83.88
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FHK142971LH
!
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
ip tcp synwait-time 10
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN
key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
dns 192.168.1.2 165.21.83.88
domain fareastp
pool SDM_POOL_1
acl 101
include-local-lan
max-users 20
netmask 255.255.255.0
!
crypto ipsec security-association idle-time 3600
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DYNVPN 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map clientmap client authentication list ciscocp_vpn_xauth_ml_1
crypto map clientmap isakmp authorization list ciscocp_vpn_group_ml_1
crypto map clientmap client configuration address respond
crypto map clientmap 65535 ipsec-isakmp dynamic DYNVPN
!
!
!
!
!
interface Loopback0
ip address 192.168.250.99 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description WAN$ES_WAN$
ip address 119.xx.xx.xx 255.255.255.252
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface Vlan1
description LAN
ip address 116.xx.xx.xx 255.255.255.240 secondary
ip address 192.168.1.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.2.201 192.168.2.254
ip local pool POOL_2 10.10.1.2 10.10.1.200
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.1.4 16000 interface FastEthernet4 16000
ip nat inside source static tcp 192.168.1.4 16001 interface FastEthernet4 16001
ip nat inside source static tcp 192.168.1.4 591 interface FastEthernet4 591
ip nat inside source static tcp 192.168.1.4 2399 interface FastEthernet4 2399
ip nat inside source static tcp 192.168.1.4 3306 interface FastEthernet4 3306
ip nat inside source static tcp 192.168.1.4 1433 interface FastEthernet4 1433
ip nat inside source static tcp 192.168.1.4 5353 interface FastEthernet4 5353
ip nat inside source static udp 192.168.1.4 5003 interface FastEthernet4 5003
ip nat inside source list 101 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.2 1723 interface FastEthernet4 1723
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static 192.168.1.2 116.xx.xx.xx extendable
ip route 0.0.0.0 0.0.0.0 119.xx.xx.xx
!
logging trap debugging
access-list 101 remark CCP_ACL Category=22
access-list 101 deny   tcp host 116.xx.xx.81 eq smtp any
access-list 101 deny   tcp host 116.xx.xx.82 eq smtp any
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.192 0.0.0.63
access-list 101 permit ip 192.168.2.192 0.0.0.63 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.192 0.0.0.63 host 116.12.248.82
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Accepted Solutions

Marcin Latosiewicz
Cisco Employee

Hi,

NATting is done before encryption.

So if you want to access the server via its private IP you need to make sure you exclude traffic from/to VPN users from being NATed (route-map on NAT statement is a typical way).

Otherwise move to DVTI based solution which should not be affected by this problem.

Marcin


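One way to apply the exemption Marcin describes to the static one-to-one mapping in the posted configuration (the posted ACL 101 already exempts the VPN pool from the overload NAT, but the static translation is unconditional). This is an added example, not part of the original thread: the ACL number 120 and route-map name NONAT_STATIC are assumed, 116.xx.xx.xx is the masked public address from the post, and it assumes this IOS release accepts a route-map on a static translation.

```cisco
! Added example, not from the original post. ACL 120 and route-map
! NONAT_STATIC are assumed names; 116.xx.xx.xx is the masked address
! from the posted configuration.
!
! NAT runs before IPsec on inside-to-outside traffic, so the server's
! reply to a VPN client (192.168.2.192/26, pool SDM_POOL_1) would be
! source-translated to 116.xx.xx.xx before the crypto map encrypts it,
! and the client then sees a reply from the wrong address. The ACL
! denies (exempts) only that traffic; everything else from the server
! keeps its one-to-one public mapping.
access-list 120 remark NAT exemption for VPN client pool SDM_POOL_1
access-list 120 deny   ip host 192.168.1.2 192.168.2.192 0.0.0.63
access-list 120 permit ip host 192.168.1.2 any
!
route-map NONAT_STATIC permit 10
 match ip address 120
!
! Replace the unconditional static translation with the qualified one.
no ip nat inside source static 192.168.1.2 116.xx.xx.xx extendable
ip nat inside source static 192.168.1.2 116.xx.xx.xx route-map NONAT_STATIC extendable
!
! Verification after a client connects and pings the server:
!   show ip nat translations | include 192.168.1.2
!     (no entry with a 192.168.2.x outside address should appear)
!   show crypto ipsec sa
!     (encaps/decaps counters for the client's SA should increase)
```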