VPN with static AND dynamic NAT

rbuxton
Level 1

Hello. I have the following problem with a pair of Cisco 831 routers.

* Each router is connected to an ADSL modem, with a range of fixed static IPs

* Site A (main site) uses dynamic NAT for "normal" internet traffic. There are also several static NAT entries for servers that reside on the LAN.

* Site B connects to site A via a VPN

If Site B connects to a device on the LAN at Site A (via the VPN) this works OK - unless the device also has a static NAT entry.

For example. A device on LAN A has the IP 192.168.1.253 and also has a static NAT of 10.10.135.131. If a device on LAN B pings 192.168.1.253 this does not work. If it pings 10.10.135.133 it does work.

I believe that the replies to the pings in this case are being sent via the dynamic NAT, rather than the VPN.

I hope that this makes some sense!! The config is shown below (fake public IPs shown).

Please help!!

ip subnet-zero
no ip source-route
!
no ip bootp server
ip cef table adjacency-prefix validate
ip cef
ip ips notify SDEE
ip ips po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key MyKeyHere address 10.10.134.170
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set test_transform ah-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 11.x.x.170
 set transform-set test_transform ESP-3DES-SHA
 match address 102
!
interface Ethernet0
 ip address 192.168.1.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Ethernet1
 ip address 10.10.135.135 255.255.255.240
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip nat allow-static-host
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 service-policy output shape
 ip route-cache flow
 crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.135.129
!
ip http server
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
ip nat inside source static 192.168.1.253 10.10.135.131
ip nat inside source static 192.168.1.165 10.10.135.133
!
ip access-list extended NormalExternalNATRule
 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 deny ip 10.10.135.128 0.0.0.15 any
access-list 100 permit ip any any
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit udp host 11.x.x.170 host 10.10.135.135 eq non500-isakmp
access-list 101 permit udp host 11.x.x.170 host 10.10.135.135 eq isakmp
access-list 101 permit esp host 11.x.x.170 host 10.10.135.135
access-list 101 permit ahp host 11.x.x.170 host 10.10.135.135
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any host 10.10.135.131 eq www
access-list 101 permit tcp any host 10.10.135.133 eq ftp
access-list 101 permit tcp any host 10.10.135.133 eq www
access-list 101 permit icmp any host 10.10.135.135 time-exceeded log
access-list 101 permit icmp any host 10.10.135.135 unreachable log
access-list 101 deny ip any any log
!
route-map SDM_RMAP_1 permit 1
 match ip address NormalExternalNATRule

2 Replies

reswaran
Cisco Employee

Hi,

Can you replace the following two commands

ip nat inside source static 192.168.1.253 10.10.135.131
ip nat inside source static 192.168.1.165 10.10.135.133

with

ip nat inside source static 192.168.1.253 10.10.135.131 route-map SDM_RMAP_1
ip nat inside source static 192.168.1.165 10.10.135.133 route-map SDM_RMAP_1

Now let me know if it works.

-Ravikumar
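As an added illustration (not from this thread or from Cisco), the following Python model shows why the suggested fix works: on the inside-to-outside path the router translates the source address before the crypto map on Ethernet1 is consulted, so a static entry that ignores the route-map rewrites the VPN-bound reply to its public address and the crypto ACL no longer matches it. It assumes that crypto ACL 102 (not shown on the page) selects 192.168.1.0/24 to 192.168.100.0/24; the other addresses and ACLs are taken from the posted config.

```python
import ipaddress

def in_wildcard(ip, net, wildcard):
    """Cisco ACL semantics: bits set in the wildcard mask are 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(net))
    wc_i = int(ipaddress.IPv4Address(wildcard))
    return (ip_i & ~wc_i) == (net_i & ~wc_i)

def acl_match(acl, src, dst):
    """First-match evaluation; returns 'permit', 'deny' or None (implicit deny)."""
    for action, snet, swc, dnet, dwc in acl:
        if in_wildcard(src, snet, swc) and in_wildcard(dst, dnet, dwc):
            return action
    return None

# From the posted config: the route-map's ACL exempts LAN-A -> LAN-B (VPN) traffic.
NORMAL_EXTERNAL_NAT_RULE = [
    ("deny",   "192.168.1.0", "0.0.0.255", "192.168.100.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),  # any
]
# Assumption: crypto ACL 102 is not on the page; modelled as LAN-A -> LAN-B.
CRYPTO_ACL_102 = [("permit", "192.168.1.0", "0.0.0.255", "192.168.100.0", "0.0.0.255")]

STATIC_NAT = {"192.168.1.253": "10.10.135.131", "192.168.1.165": "10.10.135.133"}
OUTSIDE_IP = "10.10.135.135"  # Ethernet1 address used by the overload (PAT) rule

def inside_to_outside(src, dst, static_uses_route_map):
    """Model the inside->outside path: NAT decision first, then crypto-map match.

    Returns (source address after NAT, whether the crypto ACL selected the packet).
    The reply to a ping from LAN B is exactly such a packet (src on LAN A, dst on LAN B).
    """
    nat_permitted = acl_match(NORMAL_EXTERNAL_NAT_RULE, src, dst) == "permit"
    if src in STATIC_NAT:
        # A plain static entry always translates; with 'route-map SDM_RMAP_1'
        # it translates only when the route-map permits, so VPN traffic is left alone.
        translate = nat_permitted or not static_uses_route_map
        translated = STATIC_NAT[src] if translate else src
    else:
        translated = OUTSIDE_IP if nat_permitted else src
    encrypted = acl_match(CRYPTO_ACL_102, translated, dst) == "permit"
    return translated, encrypted
```

With the original static entries the reply from 192.168.1.253 leaves as 10.10.135.131 in the clear; with the route-map attached it keeps its LAN address and is selected by the crypto map, while internet-bound traffic from the same host is still translated.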

Hi Ravikumar,

Thank you for your prompt response.

I have implemented your suggestion and the problem has now been partially resolved.

I can now access the devices by their internal and NAT'ed addresses. However, I found that FTP/HTTP did not work correctly unless I created an access list on the branch Cisco that allows all traffic from the main site to the branch site. It seems that a second session is created using different port numbers which were being blocked by the firewall at the branch site. (see ACL marked **** on the branch config attached). Is this correct?

I now have a slightly different problem. A PC on the branch site connects to an exchange server on the main site (via the VPN). The communication seems OK (ping, etc works OK). But the connection to the Exchange server fails. I have also tried VNC and this also fails. It seems that the connection is either extremely slow and is timing out or that there is something terminating the session.

I have run an Ethereal trace and found that there are lots of RST packets being sent between the two devices after a short period of conversation. I assume that the session is being terminated for some reason?

Are you able to provide any further advice?

One further query: We have these 831s connected directly to a DSL modem with no external firewall. Do you think the 831 is sufficient to provide protection from the internet (and is my config correct?).

Thanks again

Richard