[c-nsp] Easy VPN Woes with NAT and IOS
Jeremy Parr
jeremyparr at gmail.com
Mon Mar 28 21:54:14 EST 2005
Attempting to establish remote connectivity to a 1721 using the Cisco
VPN Client. Everything works well if I remove NAT from the router, but
if NAT is enabled, the router NATs its replies to me. If I connect to
the VPN and ping 192.168.10.5 (an NT server behind the router), I get
a reply from 192.168.10.5. Once I enable NAT on the router and ping
again, the reply comes from the outside interface of the router. This
is not good. I have played with route-maps and access lists on my 'ip
nat inside' statement to no avail. Config follows:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname gem-1760-01
!
boot-start-marker
boot system flash:c1700-k9o3sy7-mz.123-11.T3.bin
boot-end-marker
!
enable secret
!
username bgc
username admin
username cisco
clock timezone EST -5
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userlist local
aaa authorization network grouplist local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
!
!
ip cef
ip domain name bgcfreedom.com
ip name-server 24.244.175.133
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 1
group 2
!
crypto isakmp policy 3
hash md5
authentication pre-share
group 2
crypto isakmp identity hostname
!
crypto isakmp client configuration group cisco
key xxx
dns 192.168.10.5
wins 192.168.10.5
domain globalequity.local
pool green
acl 199
!
!
crypto ipsec transform-set dessha esp-3des esp-sha-hmac
!
!
crypto dynamic-map mode 1
set transform-set dessha
!
!
!
!
crypto map mode client authentication list userlist
crypto map mode isakmp authorization list grouplist
crypto map mode client configuration address respond
crypto map mode 1 ipsec-isakmp dynamic mode
!
!
!
interface Ethernet0/0
ip address <wan ip>
ip nat outside
ip virtual-reassembly
half-duplex
no cdp enable
crypto map mode
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
speed auto
no cdp enable
!
interface Ethernet1/0
no ip address
shutdown
half-duplex
no cdp enable
!
ip local pool green 192.168.11.1 192.168.11.10
ip classless
ip route 0.0.0.0 0.0.0.0 24.244.150.1
no ip http server
ip http secure-server
!
ip nat inside source list 100 interface Ethernet0/0 overload
ip nat inside source static tcp 192.168.10.5 3389 <wan ip> 3389 extendable
!
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 199 permit ip 192.168.10.0 0.0.0.255 any
no cdp run
!
route-map nonat permit 10
match ip address 199
!
radius-server host 192.168.10.5 auth-port 1812 acct-port 1813 key 7 <radius key>
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
ntp clock-period 17208063
ntp server 192.5.41.40
end
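The usual way to keep LAN-to-VPN-client traffic out of NAT on IOS is a NAT exemption: an ACL that denies (i.e. does not translate) traffic from the inside network to the VPN address pool before permitting everything else, bound to the overload rule through a route-map. The following is an added example, not the poster's running configuration and not a reply from the list; ACL number 110 is an assumption, and the pool mask assumes the pool 192.168.11.1-192.168.11.10 sits inside 192.168.11.0/28 (wildcard 0.0.0.15).

```cisco
! Added example, not the poster's config. ACL 110 and the pool mask
! are assumptions; adjust them to the live addressing.
!
! Deny = do not translate. LAN -> VPN pool must be listed first,
! before the catch-all permit that feeds the PAT overload.
access-list 110 deny   ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.15
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
!
! The original config defines route-map nonat (matching ACL 199, which
! permits everything) but never applies it to NAT. "match ip address"
! is additive, so remove the old match before adding the new one.
route-map nonat permit 10
 no match ip address 199
 match ip address 110
!
! Replace the list-based overload rule with the route-map based one.
no ip nat inside source list 100 interface Ethernet0/0 overload
ip nat inside source route-map nonat interface Ethernet0/0 overload
!
! Verification (run from enable mode after a client reconnects and
! pings 192.168.10.5): the deny line's hit counter should increment and
! no translation for a 192.168.11.x destination should be listed.
! show access-lists 110
! show ip nat translations
```

Two points worth checking against the box. First, ACL 199 stays in place as the split-tunnel list under the client configuration group; only the route-map's reference to it changes. Second, this exemption covers only the dynamic overload rule: the static port translation for 192.168.10.5 tcp/3389 on the outside interface is a separate NAT entry and is not affected by ACL 110, so if a VPN client reaches that host on port 3389 and still sees the outside address, that static entry is where to look next.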