[c-nsp] Easy VPN Woes with NAT and IOS

Rey Martin rey.martin at qalacom.com
Mon Mar 28 22:18:00 EST 2005


Simply exclude the 'VPN traffic' from the NAT command:
"ip nat inside source list 100 interface Ethernet0/0 overload"

instead of this:
access-list 100 permit ip 192.168.10.0 0.0.0.255 any

use this:
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any


rey

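Added example (not from Rey's reply or from Cisco): a small Python model of IOS wildcard-mask ACL matching (first match wins, implicit deny at the end) that runs the original and the corrected access-list 100 against a reply from 192.168.10.5 to an address in pool 'green', showing why the leading deny entry keeps the overload NAT rule away from VPN-bound traffic. The client address 192.168.11.3 and the Internet address 198.51.100.7 are constructed sample values.

```python
import ipaddress

# Constructed model of IOS extended ACL semantics as used by
# "ip nat inside source list 100 ...": a packet is translated iff the ACL permits it.
# Wildcard bit 1 means "don't care"; entries are checked in order; implicit deny at the end.

def wildcard_match(addr, network, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def _take_addr(fields):
    # Consume one address spec: "any", "host A.B.C.D", or "A.B.C.D W.W.W.W"
    if fields[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), fields[1:]
    if fields[0] == "host":
        return (fields[1], "0.0.0.0"), fields[2:]
    return (fields[0], fields[1]), fields[2:]

def parse_ace(line):
    # e.g. "access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255"
    tokens = line.split()
    action = tokens[2]            # permit | deny
    fields = tokens[4:]           # skip "access-list", number, action, protocol
    src, fields = _take_addr(fields)
    dst, _ = _take_addr(fields)
    return action, src, dst

def acl_permits(acl_lines, src, dst):
    for line in acl_lines:
        action, (snet, swc), (dnet, dwc) = parse_ace(line)
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False  # implicit deny

def will_be_natted(acl_lines, src, dst):
    """True when the overload rule referencing this list would translate src->dst."""
    return acl_permits(acl_lines, src, dst)

ORIGINAL_ACL = ["access-list 100 permit ip 192.168.10.0 0.0.0.255 any"]
FIXED_ACL = [
    "access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255",
    "access-list 100 permit ip 192.168.10.0 0.0.0.255 any",
]

if __name__ == "__main__":
    reply = ("192.168.10.5", "192.168.11.3")    # NT server -> VPN client in pool green
    web = ("192.168.10.5", "198.51.100.7")      # NT server -> Internet host (constructed)
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(name, "VPN reply natted:", will_be_natted(acl, *reply),
              "| web natted:", will_be_natted(acl, *web))
```

With the original list the reply toward the pool address is translated to the Ethernet0/0 address, which is exactly the symptom in the quoted message; with the deny entry in front it is left alone while Internet-bound traffic is still overloaded.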

----- Original Message ----- 
From: "Jeremy Parr" <jeremyparr at gmail.com>
To: <cisco-nsp at puck.nether.net>
Sent: Tuesday, March 29, 2005 10:54 AM
Subject: [c-nsp] Easy VPN Woes with NAT and IOS


> Attempting to establish remote connectivity to a 1721 using the Cisco
> VPN Client. Everything works well if I remove NAT from the router, but
> if NAT is enabled, the router NATs its replies to me. If I connect to
> the VPN and ping 192.168.10.5 (an NT server behind the router), I get
> a reply from 192.168.10.5; once I enable NAT on the router and ping
> again, the reply comes from the outside interface of the router. This
> is not good. I have played with route-maps and access lists on my 'ip
> nat inside' statement to no avail. Config follows:
>
> version 12.3
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
> !
> hostname gem-1760-01
> !
> boot-start-marker
> boot system flash:c1700-k9o3sy7-mz.123-11.T3.bin
> boot-end-marker
> !
> enable secret
> !
> username bgc
> username admin
> username cisco
> clock timezone EST -5
> mmi polling-interval 60
> no mmi auto-configure
> no mmi pvc
> mmi snmp-timeout 180
> aaa new-model
> !
> !
> aaa authentication login default local
> aaa authentication login userlist local
> aaa authorization network grouplist local
> aaa session-id common
> ip subnet-zero
> no ip source-route
> !
> !
> !
> !
> ip cef
> ip domain name bgcfreedom.com
> ip name-server 24.244.175.133
> ip ips po max-events 100
> no ftp-server write-enable
> !
> !
> !
> !
> !
> !
> crypto isakmp policy 1
> group 2
> !
> crypto isakmp policy 3
> hash md5
> authentication pre-share
> group 2
> crypto isakmp identity hostname
> !
> crypto isakmp client configuration group cisco
> key xxx
> dns 192.168.10.5
> wins 192.168.10.5
> domain globalequity.local
> pool green
> acl 199
> !
> !
> crypto ipsec transform-set dessha esp-3des esp-sha-hmac
> !
> !
> crypto dynamic-map mode 1
> set transform-set dessha
> !
> !
> !
> !
> crypto map mode client authentication list userlist
> crypto map mode isakmp authorization list grouplist
> crypto map mode client configuration address respond
> crypto map mode 1 ipsec-isakmp dynamic mode
> !
> !
> !
> interface Ethernet0/0
> ip address <wan ip>
> ip nat outside
> ip virtual-reassembly
> half-duplex
> no cdp enable
> crypto map mode
> !
> interface FastEthernet0/0
> ip address 192.168.10.1 255.255.255.0
> ip nat inside
> ip virtual-reassembly
> no ip route-cache cef
> no ip route-cache
> no ip mroute-cache
> speed auto
> no cdp enable
> !
> interface Ethernet1/0
> no ip address
> shutdown
> half-duplex
> no cdp enable
> !
> ip local pool green 192.168.11.1 192.168.11.10
> ip classless
> ip route 0.0.0.0 0.0.0.0 24.244.150.1
> no ip http server
> ip http secure-server
> !
> ip nat inside source list 100 interface Ethernet0/0 overload
> ip nat inside source static tcp 192.168.10.5 3389 <wan ip> 3389 extendable
> !
> !
> access-list 100 permit ip 192.168.10.0 0.0.0.255 any
> access-list 199 permit ip 192.168.10.0 0.0.0.255 any
> no cdp run
> !
> route-map nonat permit 10
> match ip address 199
> !
> radius-server host 192.168.10.5 auth-port 1812 acct-port 1813 key 7 <radius key>
> !
> control-plane
> !
> !
> line con 0
> line aux 0
> line vty 0 4
> !
> ntp clock-period 17208063
> ntp server 192.5.41.40
> end
