NAT- Keeping Access to the Local IP..

Status
Not open for further replies.

Marcusm88

Technical User
Joined
Apr 15, 2005
Messages
13
Location
US
We have a NAT setup for our M$ Exchange 2003 Server; it looks like this:

ip nat inside source static 192.1.1.8 204.xx.xx.33 extendable

The router does not handle dhcp or dns for the 192.1.1.1 network.

The problem is when VPN clients try to go to the Exchange server by hostname it returns 192.1.1.8 and they cannot reach this address. I thought of a workaround, by adding the global IP 204.xx.xx.33 and the hostname to the hosts file in Windows, but I know this is just a patch for the problem.

Any suggestions?
 
1) Which IP address of your email server will be used INSIDE the internal network in your company?

2) Do those "VPN clients" connect back into the internal network in your company?

3) Do those "VPN clients" support "split tunneling" so that they can access the Internet while connecting to the internal network?

 
Would be helpful to see the config less any passwords...
 
1) Clients in the internal network use 192.1.1.8 without problems.
2) The VPN clients connect back into the internal network.
3) VPN tunneling is configured, but this problem existed before vpn tunneling was setup.

The VPN clients just don't have access to the 192.1.1.8 IP address. It seems like the router should redirect traffic that is pointed toward the internal address to the external address if the internal address is not accessible with the NAT.

I just pasted my router config in Excel, and it's about 700 lines long with all the VoIP stuff. Do you think just posting the VPN stuff, the NATs, and the access-lists would suffice?
 
THAT WOULD PROBABLY BE OK TO START WITH...LESS ANY PASSWORDS...
 
OK, here's an excerpt of the cfg... We have 3 separate VPN connections configured in here: 2 LAN-to-LAN connections and the vpnclients. The LAN-to-LAN VPN connections can have access to the 192.1.1.8 IP but the vpnclients group doesn't.

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key ******* address 204.118.34.53 no-xauth
crypto isakmp key ******* address 204.118.34.61 no-xauth
!
crypto isakmp client configuration group vpnclients
key *********
dns 192.1.1.3
wins 192.1.1.3
domain mccorklenurseries.com
pool vpn_client_pool
acl 150
!
!
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set set1
!
!
crypto map VPN_Map local-address Loopback0
crypto map VPN_Map client authentication list vpnclient
crypto map VPN_Map isakmp authorization list groupauthor
crypto map VPN_Map client configuration address respond
crypto map VPN_Map 10 ipsec-isakmp
description Crypto map for LAN-2-LAN VPN tunnel to Atlanta
set peer 204.118.34.53
set transform-set set1
match address VPN_GRE_Atlanta
qos pre-classify
crypto map VPN_Map 15 ipsec-isakmp
description Crypto map for LAN-2-LAN VPN tunnel to Marion
set peer 204.118.34.61
set transform-set set1
match address VPN_GRE_Marion
qos pre-classify
crypto map VPN_Map 20 ipsec-isakmp dynamic dynmap
!
!
!
!
!
router eigrp 100
network 172.16.0.0
network 192.1.1.0
network 192.168.9.0
network 192.168.10.0
network 192.168.20.0
network 192.168.254.0
network 192.168.255.0
no auto-summary
!
ip local pool vpn_client_pool 192.168.9.100 192.168.9.200
ip nat pool NatPool 204.118.34.42 204.118.34.42 prefix-length 30
ip nat inside source route-map NoNAT pool NatPool overload
ip nat inside source static tcp 192.1.1.102 5080 204.118.34.35 5080 extendable
ip nat inside source static tcp 192.1.1.77 80 204.118.34.36 80 extendable
ip nat inside source static tcp 192.1.1.8 80 204.118.34.33 80 extendable
ip nat inside source static 192.1.1.8 204.118.34.33 extendable
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 160.81.234.13
ip route 204.118.34.32 255.255.255.240 Null0 225
!
!
!
ip access-list standard Telnet-Access
remark **** Telnet access to this router ****
permit 192.168.0.0 0.0.255.255
permit 192.1.1.0 0.0.0.255
permit 205.244.200.0 0.0.1.255
permit 207.14.217.0 0.0.0.255
!
ip access-list extended Inet_Inbound
remark **** Inbound ACL for Internet port ****
deny ip 204.118.34.32 0.0.0.15 any
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any administratively-prohibited
permit icmp any any packet-too-big
permit tcp any host 204.118.34.36 eq 1494
permit icmp any any echo
permit icmp any any time-exceeded
permit icmp any host 204.118.34.45 echo
permit icmp any host 160.81.234.14 echo
permit ip 192.1.1.0 0.0.0.255 any
permit gre host 204.118.34.53 host 204.118.34.45
permit gre host 204.118.34.61 host 204.118.34.45
permit udp any any eq isakmp
permit esp any any
permit udp any any eq non500-isakmp
permit udp 192.5.41.0 0.0.0.255 eq ntp host 160.81.234.14
permit tcp 205.244.200.0 0.0.1.255 host 204.118.34.45 eq telnet
permit tcp 207.14.217.0 0.0.0.255 host 204.118.34.45 eq telnet
permit tcp 205.244.200.0 0.0.1.255 host 204.118.34.44 eq 3389
permit tcp any host 204.118.34.33 eq smtp
permit tcp any host 204.118.34.33 eq www
permit tcp any host 204.118.34.33 eq pop3
permit tcp 161.165.202.24 0.0.0.3 host 204.118.34.35 eq 5080
permit udp host 69.68.89.4 any eq snmp
permit ip 192.168.9.0 0.0.0.255 any
permit ip 192.168.9.0 0.0.0.255 host 192.1.1.8
ip access-list extended NAT
remark **** Addresses to NAT ****
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip 192.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any
permit ip 192.1.1.0 0.0.0.255 any
ip access-list extended Network_Critical
remark **** Network critical - NTP,Cisco telnet,EIGRP updates etc. ****
permit ip any any precedence internet
ip access-list extended UNKNOWN
ip access-list extended VPN_GRE_Atlanta
remark **** Traffic to be encrypted to Atlanta ****
permit gre host 204.118.34.45 host 204.118.34.53
ip access-list extended VPN_GRE_Marion
remark **** Traffic to be encrypted to Marion ****
permit gre host 204.118.34.45 host 204.118.34.61
ip access-list extended VoIP_Control
remark **** VoIP control traffic ****
permit ip any any dscp af31
permit ip any any precedence flash
ip access-list extended VoIP_RTP
remark **** VoIP bearer traffic
permit ip any any dscp ef
permit ip any any precedence critical
ip access-list extended addr-pool
ip access-list extended async
ip access-list extended default-domain
ip access-list extended idletime
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended protocol
ip access-list extended service
ip access-list extended tunnel-password
ip access-list extended wins-servers
access-list 5 permit any
access-list 53 permit 69.68.89.4
access-list 53 permit 205.244.200.128 0.0.0.127
access-list 53 permit 205.244.201.0 0.0.0.255
access-list 150 permit ip 192.0.0.0 0.255.255.255 any
!
 
ip access-list extended NAT
remark **** Addresses to NAT ****
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip 192.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any
permit ip 192.1.1.0 0.0.0.255 any

Do you need to modify this to read:

ip access-list extended NAT
remark **** Addresses to NAT ****
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip 192.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any
permit ip 192.1.1.0 0.0.0.255 any
permit ip 192.168.9.0 0.0.0.255 any

Also would suggest being more specific in access-list 150 as to give only access to those resources needed by remote clients.
Say you only want them to have access to 192.1.1.0 network you could enter:
access-list 150 permit ip 192.1.1.0 0.0.0.255 192.168.9.0 0.0.0.255
Say you only want access to certain devices:
access-list 150 permit ip host 192.1.1.3 192.168.9.0 0.0.0.255
access-list 150 permit ip host 192.1.1.8 192.168.9.0 0.0.0.255
Could you port the route map also....
 
Sorry...my bad typing...

post route map....no port it
 
Well in the acl 150 we opened it up to any so that users can use internet and vpn simultaneously. Some things they need to access are stored on a webserver not in our network. I suppose we could add that external source to the acl but they also want to have access to other internet stuff too.


Thanks for the help though.... Here's route-map:

route-map NoNAT permit 10
description **** Route map for what addresses to NAT ****
match ip address NAT

 
So with the current config your users now have access to the internet.....all lan resources except 192.1.1.8...is this correct???
 
Yep, that's correct...

I've tried doing direct NATs before with other addresses and after I enter:
ip nat inside source static 192.1.1.X 204.118.34.XX extendable

the internal address becomes unreachable.
 
What would be the result if you added the 192.168.9.0 network in the following example:

ip access-list extended NAT
remark **** Addresses to NAT ****
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip 192.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any
permit ip 192.1.1.0 0.0.0.255 any
permit ip 192.168.9.0 0.0.0.255 any
 
That access list is what allows and denies NAT entries...

The 192.168.9.0 is already covered by the 192.168.0.0, but I went ahead and tried it anyway and I'm still not able to reach 192.1.1.8.
 
so I suppose your VPN client should be unable to access 192.1.1.77 and 192.1.1.102 also, right?
 
"I've tried doing direct NATs before with other addresses and after I enter:
ip nat inside source static 192.1.1.X 204.118.34.XX extendable

the internal address becomes unreachable."

So you mean if you enter both of the following commands:

ip nat inside source static tcp 192.1.1.77 80 204.118.34.36 80 extendable
ip nat inside source static 192.1.1.77 204.118.34.36 extendable

Then the IP address 192.1.1.77 will be unreachable from the VPN client side?
 
hmm I have another idea but this may be just another "patch for the problem"

try using the following commands:

!
no ip nat inside source static tcp 192.1.1.8 80 204.118.34.33 80 extendable
no ip nat inside source static 192.1.1.8 204.118.34.33 extendable
!
ip nat pool exchange 204.118.34.33 204.118.34.33
ip nat inside source route-map exchangenonat pool exchange overload
!
ip access-list extended exchangeip
deny ip host 192.1.1.8 192.168.0.0 0.0.255.255
permit ip host 192.1.1.8 any
!
route-map exchangenonat permit 10
match ip address exchangeip
!
end
!
 
"So you mean if you enter both of the following commands:

ip nat inside source static tcp 192.1.1.77 80 204.118.34.36 80 extendable
ip nat inside source static 192.1.1.77 204.118.34.36 extendable

Then the IP address 192.1.1.77 will be unreachable from the VPN client side?"

Yep, the NAT becomes unreachable when you enter the direct NAT (don't specify a port).

Thanks for the input... I'll test that config out tonight (I don't fully understand what's going on in the ip nat pool, or what the route-map does).
 
The above configuration means that for any traffic from the host 192.1.1.8 to any other network except 192.168.0.0/24, it will do a translation from the inside address 192.1.1.8 to the outside pool which only has 1 address 204.118.34.33.
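An added illustration, not part of the thread: a small Python model of the two NAT policies under discussion. It parses the exchangeip ACL from the proposed config into first-match rules and compares the source translation a plain static NAT applies with what the route-map based NAT applies, for the same inside-to-outside packets from 192.1.1.8. The VPN client 192.168.9.150 and Internet host 198.51.100.20 are constructed sample addresses, and the model assumes (consistent with the thread) that replies from 192.1.1.8 to the VPN pool cross the router's inside-to-outside NAT path.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Addresses from the thread's config. The destinations used in main() are constructed
# samples: 192.168.9.150 (a VPN pool client) and 198.51.100.20 (an Internet host).
EXCHANGE_INSIDE = ipaddress.ip_address("192.1.1.8")
EXCHANGE_OUTSIDE = ipaddress.ip_address("204.118.34.33")


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS 'address wildcard' notation (e.g. 192.168.0.0 0.0.255.255) to a network."""
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return ipaddress.ip_network(f"{address}/{ipaddress.ip_address(mask)}", strict=False)


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse the subset of IOS extended-ACL syntax used in the thread
    ('<permit|deny> ip <src> <dst>'); remarks are ignored."""
    entries = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if proto != "ip":
            raise ValueError(f"unsupported protocol in ACL line: {line}")
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        entries.append(AclEntry(action, src, dst))
    return entries


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            return entry.action == "permit"
    return False


# The exchangeip ACL proposed in the thread, referenced by the exchangenonat route-map.
EXCHANGE_ACL = parse_acl([
    "deny ip host 192.1.1.8 192.168.0.0 0.0.255.255",
    "permit ip host 192.1.1.8 any",
])


def static_nat_source(src: str, dst: str) -> str:
    """'ip nat inside source static 192.1.1.8 204.118.34.33 extendable': every
    inside-to-outside packet from the host is translated, whatever its destination,
    so a reply to a VPN client leaves with a source the client never talked to."""
    if ipaddress.ip_address(src) == EXCHANGE_INSIDE:
        return str(EXCHANGE_OUTSIDE)
    return src


def route_map_nat_source(src: str, dst: str) -> str:
    """'ip nat inside source route-map exchangenonat pool exchange overload':
    translation happens only when the exchangeip ACL permits the flow, so packets
    to 192.168.0.0/16 (VPN pool and other internal networks) keep their real source."""
    if ipaddress.ip_address(src) == EXCHANGE_INSIDE and acl_permits(EXCHANGE_ACL, src, dst):
        return str(EXCHANGE_OUTSIDE)
    return src


def main() -> None:
    for dst in ("192.168.9.150", "198.51.100.20"):
        print(f"192.1.1.8 -> {dst}: static NAT source = {static_nat_source('192.1.1.8', dst)}, "
              f"route-map NAT source = {route_map_nat_source('192.1.1.8', dst)}")


if __name__ == "__main__":
    main()
```

Running it shows the difference the thread is after: with the static entry the reply toward the VPN client is rewritten to 204.118.34.33, while the route-map version leaves it as 192.1.1.8 and still translates traffic bound for the Internet. The same parser can be pointed at ACL 150 to check what a narrower split-tunnel list would permit before applying it on the router.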

 
Cool, a router-side patch is preferred over a client-side one... PCs in the 192.1.1.0 network would still have access to 192.1.1.8 though?
 
That's a layer-2 forwarding and shouldn't involve any processing from the router.
 