Tek-Tips Forums

VPN Attempting to NAT a firewall.

GMav (IS-IT--Management, joined Jan 25, 2006, US):

My router is configured successfully to use the VPN client; the only problem is that it is attempting to hit the NAT entries... Here's a sample ping:

ping 192.168.1.17

Pinging 192.168.1.17 with 32 bytes of data:

Reply from XX.XX.201.99: bytes=32 time=41ms TTL=127
Reply from XX.XX.201.99: bytes=32 time=41ms TTL=127
Reply from XX.XX.201.99: bytes=32 time=39ms TTL=127
Reply from XX.XX.201.99: bytes=32 time=42ms TTL=127

Note that when VPN'd in, I ping the internal address and the router never forwards the request, as it intercepts the traffic and never sends it through. Non-NATed internal addresses work fine...

Here's a bit of the config that may be relevant:

crypto isakmp client configuration group VPNGROUP
key XXXXXXXXXX
dns 192.168.1.2
domain mycompany.com
pool vpn1
acl 106
split-dns mycompany.com

...

ip nat inside source route-map nonat interface FastEthernet0 overload
ip nat inside source static 192.168.1.17 XX.XX.201.99

Any ideas or more data needed? There are of course ACLs for all the different subnets to talk internally.

Any help is greatly appreciated, as this worked initially, but then over time (I'm sure as routes updated or something) it just stopped working.

Pete

 
Can anyone out there help with this? We need to get working ASAP.
 
Ok, here's some more information. The incoming traffic is received fine, but on the outgoing packet it's being NATed. Here's what I mean:

081580: .Jan 27 23:39:11.458 PCTime: NAT: s=192.168.1.13->XX.XX.201.100, d=192.168.10.7 [18718] mon

192.168.1.13 is the internal Address.
XX.XX.201.100 is the natted external address.
192.168.10.7 is the VPN client address.

So it looks like my ping is getting inside to the internal address, and then on the return trip getting NATed and not going over the tunnel correctly.

Any ideas are very appreciated
 
Ok... Found the solution... It was actually quite simple, I had to associate a route map with the NAT entries...

ip nat inside source static 192.168.1.17 XX.XX.201.99 route-map static

And then set up the route-map...

route-map static permit 10
match ip address 110

With an ACL of:

access-list 110 deny ip host 192.168.1.17 192.168.10.0 0.0.0.255
access-list 110 permit ip any any

Voila!
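Putting the two NAT statements from the thread side by side, as an added example that is not the poster's config: the dynamic overload rule was already exempted through route-map nonat (whose ACL the thread does not show; access-list 101 and the body of route-map nonat below are assumptions), and the fix gives the static entry the same carve-out. In an IOS NAT route-map, a deny in the matched ACL means "do not translate", so replies from 192.168.1.17 to the 192.168.10.0/24 client pool keep their private source address and can match the crypto map's interesting traffic, while everything else from that host still leaves as XX.XX.201.99.

```cisco
! Added example (not the poster's configuration). Addresses, ACL 110,
! route-map static and interface FastEthernet0 follow the thread;
! access-list 101 and the contents of route-map nonat are assumed.
!
! --- Before: the static entry translates every packet from the host ---
! A reply to a VPN client (192.168.10.x) is rewritten to the public
! address before the crypto map sees it, so it never enters the tunnel
! and the client sees "Reply from XX.XX.201.99".
ip nat inside source static 192.168.1.17 XX.XX.201.99
!
! --- After ---
! Dynamic PAT for the LAN: route-map nonat exempts LAN-to-client traffic
! (assumed ACL; the thread only shows the NAT line that references it).
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 101
ip nat inside source route-map nonat interface FastEthernet0 overload
!
! The static 1:1 entry needs its own route-map, because route-map nonat
! only governs the overload rule. Deny = leave the packet untranslated.
access-list 110 deny   ip host 192.168.1.17 192.168.10.0 0.0.0.255
access-list 110 permit ip any any
route-map static permit 10
 match ip address 110
ip nat inside source static 192.168.1.17 XX.XX.201.99 route-map static
```

The translation table is consulted before the NAT rules, so after changing them run `clear ip nat translation *` to drop entries created under the old rules; `show ip nat translations` and `debug ip nat` (on a lab box, it is chatty) then show whether replies to 192.168.10.x still carry the private source, and `show route-map static` confirms the ACL binding. If connections initiated from the Internet to XX.XX.201.99 must also keep working, test them after the change: on IOS releases that support it, the `reversible` keyword on a static route-map entry is what enables outside-to-inside initiated sessions.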
 