VPN and NAT failure


    Environment description:
    Cisco 877 Firewall/Router with a number of PAT/NAT rules to publish ports from the internal network to the public interface.
    Same Cisco 877 is a VPN endpoint for our consultants, and we use the Cisco client.

    Internal network is
    VPN network is 192.168.yyy.0/32
    Public is - ADSL2 PPPoA.

    When connecting to the VPN, we are able to access the network, ping all servers and workstations using FQDN and connect to relevant ports, EXCEPT when it was a NAT/PAT published port.
    for instance: was published to
    When connected to the VPN, I could not reach xxx.200:80; I'd have to use 150.101.bla:80.

    I thought the solution could be the reverse-route command I noticed in another thread. This didn't help me, except to make me look at the problem a bit more than I did before.

    I had previously raised the question on another forum and was told the answer was route maps, but when I tried the new configs I was offered, it ended up breaking the internet for the folks in the office. (HINT! Don't do this at 2:00pm on a weekday.. people get upset :P)

    So I dropped the issue for a while, as it wasn't major.

    Started relooking last night, and made the following change:

    ip nat inside source static tcp 80 interface Dialer0 80
    ip nat inside source static tcp 80 interface 80 route-map nonat

    It didn't accept the command.
    Looked around a bit more and thought.. hmmm.
    Tried this one:

    ip nat inside source static tcp 80 80 route-map nonat.

    Guess what.. it worked!

    So the solution to the problem, if you have VPN clients who cannot access NAT/PAT published ports via the internal address, is to use a route map in combination with some ACLs. (We already had these, and I can go into them further if requested.)

    With an 877, you also cannot use a specific interface for dynamic NAT/PAT rules - you have to use a specific IP, which means if we change ISP again, I'll need to re-write the rules.
    That's not so big a deal though really.... now I know how.

    So.. I'm in a good mood today.
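The pattern the post arrives at, written out as an added IOS configuration example (not the poster's running config, whose ACLs and addresses are not on the page): a route-map backed by an ACL that leaves LAN-to-VPN-client traffic untranslated, so a VPN client can reach the published server on its inside address. The LAN, VPN pool and public address are constructed placeholders from the documentation ranges; the ACL and route-map names are assumed.

```cisco
! Added example, not the original poster's configuration.
! Assumed/constructed values:
!   inside LAN       192.168.1.0/24   (web server 192.168.1.200)
!   VPN client pool  192.168.2.0/24
!   fixed public IP  203.0.113.10     (the 877 would not accept
!                                      "interface Dialer0" with a route-map)
!
! Address pool handed to Cisco VPN clients
ip local pool VPNPOOL 192.168.2.1 192.168.2.254
!
! ACL the route-map consults: deny = do not translate, permit = translate.
! LAN -> VPN pool is denied, so a reply from 192.168.1.200 to a VPN client
! keeps its real source address and the client's TCP session survives.
ip access-list extended NAT-CANDIDATES
 remark keep LAN-to-VPN-client traffic untranslated
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 remark everything else leaving the LAN is eligible for NAT/PAT
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address NAT-CANDIDATES
!
! BEFORE (the failure in the post): unconditional static PAT. The server's
! reply to a VPN client is rewritten to the public address, so the client
! only ever works against 203.0.113.10:80.
!   ip nat inside source static tcp 192.168.1.200 80 interface Dialer0 80
!
! AFTER: same port publication, applied only where the route-map permits.
ip nat inside source static tcp 192.168.1.200 80 203.0.113.10 80 route-map nonat
!
interface Vlan1
 ip nat inside
interface Dialer0
 ip nat outside
!
! Check from a connected VPN client: browse to http://192.168.1.200/ and
! confirm the router created no translation for that flow:
!   show ip nat translations | include 192.168.2.
```

Inbound connections from the Internet to 203.0.113.10:80 still reach the server through the same static entry; only the LAN-to-VPN-pool direction is exempted.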