Connectivity problems to a NAT’d host via a VPN on Cisco IOS

A problem where a client on one side of a VPN tunnel cannot communicate with a host on the other side that has a static NAT entry.

The host 10.0.0.2 is a mail and web server (tcp/25 & tcp/80) that provides these services to hosts on the internet and to hosts connected via an IPsec VPN that terminates on the 1800 router. Hosts on the 192.168.0.0/24 subnet at the remote office site cannot connect to the mail/web server (10.0.0.2) on port 25 or 80 but can on all other ports.

8.8.8.8 = Server outside (NAT global) IP address
10.0.0.2 = Server inside (NATted) address
192.168.0.0/24 = VPN client subnet

moons_1801# show run | i nat.*10.0.0.2

ip nat inside source static tcp 10.0.0.2 25 interface FastEthernet0/1 25
ip nat inside source static tcp 10.0.0.2 80 interface FastEthernet0/1 80

We can see the two static NAT rules b0rking things as usual. What we need to do is configure a route map we can apply to the NAT rules so that traffic between the server and the VPN client subnets is not sent through the NAT statement. First off, configure an access list that denies all your VPN client subnets and permits everything else:

Extended IP access list 150
10 deny ip host 10.0.0.2 192.168.0.0 0.0.0.255
20 permit ip host 10.0.0.2 any

Now apply that ACL in a route map match statement:

route-map NONAT permit 10
match ip address 150

Now it's simply a case of removing the old NAT rules and adding the new ones. 8.8.8.8 is the outside interface IP (of Fa0/1):

no ip nat inside source static tcp 10.0.0.2 25 interface FastEthernet0/1 25
ip nat inside source static tcp 10.0.0.2 25 8.8.8.8 25 route-map NONAT
no ip nat inside source static tcp 10.0.0.2 80 interface FastEthernet0/1 80
ip nat inside source static tcp 10.0.0.2 80 8.8.8.8 80 route-map NONAT
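As an added illustration (not part of the original post or the router config), the following Python models how IOS walks ACL 150 through route-map NONAT to decide whether the static NAT entry applies to a packet leaving the server. The wildcard-mask test, first-match-wins order and implicit deny are standard IOS ACL semantics; the ACL contents mirror the post's, and the sample addresses (a VPN client at 192.168.0.50, an internet host at 203.0.113.7) and the function names are constructed for the example. A second, deliberately mistyped ACL (192.160.0.0 instead of 192.168.0.0) shows the check worth running before trusting a NAT exemption: a one-digit slip in the deny entry leaves VPN traffic translated, which reproduces exactly the "works on other ports, not on 25/80" symptom.

```python
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask test: every address bit where the wildcard bit is 0
    must equal the corresponding network bit; wildcard 1 bits are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


# Constructed model of "Extended IP access list 150" from the post:
#   10 deny   ip host 10.0.0.2 192.168.0.0 0.0.0.255
#   20 permit ip host 10.0.0.2 any
# Each entry: (seq, action, src, src_wildcard, dst, dst_wildcard).
# "host X" is X with wildcard 0.0.0.0; "any" is 0.0.0.0 with wildcard 255.255.255.255.
ACL_150 = [
    (10, "deny",   "10.0.0.2", "0.0.0.0", "192.168.0.0", "0.0.0.255"),
    (20, "permit", "10.0.0.2", "0.0.0.0", "0.0.0.0",     "255.255.255.255"),
]

# Constructed variant with the VPN subnet mistyped (192.160 instead of 192.168),
# used below to show how a one-digit slip silently defeats the NAT exemption.
ACL_150_MISTYPED = [
    (10, "deny",   "10.0.0.2", "0.0.0.0", "192.160.0.0", "0.0.0.255"),
    (20, "permit", "10.0.0.2", "0.0.0.0", "0.0.0.0",     "255.255.255.255"),
]


def acl_action(acl, src, dst):
    """IOS ACL semantics: entries are tested in sequence order, the first match
    decides, and a packet matching no entry hits the implicit deny at the end."""
    for _seq, action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


def nat_translates(acl, src, dst):
    """'route-map NONAT permit 10' with 'match ip address <acl>': the static NAT
    entry is applied only when the route-map permits, which for this single
    permit clause means the ACL must permit the packet (ACL deny -> no NAT)."""
    return acl_action(acl, src, dst) == "permit"


def check_exemption(acl, vpn_client="192.168.0.50", internet_host="203.0.113.7"):
    """Evaluate the server's outbound (inside-to-outside) packets, which is the
    direction the ACL is written for (source host 10.0.0.2). Returns
    (translated_to_vpn_client, translated_to_internet); the goal is (False, True)."""
    server = "10.0.0.2"
    return (nat_translates(acl, server, vpn_client),
            nat_translates(acl, server, internet_host))


if __name__ == "__main__":
    print("correct ACL 150:", check_exemption(ACL_150))           # (False, True)
    print("mistyped subnet:", check_exemption(ACL_150_MISTYPED))  # (True, True)
```

Running the script shows the exemption working for the correct ACL and failing for the mistyped one; the same two-line check against the real ACL (is VPN-bound traffic denied, is internet-bound traffic permitted) is the thing to confirm with the router's own ACL output before blaming the VPN.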

Now we can access the server via the NATted IP on the internet and across the VPN on its “real” IP 🙂

m00nie
