
February 21, 2008

Static NAT Inaccessible Through VPN Connections

Alright, I've run into this problem three times now, and each time I've had to rediscover the solution, so I thought I'd write it down here for myself and whomever it may help. Here's the problem:

Site-to-site VPN connections are increasingly used as a WAN link replacement. The problem I keep encountering is that servers behind the router with Static NAT entries (added so they are reachable from the Internet) become unreachable through the VPN when addressed by their private address. VPN users can still reach those servers by using their public address over the Internet connection. The cause is the Cisco IOS order of operations: for traffic going from the inside to the outside interface, NAT is applied before the crypto map is consulted, so a packet whose source has just been translated to the public address no longer matches the VPN's interesting-traffic ACL.

Static NAT over VPN

Take this example. A user from SiteA accesses ServerB at SiteB using its private address on TCP port 80 (HTTP):

UserA ---> Site-to-Site VPN ---> ServerB

The request reaches ServerB, which replies to UserA. The router at SiteB has a Static NAT mapping that makes ServerB reachable from the Internet, and on the way out of the router this mapping is applied before the site-to-site VPN rule (the crypto map's interesting-traffic ACL) is checked. ServerB's reply therefore leaves with its source rewritten to the public address, no longer matches the VPN ACL, and is routed unencrypted toward the Internet:

ServerB Response ----> Static NAT mapping ---> Reply sent to Internet abyss

The result is that the HTTP connection from SiteA times out. Here's how to fix it:

RouterB(config)#route-map NO_NAT
RouterB(config-route-map)#match ip address 100
RouterB(config-route-map)#exit
RouterB(config)#access-list 100 deny ip host 192.168.15.100 192.168.10.0 0.0.0.255
RouterB(config)#access-list 100 permit ip 192.168.15.0 0.0.0.255 any
RouterB(config)#ip nat inside source static tcp 192.168.15.100 80 81.14.214.29 80 route-map NO_NAT

The above configuration keeps ServerB's traffic to hosts across the VPN (192.168.10.0/24) out of the static translation while still translating everything else, so the reply keeps its private source address, matches the crypto map, and goes through the tunnel. Two things to check when applying this: the route-map is evaluated against the pre-NAT (private) source address, so the deny entry must name 192.168.15.100, not the public address; and if the router also has a dynamic NAT/PAT rule for the LAN, its access list needs the same deny for the VPN destination, or every other host will hit the identical problem. After changing NAT rules, run clear ip nat translation * so that stale translations built under the old rules do not keep the symptom alive.
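To put the whole thing in context, here is a complete RouterB configuration sketch as an added example; it is not from the original post or the Cisco reference. It assumes 203.0.113.10 as SiteA's public peer address, FastEthernet0/0 as the SiteB LAN interface, FastEthernet0/1 as the Internet interface holding 81.14.214.29, a placeholder pre-shared key and ISAKMP/IPsec parameters, and a PAT overload rule for general Internet access. It shows the broken static entry next to the fixed one and carries the same VPN deny into the dynamic NAT list, since that rule has the identical order-of-operations problem.

```cisco
! Added example: complete RouterB configuration sketch (not from the original post).
! Assumed: 203.0.113.10 = SiteA public peer, FastEthernet0/0 = SiteB LAN,
! FastEthernet0/1 = Internet holding 81.14.214.29, placeholder PSK and crypto settings.
!
! --- interesting traffic for the tunnel: evaluated AFTER NAT on egress ---
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_KEY address 203.0.113.10
crypto ipsec transform-set TS_AES esp-aes 256 esp-sha-hmac
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS_AES
 match address VPN_TRAFFIC
!
! --- NAT exemption for VPN traffic ---
! Egress order is routing -> NAT -> crypto, so a source already rewritten to
! 81.14.214.29 never matches VPN_TRAFFIC and leaves in the clear.
!
! ACL 100: route-map ACL for the static entry (pre-NAT, private source address)
access-list 100 deny   ip host 192.168.15.100 192.168.10.0 0.0.0.255
access-list 100 permit ip host 192.168.15.100 any
!
! ACL 101: same deny for the general PAT rule, otherwise every other LAN host
! hits the identical problem
access-list 101 deny   ip 192.168.15.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.15.0 0.0.0.255 any
!
route-map NO_NAT permit 10
 match ip address 100
!
! BROKEN form (the behaviour the post describes): no route-map, so ServerB's
! replies to 192.168.10.0/24 are translated and miss the crypto map.
!   ip nat inside source static tcp 192.168.15.100 80 81.14.214.29 80
!
! FIXED form: the static translation is applied only when NO_NAT permits.
ip nat inside source static tcp 192.168.15.100 80 81.14.214.29 80 route-map NO_NAT
ip nat inside source list 101 interface FastEthernet0/1 overload
!
interface FastEthernet0/0
 description SiteB LAN
 ip address 192.168.15.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Internet
 ip address 81.14.214.29 255.255.255.248
 ip nat outside
 crypto map VPN_MAP
!
! Verification after a test request from SiteA to http://192.168.15.100/ :
!   clear ip nat translation *   (drop translations built under the old rules)
!   show ip nat translations     (no 81.14.214.29 entry toward 192.168.10.x)
!   show crypto ipsec sa         (encaps/decaps counters increment for the SA)
!   debug ip nat                 (the reply to 192.168.10.x must not be translated)
```

Inbound port 80 from the Internet still works through the static entry, because the route-map only governs which inside-to-outside packets are translated; the verification commands at the end confirm that the VPN path stays untranslated while the public path continues to be served.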

Here's the original Cisco reference:

http://www.cisco.com/warp/public/707/static.html#topic2

Posted by JC at February 21, 2008 11:34 AM


Comments

Thanks,

Just keep in mind that a static NAT using route-maps is not allowed on older IOS releases.

Posted by: bugueur at February 21, 2008 4:04 PM

Everything you need in such a case is IPsec as a routable interface, so instead of using a classic crypto map you can use an IPsec configuration with a virtual template or a tunnel interface with an IPsec profile applied to it. Then you have one logical interface for Internet communication, which has nat outside, and one logical interface facing the VPN WAN without the NAT outside statement. The router makes the routing decision first, then NAT, so it is doing NAT to the Internet only, not the VPN WAN.

Posted by: billyrom at February 21, 2008 11:22 PM

Hi, I know that this is not related to this topic, but I have a question about security. If I'm right, private VLANs are available only on newer switches to provide isolation between two or more isolated ports, allowing them access only to the promiscuous port. And this is a little painful to configure. Is it possible to use switchport protected mode (on the isolated ports) instead of private VLANs?

Posted by: Thead at February 22, 2008 10:06 AM

billyrom, can you clarify?

Posted by: Dedan at February 27, 2008 3:12 PM

Hello

Very useful article. I found the info on Cisco.com, but your explanation drove the point home (and made my solution work LOL).

Follow-up question: this has solved the issue for VPN clients, but it has not solved the issue of INTERNAL clients pointing to the FQDN (which resolves via DNS to the external IP). I have tried modifying the ACL to include traffic from internal ranges, but no dice. Do you have any suggestions?

Posted by: Johann Lo at March 11, 2008 3:58 AM

Great article, well written. Thanks for bringing up the subject ...
It's been a question in my mind regarding this ... well written and great work there!!
by arul vigg

Posted by: arul vigg at March 22, 2008 12:02 PM

Life-saving article; it's hard to ask the proper questions to get the right answers... thank you

Posted by: calin at March 24, 2008 8:32 AM
