February 21, 2008

Static NAT Inaccessible Through VPN Connections

Alright, I've run into this problem three times now and each time I keep having to rediscover the solution, so I thought I'd write the solution here for myself and whomever it may help. Here's the problem:

Creating site-to-site VPN connections as a WAN link replacement is becoming quite common. The problem I continually encounter is that servers behind the router that have Static NAT entries (making them accessible from the outside world) become inaccessible through the VPN when addressed by their private address. VPN users can still reach the servers over the Internet connection. This happens simply because of the order in which the Cisco router processes NAT and the VPN rules: NAT is applied to the outbound packet before the crypto rules are consulted.

Static NAT over VPN

Take this example. A user from SiteA accesses ServerB at SiteB using its private address on TCP port 80 (HTTP):

UserA ---> Site-to-Site VPN ---> ServerB

The request reaches ServerB, which attempts to reply to UserA. The router at SiteB has a Static NAT mapping that makes ServerB accessible from the Internet. This Static NAT mapping is processed before the site-to-site VPN rule, so the reply leaves with the public address and no longer matches the VPN traffic definition:

ServerB Response ----> Static NAT mapping ---> Reply sent to Internet abyss

The result is the HTTP connection from SiteA times out. So, here's how to fix it:

RouterB(config)#route-map NO_NAT
RouterB(config-route-map)#match ip address 100
RouterB(config-route-map)#exit
RouterB(config)#access-list 100 deny ip host 192.168.15.100 192.168.10.0 0.0.0.255
RouterB(config)#access-list 100 permit ip 192.168.15.0 0.0.0.255 any
RouterB(config)#ip nat inside source static tcp 192.168.15.100 80 81.14.214.29 80 route-map NO_NAT

The above configuration prevents the server's traffic from going through the Static NAT entry when it is talking to hosts across the VPN (the deny line in access-list 100, which covers the remote 192.168.10.0/24 subnet), but lets it pass through Static NAT for everything else (the permit line). Because the reply to UserA keeps its private source address, it now matches the VPN rule and is encrypted instead of being sent to the Internet.
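As an added illustration that is not part of the original post or of any Cisco code, the following Python models RouterB's egress order (NAT first, then the crypto map) and the first-match, wildcard-mask evaluation of access-list 100. The addresses in access-list 100 and the static entry are the ones from the configuration above; UserA's address 192.168.10.50, the Internet host 203.0.113.7 and the crypto ACL (192.168.15.0/24 to 192.168.10.0/24) are constructed assumptions.

```python
import ipaddress

# Cisco wildcard mask semantics: a 0 bit in the mask must match, a 1 bit is "don't care".
def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

# access-list 100 from the post, as (action, src, src_wildcard, dst, dst_wildcard).
# "host X" is X with wildcard 0.0.0.0; "any" is 0.0.0.0 with wildcard 255.255.255.255.
ACL_100 = [
    ("deny",   "192.168.15.100", "0.0.0.0",   "192.168.10.0", "0.0.0.255"),
    ("permit", "192.168.15.0",   "0.0.0.255", "0.0.0.0",      "255.255.255.255"),
]

# Constructed crypto ACL for the SiteB <-> SiteA tunnel (assumption, not on the page).
CRYPTO_ACL = [("permit", "192.168.15.0", "0.0.0.255", "192.168.10.0", "0.0.0.255")]

# The static entry from the post: inside 192.168.15.100 tcp/80 -> outside 81.14.214.29 tcp/80.
STATIC_NAT = {"inside": "192.168.15.100", "port": 80, "outside": "81.14.214.29"}


def acl_result(acl, src: str, dst: str) -> str:
    """First matching line wins; an IOS ACL ends with an implicit deny."""
    for action, sn, sw, dn, dw in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"


def translate_source(src: str, sport: int, dst: str, use_route_map: bool = True) -> str:
    """Return the source address the packet carries after NAT.

    With the route-map attached, the static entry only translates packets that
    access-list 100 permits; without it, the entry translates unconditionally.
    """
    if src != STATIC_NAT["inside"] or sport != STATIC_NAT["port"]:
        return src  # not covered by this static entry
    if use_route_map and acl_result(ACL_100, src, dst) != "permit":
        return src  # route-map NO_NAT says: leave it untranslated
    return STATIC_NAT["outside"]


def egress_path(src: str, sport: int, dst: str, use_route_map: bool = True):
    """Model RouterB's outbound order: NAT is applied, then the crypto map is checked
    against the already-translated packet. Returns (source on the wire, "vpn"|"internet")."""
    wire_src = translate_source(src, sport, dst, use_route_map)
    if acl_result(CRYPTO_ACL, wire_src, dst) == "permit":
        return wire_src, "vpn"
    return wire_src, "internet"


if __name__ == "__main__":
    user_a, internet_host = "192.168.10.50", "203.0.113.7"
    # Before the fix: the reply is translated first, no longer matches the crypto ACL,
    # and is sent out to the Internet (the "abyss" in the post).
    print("no route-map, reply to UserA :", egress_path(STATIC_NAT["inside"], 80, user_a, use_route_map=False))
    # After the fix: ACL 100 denies the VPN destination, the reply keeps its private
    # source address and is encrypted into the tunnel.
    print("route-map,    reply to UserA :", egress_path(STATIC_NAT["inside"], 80, user_a))
    # Internet clients still get the public address.
    print("route-map,    reply to Internet:", egress_path(STATIC_NAT["inside"], 80, internet_host))
```

The model only covers the one static entry from the configuration; a reply from another port on the server returns the untranslated address here because no other NAT rule is represented.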

Here's the original Cisco reference:

http://www.cisco.com/warp/public/707/static.html#topic2

Posted by JC at 11:34 AM

February 27, 2006

VPN Documentation

I ran across this link in the Cisco documentation walking through the concepts and configuration of a VPN with a Certificate Authority (CA) involved. It has some awesome explanations about RSA keys, certificates, and PKI (a topic that has confused me quite a bit in the past).

Posted by JC at 11:23 AM