Remote access VPN / NAT Problem


Hi Networkers,

Could someone advise what could be wrong.

Here is a scenario:

1. S0/0 is on the Internet (IP address A.B.C.D)

2. F0/0 is on LAN with IP 172.16.100.1/24. On same subnet is mail server with IP 172.16.100.3/24

3. S0/0 is outside NAT interface and F0/0 is inside NAT interface. The S0/0 interface has static NAT redirection so that Internet users can send mail to exchange mail server

4. I configured a remote access vpn which is working for all protocols (ICMP, remote desktop, etc). The problem is connected VPN client PC cannot connect to mail server using outlook with the static NAT port redirection there on router (IP NAT INSIDE SOURCE STATIC TCP 172.16.100.3 25 A.B.C.D 25).

5. When I remove this command (above) from router, VPN client PC connects to mail server at port 25 without a problem. Of course, this would mean mail server will NOT receive mail hence the NAT static translation has to be there. Kindly advise workaround so that Internet users that connect via VPN can see all corporate LAN resources including the mail server.

Here is the pertinent configuration of the above:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
aaa new-model
!
aaa authentication login AUTHENTICATION local
aaa authorization network AUTHORIZATION local
!
no ip domain lookup
!
!!Below is the domain (not actual domain).
ip domain name testing.com
!
!Credentials for VPN user authentication
username user1 password user1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group user1
 key user1
 pool vpn_users
 acl 100
 save-password
 netmask 255.255.255.0
!
crypto ipsec transform-set vpn_transform esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 1
 set transform-set vpn_transform
 reverse-route
!
crypto map MAP client authentication list AUTHENTICATION
crypto map MAP isakmp authorization list AUTHORIZATION
crypto map MAP client configuration address respond
crypto map MAP 65535 ipsec-isakmp dynamic DYNMAP
!
interface FastEthernet0/0
 encapsulation dot1Q 1 native
 description LAN-Interface
 ip address 172.16.100.1 255.255.255.0
 ip nat inside
!
interface serial0/0
 description WAN-Interface
 ip address A.B.C.D 255.255.255.0
 ip nat outside
 crypto map MAP
!
!VPN users address pool
ip local pool vpn_users 172.17.17.10 172.17.17.254
!
!NOTE A.B.C.D is the WAN Internet IP address
!
ip nat inside source route-map NAT interface s0/0 overload
ip nat inside source static tcp 172.16.200.3 25 A.B.C.D 25 extendable
!
access-list 100 per ip 172.16.100.0 0.0.0.255 any
!
!NAT access-list
access-list 101 deny ip 172.16.100.0 0.0.0.255 172.17.17.0 0.0.0.255
access-list 101 permit ip 172.16.100.0 0.0.0.255 any
!
route-map NAT permit 1
 match ip address 101
!
END

Do please take note that remote desktop and ICMP are all working okay (PC with VPN client can see corporate office LAN resources except mail server). The problem is only for services that are undergoing port redirection with an outside static NAT translation (ip nat inside source static) on the gateway router.

Kindly help/advise??

Thank you
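As an added illustration (not from the original post), the following shows one way to keep the static port forward for Internet mail while exempting the VPN pool from it: the dynamic overload NAT in the post is already exempted via route-map NAT and access-list 101, but the static entry has no such exemption, so the mail server's replies to 172.17.17.x leave through S0/0 with their source rewritten to A.B.C.D:25 before the crypto map sees them. The names NONAT_STATIC and access-list 102 are assumed, the mail server address 172.16.100.3 is taken from the question text, and whether the tcp form of the static entry accepts a route-map depends on the IOS release, so verify it on the router.

```cisco
! Added example: exempt VPN-client destinations from the static port forward.
! NONAT_STATIC and ACL 102 are assumed names; 172.16.100.3 is the mail server
! from the question text and 172.17.17.0/24 is the VPN pool (ip local pool vpn_users).
!
! ACL 102: deny   = do not translate (mail server replies going to VPN clients)
!          permit = translate (everything else, i.e. Internet mail senders)
access-list 102 deny   ip host 172.16.100.3 172.17.17.0 0.0.0.255
access-list 102 permit ip host 172.16.100.3 any
!
route-map NONAT_STATIC permit 10
 match ip address 102
!
! Remove the existing unconditional static entry (the "no" form must match
! exactly what is currently configured), then re-add it bound to the route-map.
no ip nat inside source static tcp 172.16.100.3 25 A.B.C.D 25 extendable
ip nat inside source static tcp 172.16.100.3 25 A.B.C.D 25 route-map NONAT_STATIC extendable
!
! Check: with a VPN client connected to port 25, the translation table should show
! no entry with a 172.17.17.x peer, while an Internet sender should still create
! an A.B.C.D:25 <-> 172.16.100.3:25 entry. Test both directions after the change.
! show ip nat translations
! show ip nat statistics
```

The same exemption logic applies to any other service published with ip nat inside source static on this router, each such entry needing its own route-map binding.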
