Cisco IPSec, NAT, and port forwarding don't play well together

Posted by Alan on Server Fault See other posts from Server Fault or by Alan
Published on 2011-04-18T04:46:33Z Indexed on 2011/11/11 17:57 UTC

I have two Cisco ADSL modems configured conventionally to NAT the inside traffic to the ISP. That works.

I have two port forwards on one of them, for SMTP and IMAP, from the outside to the inside; this provides external access to the mail server. This works.

The modem doing the port forwarding also terminates PPTP VPN traffic.

There are two DNS servers: one inside the office, which resolves mail to the local address, and one outside the office, which resolves mail for the rest of the world to the external interface. That all works.

I recently added an IPSec VPN between the two modems and that works for everything EXCEPT connections over the IPSec VPN to the mail server on port 25 or 143 from workstations on the remote LAN.

It would seem that the modem with the port forwards is confusing traffic from the mail server destined for a machine on the other side of the IPSec VPN for traffic that should go back to a port forward connection.

PPTP VPN traffic to the mail server is fine.

Is this a scenario anybody is familiar with and are there any suggestions on how to work around it?

Many thanks

Alan

But wait, there is more...

These are the strategic parts of the NAT config. A route map is used to exclude the LANs that are reachable via IPSec tunnels from being NATed.

int ethernet0
  ip nat inside

int dialer1
  ip nat outside
  ip nat inside source route-map nonat interface Dialer1 overload

route-map nonat permit 10
  match ip address 105

access-list 105 remark *** Traffic to NAT
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any

ip nat inside source static tcp 192.168.1.241 25 interface Dialer1 25
ip nat inside source static tcp 192.168.1.241 143 interface Dialer1 143

At the risk of answering my own question, I resolved this outside the Cisco realm.

I bound a secondary IP address, 192.168.1.244, to the mail server, changed the port forwards to use it while leaving all the local and IPSec traffic to use 192.168.1.241, and the problem was solved.

New port forwards:

ip nat inside source static tcp 192.168.1.244 25 interface Dialer1 25
ip nat inside source static tcp 192.168.1.244 143 interface Dialer1 143

Obviously this is a messy solution and being able to fix this in the Cisco would be preferable.
