Block NAT for VPN traffic

Bizounett

IS-IT--Management
Nov 25, 2008
Hi everyone,

I have a site-to-site VPN up and running. At one end I have a PBX for IP phones (SIP). All is working when we are inside (both sides of the VPN). I can connect to my PBX and make phone calls. But now I have a client who wants to be able to connect to the PBX from outside. I said no problem! I NAT the port 5060 for the connection to the inside PBX. It can connect, good, but the people in the VPN tunnel cannot connect anymore. Is it possible to block the NAT rules when it's the inside IP from the VPN?

Here is my config

Code:
Current configuration : 6454 bytes
!
! Last configuration change at 16:16:40 EST Sun Mar 10 2013
! NVRAM config last updated at 16:16:43 EST Sun Mar 10 2013
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Rang7
!
boot-start-marker
boot-end-marker
!
enable secret 5 **PASSWORD**
!
clock timezone EST -5
clock summer-time EST recurring 2 Sun Mar 3:00 1 Sun Nov 1:00
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 142.217.192.9
ip name-server 142.217.192.8
ip name-server 209.226.51.46
ip dhcp excluded-address 192.168.2.1 192.168.2.125
!
ip dhcp pool Rang7
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 142.217.192.9 142.217.192.8 209.226.51.46
!
ip audit po max-events 100
no vlan accounting
!
crypto isakmp policy 10
 encr x
 hash x
 authentication x
 group x
 lifetime 28800
crypto isakmp key **PASSWORD** address x.x.x.x
!
!
crypto ipsec transform-set myset x x
!
crypto map rang7_to_hyco 10 ipsec-isakmp
 set peer x.x.x.x
 set security-association lifetime seconds 28800
 set transform-set myset
 match address 103
!
bridge irb
!
!
!
interface ATM0/0
 description --- Vers SLAM ---
 no ip address
 ip directed-broadcast
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 bridge-group 1
 hold-queue 224 in
 pvc 0/35
  encapsulation aal5snap
 !
!
interface Ethernet0/0
 description --- Reseau Interne ---
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 half-duplex
 hold-queue 100 out
!
interface Serial0/1
 no ip address
 shutdown
!
interface Ethernet1/0
 description --- Reseau Internet ---
 no ip address
 shutdown
 half-duplex
!
interface BVI1
 description --- Interface virtuel pour bridger ---
 ip address dhcp
 ip access-group 102 in
 ip nat outside
 crypto map rang7_to_hyco
!
ip nat inside source static udp 192.168.2.90 5060 interface BVI1 5060
ip http server
no ip http secure-server
ip classless
ip route 172.17.8.0 255.255.252.0 BVI1
ip route 172.30.32.0 255.255.252.0 BVI1
ip route 192.168.4.0 255.255.255.0 BVI1
!
!
access-list 101 deny   ip 192.168.2.0 0.0.0.255 172.17.8.0 0.0.3.255
access-list 101 deny   ip 192.168.2.0 0.0.0.255 172.30.32.0 0.0.3.255
access-list 101 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit icmp any 192.168.2.0 0.0.0.255
access-list 102 permit icmp 192.168.2.0 0.0.0.255 any
access-list 102 deny   icmp any any
access-list 102 permit tcp any any
access-list 102 permit udp any any
access-list 102 permit ip any any
access-list 103 permit ip 192.168.2.0 0.0.0.255 172.17.8.0 0.0.3.255
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 103 permit ip 192.168.2.0 0.0.0.255 172.30.32.0 0.0.3.255
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
!
alias exec c configure terminal
alias exec save copy running-config startup-config
alias exec s sh ip interface brief
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 password 7 **PASSWORD**
 logging synchronous
 login
!
ntp clock-period 17208347
ntp server 216.234.161.11
ntp server 67.212.74.220
ntp server 142.137.247.109
ntp server 66.96.30.35
!
end

Thanks

Bizz
 
I found this information:

Code:
ip nat inside source static v.v.v.v t.t.t.t route-map excludevpn
ip nat outside source static t.t.t.t v.v.v.v

ip access-list extended excludevpnfromnat
deny ip s.s.s.s t.t.t.t
permit ip s.s.s.s v.v.v.v

route-map excludevpn permit 10
match ip address excludevpnfromnat

Code:
burtsbees (Programmer)	
2 Feb 09 9:49
The acl for the route map should be

access-list bla deny ip any vpn_subnet(s)
access-list bla permit what_you_want_NATted any

deny from any to vpn_subnet and permit from LAN_subnets to any

If you have any further problems, please post a scrubbed config.

Burt

This is exactly what I need, but instead of the t.t.t.t I have interface BVI1. With interface BVI1 this code does not work. Does someone have an idea, please?

Thanks
 
ip nat inside source list 101 int BVI1 over

Tim/aka Burt

ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
 
FYI, the powerball acl is part of my sig...your fix is the one line

ip nat inside source list 101 int BVI1 over

lol

Crap...hope I don't have to change my sig... : (

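As an added illustration of the thread's point (not code from the thread, from Cisco, or from the posters), this Python model evaluates a route-map ACL built the way burtsbees describes against the PBX's static NAT entry and the crypto ACL 103 from the posted config. It shows why PBX traffic toward the VPN subnets stops matching the tunnel once its source is translated, and how the deny entries restore the match. The outside address 203.0.113.10 and the sample flows are constructed stand-ins; ports are ignored, so it covers only the SIP flows the static entry applies to.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # "network wildcard" in Cisco notation, or "any"
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src) and wildcard_match(dst, e.dst):
            return e.action
    return "deny"


LAN = "192.168.2.0 0.0.0.255"
VPN_SUBNETS = ["172.17.8.0 0.0.3.255", "172.30.32.0 0.0.3.255", "192.168.4.0 0.0.0.255"]
# Crypto ACL 103 from the posted config: traffic that is "interesting" for the tunnel.
CRYPTO_103 = [AclEntry("permit", LAN, v) for v in VPN_SUBNETS]
# Route-map ACL per the thread's advice: deny LAN -> VPN subnets, then permit LAN -> any.
EXCLUDE_VPN = [AclEntry("deny", LAN, v) for v in VPN_SUBNETS] + [AclEntry("permit", LAN, "any")]

PBX = "192.168.2.90"
OUTSIDE_IP = "203.0.113.10"   # constructed stand-in for the DHCP address on BVI1


def outbound(src: str, dst: str, route_map_acl=None):
    """Inside-to-outside order in IOS: NAT runs before the crypto map is consulted.
    Returns (source address after NAT, whether the packet matches the tunnel)."""
    post_nat = src
    if src == PBX:   # the static entry covers the PBX; a route-map can exempt flows
        if route_map_acl is None or acl_lookup(route_map_acl, src, dst) == "permit":
            post_nat = OUTSIDE_IP
    tunneled = acl_lookup(CRYPTO_103, post_nat, dst) == "permit"
    return post_nat, tunneled


if __name__ == "__main__":
    for rm in (None, EXCLUDE_VPN):
        print("with route-map" if rm else "no route-map", outbound(PBX, "172.17.8.5", rm))
```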
 