VPN can't access local IP with Port

Status
Not open for further replies.

flopeedo (Programmer, US), Sep 30, 2011
My VPN network 172.16.2.x can't access any of the local PCs that have port forwarding. Inside can access these just fine, but my VPN network can't.

For example:

My PC at 172.16.2.50 can ping 10.94.62.67 just fine, but if I open a web browser and try to go to 10.94.62.67:9080 it says the page can't be displayed. The other networks inside the office can access it with no problems.

I am sure I am missing some sort of access list statement, but I can't find which one.

My config is below:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
group 2
crypto isakmp keepalive 30 30
crypto isakmp nat keepalive 30
!
crypto isakmp client configuration group iptel
key 1234567890
pool SDM_POOL_1
acl remote
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
!
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
ip virtual-reassembly in
ip policy route-map vpn
!
interface Embedded-Service-Engine0/0
ip address 10.10.10.5 255.255.255.0
!
interface GigabitEthernet0/0
ip address 50.50.50.5 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
ip address 10.24.62.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.62
encapsulation dot1Q 62
ip address 10.94.62.65 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.111
encapsulation dot1Q 111
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
!
ip local pool SDM_POOL_1 172.16.2.50 172.16.2.99
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.24.62.207 80 50.50.50.5 80 extendable
ip nat inside source static tcp 10.24.62.201 444 50.50.50.5 444 extendable
ip nat inside source static tcp 10.94.62.67 9080 50.50.50.5 9080 extendable
ip nat inside source static tcp 10.94.62.67 9082 50.50.50.5 9082 extendable
ip nat inside source static tcp 10.24.62.204 20 50.50.50.5 20 extendable
ip nat inside source static tcp 10.24.62.204 21 50.50.50.5 21 extendable
ip nat inside source static tcp 10.24.62.204 22 50.50.50.5 22 extendable
ip nat inside source static tcp 10.24.62.204 80 50.50.50.5 80 extendable
ip nat inside source static tcp 10.24.62.204 443 50.50.50.5 443 extendable
ip nat inside source static 10.24.62.204 50.50.50.5 extendable
ip nat outside source static 50.50.50.5 10.94.62.65 extendable
ip route 0.0.0.0 0.0.0.0 50.50.50.4
ip route 172.16.2.0 255.255.255.0 Loopback0
ip route 192.168.5.0 255.255.255.0 Loopback0
!
ip access-list extended NAT
remark SDM_ACL Catergory=2
deny ip 10.94.62.0 0.0.0.255 172.16.2.0 0.0.0.255
deny ip 10.94.62.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 10.24.62.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 172.16.2.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255
deny ip 10.1.1.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 10.24.62.0 0.0.0.255 172.16.2.0 0.0.0.255
permit ip any any
ip access-list extended remote
remark SDM_ACL Category=4
permit ip 10.94.62.0 0.0.0.255 any
permit ip 10.24.62.0 0.0.0.255 any
permit ip 10.1.1.0 0.0.0.255 any
!
access-list 150 permit ip host 1.1.1.1 172.16.2.0 0.0.0.255
access-list 150 permit ip host 1.1.1.1 192.168.5.0 0.0.0.255
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address NAT
 
Can you confirm that the router first has IP connectivity to both the client and the web server (e.g. ping tests)? If so, when attempting that example session you described, do you see any bindings for that server address if you do a "show ip nat translations", to confirm the port mappings are in place?

Also, are you intending to define what traffic should be ciphered between your VPN endpoints? I notice the cryptomap doesn't associate any ACL there. Can you confirm the working operation of your IPSec tunnel in general?

CCNP, CCDP, CCIP
Core Network Planner, ISP
 
My port mappings are in place. When I do a "show ip nat translations" I get a large output...

My crypto map is associated with an ACL. It goes to the access list remote:

crypto isakmp client configuration group iptel
key 1234567890
pool SDM_POOL_1
acl remote

ip access-list extended remote
remark SDM_ACL Category=4
permit ip 10.94.62.0 0.0.0.255 any
permit ip 10.24.62.0 0.0.0.255 any
permit ip 10.1.1.0 0.0.0.255 any

Again, I can ping every device on the LAN (ping 10.94.62.67, no problems) from my VPN connection. It's just when I try to access 10.94.62.67:9080 that it fails.
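Added example (editor's addition, not code from the thread): the pattern reported above, ICMP to 10.94.62.67 works from the VPN pool while TCP to port 9080 on the same host does not, is what you would expect if the port-specific static entries are being applied to the return traffic. In IOS, a static "ip nat inside source" entry without a route-map translates any inside-to-outside packet that matches its local address and port, regardless of the deny lines in the NAT ACL; those deny lines only gate the dynamic overload translation via route-map SDM_RMAP_1. A ping reply from 10.94.62.67 matches no static entry and is denied by ACL NAT, so it leaves untranslated; a SYN/ACK from 10.94.62.67:9080 matches the static tcp 9080 entry and leaves as 50.50.50.5:9080, which the VPN client never talked to. The script below models that selection order against the entries posted in the thread and against the same entries guarded by an assumed route-map (named NONAT_VPN here) whose ACL denies the two VPN pools. The thread does not confirm this diagnosis, and the model's ordering rules are this example's simplification of IOS behaviour, not router code.

```python
# Added example: a simplified model of IOS inside->outside NAT selection,
# applied to the static entries and NAT ACL posted in the thread.
# Model (assumption of this example, not IOS source):
#   1. static entries are checked first and, without a route-map, apply
#      regardless of the dynamic NAT ACL;
#   2. otherwise the overload entry applies only if route-map SDM_RMAP_1's
#      ACL permits the packet;
#   3. otherwise the packet leaves untranslated.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: Optional[int] = None  # None for icmp
    dport: Optional[int] = None


@dataclass(frozen=True)
class StaticEntry:
    """One 'ip nat inside source static ...' line."""
    local_ip: str
    global_ip: str
    proto: Optional[str] = None        # None: plain static, all protocols
    local_port: Optional[int] = None
    global_port: Optional[int] = None
    # Destination networks excluded by a route-map attached to this entry.
    # Empty for the entries as posted, which carry no route-map.
    route_map_deny: Tuple[str, ...] = ()

    def matches(self, p: Packet) -> bool:
        if p.src != self.local_ip:
            return False
        if self.proto is not None and (p.proto != self.proto or p.sport != self.local_port):
            return False
        if any(ip_address(p.dst) in ip_network(n) for n in self.route_map_deny):
            return False
        return True


# 'ip access-list extended NAT' from the post: deny pairs, then permit any.
NAT_ACL_DENY = (
    ("10.94.62.0/24", "172.16.2.0/24"),
    ("10.94.62.0/24", "192.168.5.0/24"),
    ("10.24.62.0/24", "192.168.5.0/24"),
    ("172.16.2.0/24", "192.168.5.0/24"),
    ("10.1.1.0/24", "172.16.2.0/24"),
    ("10.1.1.0/24", "192.168.5.0/24"),
    ("10.24.62.0/24", "172.16.2.0/24"),
)
OUTSIDE_IP = "50.50.50.5"  # GigabitEthernet0/0 in the post

# The two port-specific static entries for 10.94.62.67, as posted.
POSTED_STATICS = (
    StaticEntry("10.94.62.67", OUTSIDE_IP, "tcp", 9080, 9080),
    StaticEntry("10.94.62.67", OUTSIDE_IP, "tcp", 9082, 9082),
)
# Same entries guarded by an assumed route-map NONAT_VPN whose ACL denies
# traffic to the VPN pools (172.16.2.0/24, 192.168.5.0/24) and permits the rest.
VPN_POOLS = ("172.16.2.0/24", "192.168.5.0/24")
GUARDED_STATICS = tuple(replace(e, route_map_deny=VPN_POOLS) for e in POSTED_STATICS)


def dynamic_nat_permits(p: Packet) -> bool:
    """route-map SDM_RMAP_1 / ACL NAT: first matching deny wins, else permit ip any any."""
    for s, d in NAT_ACL_DENY:
        if ip_address(p.src) in ip_network(s) and ip_address(p.dst) in ip_network(d):
            return False
    return True


def translate(p: Packet, statics=POSTED_STATICS) -> Tuple[str, Packet]:
    """Return (which rule applied, packet as it leaves the outside interface)."""
    for e in statics:
        if e.matches(p):
            sport = e.global_port if e.proto is not None else p.sport
            return "static", replace(p, src=e.global_ip, sport=sport)
    if dynamic_nat_permits(p):
        # PAT would pick its own source port; the exact value does not matter here.
        return "dynamic", replace(p, src=OUTSIDE_IP)
    return "none", p


def breaks_session(p: Packet, statics=POSTED_STATICS) -> bool:
    """True if the VPN client would receive a reply from an address:port it never sent to."""
    _, out = translate(p, statics)
    return out.src != p.src or out.sport != p.sport


# Constructed return traffic for the two tests described in the thread.
PING_REPLY = Packet("icmp", "10.94.62.67", "172.16.2.50")
TCP_9080_REPLY = Packet("tcp", "10.94.62.67", "172.16.2.50", sport=9080, dport=51234)

if __name__ == "__main__":
    for name, pkt in (("ping reply", PING_REPLY), ("tcp/9080 reply", TCP_9080_REPLY)):
        for label, statics in (("as posted", POSTED_STATICS), ("route-map on statics", GUARDED_STATICS)):
            rule, out = translate(pkt, statics)
            print(f"{name:15} {label:22} rule={rule:8} leaves as {out.src}:{out.sport}")
```

Two checks on the real router follow from the model: while a VPN client has the 9080 connection attempt open, "show ip nat translations" should show the static 9080 binding being used for a session whose outside address is in 172.16.2.0/24, and "debug ip nat" on the reply should show 10.94.62.67:9080 being rewritten to 50.50.50.5:9080. IOS allows a route-map on static entries ("ip nat inside source static tcp ... route-map NONAT_VPN", with the route-map matching an ACL that denies the VPN pools and permits everything else); confirm the keyword order your release accepts with "?" before changing the production entries, and note that the plain static entry for 10.24.62.204 in the posted config would be affected the same way for all protocols.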