l2tp (ipsec)+accessing natted (cisco) resource(port forward)
Posted: Thu Jan 24, 2013 9:42 pm
Hi,
I've configured my RB exactly like in this Greg Sowell video:
http://www.youtube.com/watch?v=OBlUaZw9uNU
It's an L2TP (IPSec) + Windows 7 configuration.
It's working fine. I get an address from the VPN pool and I have access to local resources, but I have a few questions:
- Is it possible to send the L2TP client only certain routes? I wanted to achieve something like Cisco's EzVPN with split tunneling (accessing only local resources, not encrypting the whole connection and going to the Internet through my VPN). I've tried setting up routes in PPP secrets, but it didn't work.
- I wanted this VPN because from that public IP I have access to our client devices (that Cisco device doesn't have an image supporting EzVPN), so there's simply an ACL permitting our public address and a static NAT to ports (port forwarding). So... I can access this Cisco router through SSH; the direct connection works fine, but I cannot access hosts that are NATed (ip nat inside source static tcp ...). Why?
I can see in my MT firewall/connections:
- my private IP (obtained from the MT VPN pool) is NATed on the MT and then the connection is made to the Cisco's public IP - TCP established:
#MT:
ip firewall connection print
2 SA tcp 10.1.200.123:52575 X.X.X.X:22 established 43m2s
#cisco :
show tcp brief numeric
TCB Local Address Foreign Address (state)
31EE3BCC X.X.X.X.22 Y.Y.Y.Y.52575 ESTAB
#####
but for the open ports on that device (port forwarding) it stays in the TCP syn-sent state:
ip firewall connection print
16 tcp 10.1.200.123:52807 X.X.X.X:8443 syn-sent 1s
17 tcp 10.1.200.123:52808 X.X.X.X:8443 syn-sent 1s
cisco#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp X.X.X.X:8443 Z.Z.Z.Z:8443 Y.Y.Y.Y:52807 Y.Y.Y.Y:52807
tcp X.X.X.X:8443 Z.Z.Z.Z:8443 Y.Y.Y.Y:52808 Y.Y.Y.Y:52808
legend:
X.X.X.X - cisco public IP address
Y.Y.Y.Y - MT public IP address
Z.Z.Z.Z - private inside (behind cisco) IP address
Why is that so?
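As an added diagnostic (not part of the post or the MikroTik/Cisco tooling), the following Python script parses the two captures quoted above and correlates each non-established MikroTik connection with the Cisco NAT translation table by port. It assumes, as the captures show, that the MikroTik masquerade preserves the client's source port; the sample input is constructed from the post's own lines, placeholders kept as-is.

```python
import re
from collections import namedtuple

# Constructed sample input: the two captures from the post above (placeholders kept as-is).
MT_CONNECTIONS = """\
2 SA tcp 10.1.200.123:52575 X.X.X.X:22 established 43m2s
16 tcp 10.1.200.123:52807 X.X.X.X:8443 syn-sent 1s
17 tcp 10.1.200.123:52808 X.X.X.X:8443 syn-sent 1s
"""
CISCO_NAT = """\
Pro Inside global Inside local Outside local Outside global
tcp X.X.X.X:8443 Z.Z.Z.Z:8443 Y.Y.Y.Y:52807 Y.Y.Y.Y:52807
tcp X.X.X.X:8443 Z.Z.Z.Z:8443 Y.Y.Y.Y:52808 Y.Y.Y.Y:52808
"""

Conn = namedtuple("Conn", "id proto src sport dst dport state")
Xlate = namedtuple("Xlate", "proto ig_addr ig_port il_addr il_port og_addr og_port")

# "/ip firewall connection print" row: id, optional flags (e.g. SA), proto, src:port, dst:port, state
MT_RE = re.compile(r"^\s*(\d+)\s+(?:[A-Z]+\s+)?(\w+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")

def parse_mt(text):
    conns = []
    for line in text.splitlines():
        m = MT_RE.match(line)
        if m:
            i, proto, src, sport, dst, dport, state = m.groups()
            conns.append(Conn(int(i), proto, src, int(sport), dst, int(dport), state))
    return conns

def parse_cisco_nat(text):
    """'show ip nat translations' rows: proto, inside global, inside local, outside local, outside global."""
    xlates = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] == "Pro":
            continue  # skip header and anything that is not a translation row
        ig, il, og = (x.rsplit(":", 1) for x in (f[1], f[2], f[4]))
        xlates.append(Xlate(f[0], ig[0], int(ig[1]), il[0], int(il[1]), og[0], int(og[1])))
    return xlates

def diagnose(conns, xlates):
    """For each non-established MT connection, report how far the SYN got on the Cisco side.
    Assumes the MT masquerade keeps the client source port (true in the captures above)."""
    findings = {}
    for c in conns:
        if c.state == "established":
            continue
        hit = [x for x in xlates if x.proto == c.proto and x.ig_port == c.dport and x.og_port == c.sport]
        if hit:
            findings[c.id] = (f"SYN reached the Cisco and was translated to {hit[0].il_addr}:{hit[0].il_port}; "
                              "no SYN-ACK came back, so check the return path from the inside host")
        else:
            findings[c.id] = "no translation on the Cisco: the SYN never arrived or was dropped before NAT"
    return findings
```

For the post's captures both syn-sent connections match a translation, which points at the reply leg (inside host to Y.Y.Y.Y via the Cisco) rather than at the MikroTik or the forward NAT.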