IPSEC and NAT inside source statement conflict

GW M
Level 1

I created an IPSec site-to-site VPN tunnel between two locations on two Cisco 2911 routers. Site A is IP network 192.168.1.1/24 and site B is 192.168.2.0/24. Users at site B access a server 192.168.1.100 port 9000 and 9005, which exists in site A. Everything works great!


Now we are trying to allow a host 158.x.x.10 from the Internet to access 192.168.1.100 on ports 9000 and 9005 at the same time. We are running into a problem when we implement the NAT port mapping statements for ports 9000 and 9005 to the server 192.168.1.100 from the Internet: the users at site B can't access the server 192.168.0.100 on ports 9000 and 9005 over the site-to-site VPN tunnel any more.


Any ideas?


! Site A router (2911) - relevant parts of the running config
!
! IPsec crypto map: traffic matching ACL 100 is encrypted to the site B peer
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 74.x.x.98
 set peer 67.x.x.20
 set security-association idle-time 86400
 set transform-set ESP_AES
 set isakmp-profile site-to-site
 match address 100
!
! Outside (Internet) interface: inbound filter ACL 103, NAT outside, crypto map applied
interface GigabitEthernet0/0
 description Outside Internet GigabitEthernet0/0
 ip address 74.x.x.98 255.255.255.252
 ip access-group 103 in
 ip nat outside
 crypto map SDM_CMAP_1
!
! Inside LAN interface: inbound anti-spoofing filter ACL 102
interface GigabitEthernet0/1
 description Inside GigabitEthernet0/1 LAN
 ip address 192.168.1.1 255.255.255.0
 ip access-group 102 in
!
! Static port forwards for 9000 and 9005 (apply to any destination, no route-map)
ip nat inside source static tcp 192.168.0.100 9000 interface GigabitEthernet0/0 9000
ip nat inside source static tcp 192.168.0.100 9005 interface GigabitEthernet0/0 9005
!
! Dynamic PAT for everything else, conditioned on route-map SDM_RMAP_1 (ACL 101)
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
! ACL 100: crypto ACL, site A to site B is the interesting traffic
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip any any log
!
! ACL 101: NAT exemption for the dynamic PAT, VPN traffic is not translated
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
! ACL 102: inbound filter on the LAN side
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
!
! ACL 103: inbound filter on the Internet side (IPsec peer, the 158.x.x.10 host, misc)
access-list 103 permit esp host 67.x.x.20 host 74.x.x.98
access-list 103 permit udp host 67.x.x.20 host 74.x.x.98 eq isakmp
access-list 103 permit tcp host 158.x.x.10 host 74.x.x.98 eq 9000
access-list 103 permit tcp host 158.x.x.10 host 74.x.x.98 eq 9005
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit tcp any any eq 7000 log
access-list 103 permit udp any eq bootps any eq bootpc
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny ip any any


GW
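The following is an added illustration, not part of the post and not Cisco code. It models the IOS inside-to-outside packet path, where NAT inside-to-outside translation happens before the crypto map is consulted, using the post's ACL 100 (crypto match) and ACL 101 (PAT exemption). The server address 192.168.1.100 is taken from the description, the redacted outside address 74.x.x.98 is replaced by the documentation placeholder 203.0.113.98, and the hosts 192.168.2.50 and 198.51.100.10 and all port numbers are constructed. The "conditioned" variant, where the static entry is skipped for VPN destinations, is a hypothetical configuration used only to show why a destination-aware static translation keeps the reply traffic inside the crypto ACL; whether a given IOS release accepts a route-map on this form of static entry is not verified here.

```python
"""Model of the IOS inside->outside order of operations: NAT first, then the
crypto map match. A static port forward that ignores the destination rewrites
the server's replies to site B, so they no longer match crypto ACL 100.
Added example with constructed addresses; not the poster's or Cisco's code."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

SITE_A = ipaddress.ip_network("192.168.1.0/24")
SITE_B = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
OUTSIDE_IP = "203.0.113.98"  # placeholder for the redacted 74.x.x.98

# ACLs as in the post: entries are (action, source network, destination network).
ACL_100 = [("permit", SITE_A, SITE_B), ("deny", ANY, ANY)]     # crypto ACL
ACL_101 = [("deny", SITE_A, SITE_B), ("permit", SITE_A, ANY)]  # PAT exemption


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StaticNat:
    """One 'ip nat inside source static tcp ...' entry. condition is the ACL a
    route-map would evaluate; None means the entry applies to every destination."""
    proto: str
    local_ip: str
    local_port: int
    global_port: int
    condition: Optional[list] = None


def acl_permits(acl, pkt):
    """First matching entry wins; implicit deny at the end, as on IOS."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def nat_inside_to_outside(pkt, statics, dyn_acl):
    """Static entries are consulted before the dynamic overload entry.
    Returns the (possibly translated) packet and which rule fired."""
    for st in statics:
        if (pkt.proto, pkt.src, pkt.sport) == (st.proto, st.local_ip, st.local_port):
            if st.condition is None or acl_permits(st.condition, pkt):
                return replace(pkt, src=OUTSIDE_IP, sport=st.global_port), "static"
    if acl_permits(dyn_acl, pkt):
        # constructed ephemeral port for the overload translation
        return replace(pkt, src=OUTSIDE_IP, sport=50000), "pat"
    return pkt, "none"


def forward(pkt, statics):
    """Inside->outside: NAT runs first, then the crypto map checks ACL 100."""
    out, rule = nat_inside_to_outside(pkt, statics, ACL_101)
    return {"src": out.src, "sport": out.sport, "nat": rule,
            "encrypted": acl_permits(ACL_100, out)}


# Static port forwards as posted: no destination condition at all.
AS_POSTED = [StaticNat("tcp", "192.168.1.100", 9000, 9000),
             StaticNat("tcp", "192.168.1.100", 9005, 9005)]
# Hypothetical destination-aware variant: static entry skipped for site B traffic.
CONDITIONED = [StaticNat("tcp", "192.168.1.100", 9000, 9000, ACL_101),
               StaticNat("tcp", "192.168.1.100", 9005, 9005, ACL_101)]

# Server replies: one to a site B client over the tunnel, one to an Internet client.
VPN_REPLY = Packet("tcp", "192.168.1.100", 9000, "192.168.2.50", 40000)
INTERNET_REPLY = Packet("tcp", "192.168.1.100", 9000, "198.51.100.10", 40001)

if __name__ == "__main__":
    for name, statics in (("as posted", AS_POSTED), ("conditioned", CONDITIONED)):
        for label, pkt in (("VPN reply", VPN_REPLY), ("Internet reply", INTERNET_REPLY)):
            print(f"{name:12} {label:15} {forward(pkt, statics)}")
```

Running it shows the conflict directly: with the entries as posted, the reply from 192.168.1.100:9000 to the site B client is translated to the outside address before the crypto map sees it, so ACL 100 no longer matches and the packet is not encrypted; the reply to the Internet client is translated as intended. With a destination-aware static entry the site B reply stays untranslated and matches ACL 100, while the Internet reply is still port-forwarded. A quick check on the real router is to watch `show ip nat translations` while a site B user connects: a translation for the server's VPN-bound replies is the same symptom this model reproduces.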
