Adding NAT for Internet users, breaks VPN user access

swiftsoft
Level 1

Hi,

 

I have a VPN from head office to remote office as follows:

 

Head office: 10.10.10.0/24   - Cisco ASA 5508

Remote office: 10.10.20.0/24   - Cisco 887 router

 

Currently users print from a server 10.10.10.15 to a printer 10.10.20.70 using tcp port 9101

We have a new requirement to allow 3 Internet IP addresses to access the same printer using port 65001.

 

When I add the line below to the remote office router, I can no longer 'telnet 10.10.20.70 9101' from head office server 10.10.10.15

 

ip nat inside source static tcp 10.10.20.70 9101 interface Dialer1 65001

 

What am I doing wrong?

I assume I need to exclude the 10.10.10.0/24 network from the above NAT statement, but I don't know how to.

 

Thank you

Keith

4 Replies

Hello,

 

with this line:

 

--> ip nat inside source static tcp 10.10.20.70 9101 interface Dialer1 65001

 

all traffic for that TCP port and IP address goes out to the Internet. Indeed you need to configure NAT exemptions on both sides.

 

Can you post the configs of both the ASA and the 887 router ?
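As an added illustration of the ordering Georg describes (this is a constructed model, not code from the thread's participants or from Cisco), the script below replays the router's NAT decision for the printer's reply packet using the addresses, ACL 101 and crypto ACL 102 from the posted 887 config. On IOS the inside-source NAT step runs before the crypto map is evaluated, and a static entry is checked before the dynamic `list 101` entry, so the `deny` lines in ACL 101 never protect traffic that a static entry already matched. The `exempt_dst` field stands in for a NAT exemption attached to the static entry; the thread does not give the final IOS command for that, so the exact syntax is not shown here. The Dialer1 public address and the client addresses are placeholders from documentation ranges.

```python
"""Model of IOS NAT-before-crypto ordering for the 887 printer case.

Constructed example: it models the decision logic, it is not router code.
Addresses, ports and ACLs are taken from the config posted in the thread.
"""
import ipaddress
from dataclasses import dataclass, replace

# Public address negotiated on Dialer1 (constructed placeholder, documentation range).
DIALER1_IP = "203.0.113.10"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def in_net(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

# access-list 101 from the config: VPN-bound traffic is denied (not PAT'ed), the rest is overloaded.
ACL_101 = [
    ("deny",   "10.10.20.0/24",  "10.10.10.0/24"),
    ("deny",   "10.10.20.0/24",  "10.10.60.0/24"),
    ("deny",   "10.10.20.0/24",  "10.10.200.0/24"),
    ("permit", "10.2.20.0/24",   "0.0.0.0/0"),
    ("permit", "10.10.20.0/24",  "0.0.0.0/0"),
    ("permit", "192.168.0.0/24", "0.0.0.0/0"),
]
# access-list 102 from the config: crypto ACL for crypto map HQmap 10.
ACL_102 = [
    ("permit", "10.10.20.0/24", "10.10.10.0/24"),
    ("permit", "10.10.20.0/24", "10.10.200.0/24"),
    ("permit", "10.2.20.0/24",  "10.10.2.0/24"),
]

def acl_permits(acl, pkt: Packet) -> bool:
    """First matching line wins; implicit deny at the end, as on IOS."""
    for action, src, dst in acl:
        if in_net(pkt.src, src) and in_net(pkt.dst, dst):
            return action == "permit"
    return False

@dataclass(frozen=True)
class StaticPat:
    """One 'ip nat inside source static tcp ... interface Dialer1 <port>' entry."""
    local_ip: str
    local_port: int
    global_port: int
    # Destinations excluded from this entry. Models a NAT exemption on the
    # static entry (the thread does not show the IOS command); empty = none.
    exempt_dst: tuple = ()

def nat_inside_to_outside(pkt: Packet, statics) -> Packet:
    """Inside-to-outside NAT: static entries are consulted before the dynamic list.

    A static entry carries no ACL, so without an exemption it rewrites the
    source of *every* packet from local_ip:local_port, VPN-bound or not.
    """
    for s in statics:
        if pkt.src == s.local_ip and pkt.sport == s.local_port:
            if any(in_net(pkt.dst, n) for n in s.exempt_dst):
                continue
            return replace(pkt, src=DIALER1_IP, sport=s.global_port)
    if acl_permits(ACL_101, pkt):
        # 'ip nat inside source list 101 interface Dialer1 overload': PAT to an ephemeral port.
        return replace(pkt, src=DIALER1_IP, sport=40000)
    return pkt  # denied by ACL 101: no translation, private source kept

def leaves_via(pkt: Packet, statics) -> str:
    """Crypto map HQmap is evaluated after NAT, on the translated packet."""
    translated = nat_inside_to_outside(pkt, statics)
    return "tunnel" if acl_permits(ACL_102, translated) else "internet-cleartext"

if __name__ == "__main__":
    # The printer's reply to the head-office print server (constructed client port).
    hq_reply = Packet("10.10.20.70", 9101, "10.10.10.15", 51000)
    broken = StaticPat("10.10.20.70", 9101, 65001)
    fixed = StaticPat("10.10.20.70", 9101, 65001,
                      exempt_dst=("10.10.10.0/24", "10.10.60.0/24", "10.10.200.0/24"))
    print("no static entry :", leaves_via(hq_reply, []))        # tunnel
    print("static, no exempt:", leaves_via(hq_reply, [broken]))  # internet-cleartext
    print("static + exempt :", leaves_via(hq_reply, [fixed]))   # tunnel
```

Running it shows why 'telnet 10.10.20.70 9101' from 10.10.10.15 stops working: the SYN still arrives through the tunnel, but the printer's reply is rewritten to the Dialer1 address and port 65001, no longer matches ACL 102, and is sent in the clear to the Internet instead of into the IPsec SA. Traffic to an Internet client is unaffected by the exemption and still reaches port 65001 as intended.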

Hi Georg,

 

I have posted below the 887 router config. The ASA should be fine, as it works again if I remove the:

 

ip nat inside source static tcp 10.10.20.70 9101 interface Dialer1 65001

 

from the 887. 

 

Thank you for having a look at this.

 

Regards,

Keith

 

887 config:

 

!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
no aaa new-model
ethernet lmi ce
!
ip dhcp excluded-address 10.10.20.70 10.10.20.254
!
ip dhcp pool LAN
network 10.10.20.0 255.255.255.0
default-router 10.10.20.254
dns-server 10.10.10.10 10.10.10.11
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C887VA-K9 sn REMOVED
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp keepalive 180 periodic
!
crypto isakmp peer address REMOVED
set aggressive-mode password REMOVED
set aggressive-mode client-endpoint user-fqdn REMOVED
!
crypto isakmp peer address REMOVED
set aggressive-mode password REMOVED
set aggressive-mode client-endpoint user-fqdn REMOVED
!
!
crypto ipsec transform-set HQset esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map HQmap 10 ipsec-isakmp
set peer REMOVED
set security-association lifetime kilobytes disable
set security-association lifetime seconds 28800
set transform-set HQset
match address 102
crypto map HQmap 20 ipsec-isakmp
set peer REMOVED
set security-association lifetime kilobytes disable
set security-association lifetime seconds 28800
set transform-set HQset
match address 103
!
!
!
!
!
!
interface ATM0
no ip address
shutdown
atm vc-per-vp 128
no atm ilmi-keepalive
pvc 0/38
oam-pvc 0
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 3
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport mode trunk
no ip address
!
interface Vlan1
ip address 10.10.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 10.2.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan3
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname REMOVED
ppp chap password REMOVED
crypto map HQmap
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.9 3388 interface Dialer1 3388
ip nat inside source static tcp 192.168.0.9 5611 interface Dialer1 5611
ip nat inside source static tcp 192.168.0.9 5552 interface Dialer1 5552
ip nat inside source static tcp 192.168.0.9 5553 interface Dialer1 5553
ip nat inside source static tcp 10.10.20.230 22 interface Dialer1 22
ip nat inside source static tcp 10.10.20.70 9101 interface Dialer1 65001
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip sla 100
icmp-echo 10.10.10.250 source-interface Vlan1
ip sla schedule 100 life forever start-time now
ip sla 101
icmp-echo 10.10.60.2 source-interface Vlan1
ip sla schedule 101 life forever start-time now
ip sla 102
icmp-echo 10.10.200.67 source-interface Vlan1
ip sla schedule 102 life forever start-time now
dialer-list 1 protocol ip permit
!
snmp-server community public RO
access-list 101 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 deny ip 10.10.20.0 0.0.0.255 10.10.60.0 0.0.0.255
access-list 101 deny ip 10.10.20.0 0.0.0.255 10.10.200.0 0.0.0.255
access-list 101 permit ip 10.2.20.0 0.0.0.255 any
access-list 101 permit ip 10.10.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.10.20.0 0.0.0.255 10.10.200.0 0.0.0.255
access-list 102 permit ip 10.2.20.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 103 permit ip 10.10.20.0 0.0.0.255 10.10.60.0 0.0.0.255
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password REMOVED
login
transport input all
!
scheduler allocate 20000 1000
ntp server 109.74.206.120
!

Hi Georg,

 

Below is the config from the 887 branch office router.

 

The head office ASA should be fine, as I have not changed anything there. If I remove the 

ip nat inside source static tcp 10.10.20.70 9101 interface Dialer1 65001

 

the printing from head office is restored.

 

Thank you for having a look at this issue.

 

Regards

Keith

 

!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
no aaa new-model
ethernet lmi ce
!
ip dhcp excluded-address 10.10.20.70 10.10.20.254
!
ip dhcp pool LAN
network 10.10.20.0 255.255.255.0
default-router 10.10.20.254
dns-server 10.10.10.10 10.10.10.11
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C887VA-K9 sn REMOVED
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp keepalive 180 periodic
!
crypto isakmp peer address REMOVED
set aggressive-mode password REMOVED
set aggressive-mode client-endpoint user-fqdn REMOVED
!
crypto isakmp peer address REMOVED
set aggressive-mode password REMOVED
set aggressive-mode client-endpoint user-fqdn REMOVED
!
!
crypto ipsec transform-set HQset esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map HQmap 10 ipsec-isakmp
set peer REMOVED
set security-association lifetime kilobytes disable
set security-association lifetime seconds 28800
set transform-set HQset
match address 102
crypto map HQmap 20 ipsec-isakmp
set peer REMOVED
set security-association lifetime kilobytes disable
set security-association lifetime seconds 28800
set transform-set HQset
match address 103
!
!
!
!
!
!
interface ATM0
no ip address
shutdown
atm vc-per-vp 128
no atm ilmi-keepalive
pvc 0/38
oam-pvc 0
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 3
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport mode trunk
no ip address
!
interface Vlan1
ip address 10.10.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 10.2.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan3
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname REMOVED
ppp chap password REMOVED
crypto map HQmap
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.9 3388 interface Dialer1 3388
ip nat inside source static tcp 192.168.0.9 5611 interface Dialer1 5611
ip nat inside source static tcp 192.168.0.9 5552 interface Dialer1 5552
ip nat inside source static tcp 192.168.0.9 5553 interface Dialer1 5553
ip nat inside source static tcp 10.10.20.230 22 interface Dialer1 22
ip nat inside source static tcp 10.10.20.70 9101 interface Dialer1 65001
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip sla 100
icmp-echo 10.10.10.250 source-interface Vlan1
ip sla schedule 100 life forever start-time now
ip sla 101
icmp-echo 10.10.60.2 source-interface Vlan1
ip sla schedule 101 life forever start-time now
ip sla 102
icmp-echo 10.10.200.67 source-interface Vlan1
ip sla schedule 102 life forever start-time now
dialer-list 1 protocol ip permit
!
snmp-server community public RO
access-list 101 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 deny ip 10.10.20.0 0.0.0.255 10.10.60.0 0.0.0.255
access-list 101 deny ip 10.10.20.0 0.0.0.255 10.10.200.0 0.0.0.255
access-list 101 permit ip 10.2.20.0 0.0.0.255 any
access-list 101 permit ip 10.10.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.10.20.0 0.0.0.255 10.10.200.0 0.0.0.255
access-list 102 permit ip 10.2.20.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 103 permit ip 10.10.20.0 0.0.0.255 10.10.60.0 0.0.0.255
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password REMOVED
login
transport input all
!
scheduler allocate 20000 1000
ntp server 109.74.206.120
!

My reply keeps getting deleted!

 

The 887 config is below. I have removed public IP addresses and passwords.

 

!
ip dhcp excluded-address 10.10.20.70 10.10.20.254
!
ip dhcp pool LAN
network 10.10.20.0 255.255.255.0
default-router 10.10.20.254
dns-server 10.10.10.10 10.10.10.11
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
controller VDSL 0
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp keepalive 180 periodic
!
crypto isakmp peer address REMOVED
set aggressive-mode password REMOVED
set aggressive-mode client-endpoint user-fqdn REMOVED
!
crypto isakmp peer address REMOVED
set aggressive-mode password REMOVED
set aggressive-mode client-endpoint user-fqdn REMOVED
!
!
crypto ipsec transform-set HQset esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map HQmap 10 ipsec-isakmp
set peer REMOVED
set security-association lifetime kilobytes disable
set security-association lifetime seconds 28800
set transform-set HQset
match address 102
crypto map HQmap 20 ipsec-isakmp
set peer REMOVED
set security-association lifetime kilobytes disable
set security-association lifetime seconds 28800
set transform-set HQset
match address 103
!
!
!
!
!
!
interface ATM0
no ip address
shutdown
atm vc-per-vp 128
no atm ilmi-keepalive
pvc 0/38
oam-pvc 0
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
!
interface Ethernet0.101
encapsulation dot1Q 101
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 3
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport mode trunk
no ip address
!
interface Vlan1
ip address 10.10.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 10.2.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan3
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname REMOVED
ppp chap password REMOVED
crypto map HQmap
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.9 3388 interface Dialer1 3388
ip nat inside source static tcp 192.168.0.9 5611 interface Dialer1 5611
ip nat inside source static tcp 192.168.0.9 5552 interface Dialer1 5552
ip nat inside source static tcp 192.168.0.9 5553 interface Dialer1 5553
ip nat inside source static tcp 10.10.20.230 22 interface Dialer1 22
ip nat inside source static tcp 10.10.20.70 9101 interface Dialer1 65001
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
!
access-list 101 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 deny ip 10.10.20.0 0.0.0.255 10.10.60.0 0.0.0.255
access-list 101 deny ip 10.10.20.0 0.0.0.255 10.10.200.0 0.0.0.255
access-list 101 permit ip 10.2.20.0 0.0.0.255 any
access-list 101 permit ip 10.10.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.10.20.0 0.0.0.255 10.10.200.0 0.0.0.255
access-list 102 permit ip 10.2.20.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 103 permit ip 10.10.20.0 0.0.0.255 10.10.60.0 0.0.0.255
!
