Hi Mark,
I've tried your solution on a Cisco Router-891F IOS ver 15.7 but, it doesn't work - Below is copy of my config -
Let me know your thoughts please.
- So i have NAT overload on my wan interface
- Requirement: Need to add static nat entries from an outside SIP server to an internal PBX server for sip traffic and provider's management purposes.
ip access-list extended SIP-ACL
remark Allow NAT from Outside_Provider-to-Inside_PBX
permit udp host 192.168.168.168 host 2.2.2.2 eq 5060
permit udp host 192.168.168.168 host 2.2.2.2 range 21000 24999
permit tcp host 192.168.168.168 host 3.3.3.3 eq 8080
permit tcp host 192.168.168.168 host 3.3.3.3 eq 7117
permit tcp host 192.168.168.168 host 3.3.3.3 eq 3306
permit tcp host 192.168.168.168 host 3.3.3.3 range 7100 7156
deny ip any any log
route-map Test-MAP permit 10
match ip address SIP-ACL
ip nat inside source static 192.168.168.168(Local IP) 1.1.1.1(WAN IP) route-map Test-Map extendable
Problem:
- The moment i apply the above static nat with the route-map, my outbound GRE/ESP traffic gets filtered by the Route-MAP Test-MAP "SIP-ACL" which blocks GRE/ESP hence bringing all my Tunnels down.
- GRE/ESP/UDP iskamp is allowed on the inbound ACL on the WAN interface which is receiving the GRE traffic but the same traffic gets filtered on the way out towards the VPN-Headends via the SIP-ACL which is referenced by the Route-map Test-MAP.
