NAT incoming from internet but not VPN Tunnel

MikeTomasko
Level 4

I have my router set up with 2 NAT commands to forward traffic coming in on certain ports to 2 different servers based on what the port number is. I have this set up so I can VNC into the servers remotely.

ip nat inside source static tcp 172.16.0.17 5959 interface FastEthernet0/1 5959

ip nat inside source static tcp 172.16.0.16 5900 interface FastEthernet0/1 5900

My problem is that now I have a VPN tunnel set up from my house to the lab router, so when I'm home I'd like to be able to VNC to the servers directly through the VPN tunnel. So I don't need those IPs translated when I'm on the VPN tunnel, but I do need them translated when I'm remote but NOT on the VPN tunnel. Hope that all makes sense! Thanks!!

22 Replies

Hi Mike,

How did you go with that config?

Here is the document which exactly addresses your situation,

Have a look

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml#intro

Rate all helpful posts.

Muhammad

I'm still having no luck. Any more ideas or sample configs to try? I went with that config because I needed to use the static TCP translations to redirect traffic coming in on port 5900 to one inside server and traffic coming in on port 5959 to another server. That was before I had the site-to-site VPN. Now I'd like to be able to connect to the servers from anywhere using the translation on FA0/1 and from the VPN. But with my current config, it won't allow me to go directly to the server when I'm on the site VPN. I can only connect through the outside internet IP.

Did you try a static NAT statement with a route map having the appropriate entries? Go through that link I sent you in my last post; it should resolve your problem.

I'm still new to this and learning the hard way. Can you post the config you want me to try? I posted my whole config last night, so you can get my IP scheme, etc. from there. Thanks.

Have a look and add it into your config; it can be summarised further once you understand it.

ip nat inside source static tcp 172.16.0.17 5959 Ext IP address 5959 route-map static1
ip nat inside source static tcp 172.16.0.16 5900 Ext IP address 5900 route-map static2

access-list 131 deny ip host 172.16.0.17 172.16.1.0 0.0.0.255
access-list 131 permit ip host 172.16.0.17 any
access-list 132 deny ip host 172.16.0.16 172.16.1.0 0.0.0.255
access-list 132 permit ip host 172.16.0.16 any

route-map static1 permit 10
 match ip address 131
route-map static2 permit 10
 match ip address 132
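The config above works because each static translation is gated by a route-map whose ACL denies the inside host's traffic toward the remote VPN subnet (172.16.1.0/24, as written in the posted access-lists) and permits everything else, so only non-VPN traffic is translated. The following simulator is an added example, not code from the thread or from Cisco; it models that decision for inside-to-outside packets using IOS wildcard-mask semantics so the effect of the deny lines can be checked offline. The external address 203.0.113.10 is a constructed stand-in for the "Ext IP address" placeholder, and the sample destinations are constructed test values.

```python
"""Simulator for route-map-gated static NAT (added example, not from the thread).

Addresses and ACL entries are taken from the posted config; 203.0.113.10
stands in for the 'Ext IP address' placeholder (constructed value).
"""
import ipaddress
from dataclasses import dataclass

EXTERNAL_IP = "203.0.113.10"  # constructed stand-in for the FastEthernet0/1 address


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    src: str           # inside host address ('host' keyword in IOS)
    dst_net: str       # destination network address
    dst_wildcard: str  # IOS wildcard mask (1 bits are "don't care")


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard semantics: compare only the bits that are 0 in the wildcard."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def acl_permits(entries, src: str, dst: str) -> bool:
    """First-match evaluation; an IOS ACL ends with an implicit 'deny any'."""
    for e in entries:
        if src == e.src and wildcard_match(dst, e.dst_net, e.dst_wildcard):
            return e.action == "permit"
    return False


# access-list 131 / 132 as posted: deny traffic toward the 172.16.1.0/24 VPN
# side, permit everything else for the respective inside host ('any' is
# 0.0.0.0 with wildcard 255.255.255.255).
ACL_131 = [
    AclEntry("deny",   "172.16.0.17", "172.16.1.0", "0.0.0.255"),
    AclEntry("permit", "172.16.0.17", "0.0.0.0",    "255.255.255.255"),
]
ACL_132 = [
    AclEntry("deny",   "172.16.0.16", "172.16.1.0", "0.0.0.255"),
    AclEntry("permit", "172.16.0.16", "0.0.0.0",    "255.255.255.255"),
]

# ip nat inside source static tcp <inside ip> <port> <ext ip> <port> route-map <name>
STATIC_NAT = [
    # (inside ip, inside port, global port, ACL referenced by the route-map)
    ("172.16.0.17", 5959, 5959, ACL_131),   # route-map static1
    ("172.16.0.16", 5900, 5900, ACL_132),   # route-map static2
]


def translate_inside_to_outside(src_ip: str, src_port: int, dst_ip: str):
    """Return the (ip, port) an inside-sourced packet leaves the router with.

    The static entry applies only when the route-map's ACL permits the
    src/dst pair; a 'deny' leaves the real inside address untouched, which is
    what lets a VPN peer on 172.16.1.0/24 talk to the server directly.
    """
    for inside_ip, inside_port, global_port, acl in STATIC_NAT:
        if (src_ip, src_port) == (inside_ip, inside_port) and acl_permits(acl, src_ip, dst_ip):
            return (EXTERNAL_IP, global_port)
    return (src_ip, src_port)


if __name__ == "__main__":
    # Reply from the VNC server to an internet client (constructed): translated.
    print(translate_inside_to_outside("172.16.0.17", 5959, "198.51.100.7"))
    # Reply to a VPN client on 172.16.1.0/24 (constructed): left untranslated.
    print(translate_inside_to_outside("172.16.0.17", 5959, "172.16.1.20"))
```

Reading the two printed tuples side by side shows the difference the deny line makes: the same server socket is presented as the router's external address to the internet, but as its real 172.16.0.x address to the VPN subnet. When checking a live router, the equivalent observation is whether a translation entry appears for a VPN-bound flow.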

I'll have to do some more testing, but I think you got it! Thanks SO much!!

Could you give me a quick explanation of the changes?

Also, my external IP is dynamic. Although I haven't seen it change yet, it's bound to change sometime. Is there any way to write the NAT command so it updates when the external IP changes? That's why I was tying my NAT command to the interface before. I haven't found a way yet to tie a NAT command to an interface and a route-map. Thanks!

Anyone have any ideas, or am I gonna have to just update my NAT statement if/when my IP changes from my ISP? Thanks!

I'm guessing there's no way to do this since nobody has replied? Thanks!
