NAT issue through VPN tunnel

freeman6351
Level 1

I have the following scenario I need help understanding/resolving:

PC1 is connected to a Cisco router (R1) on LAN 10.254.0.1/24, which has a point-to-point IPsec VPN tunnel to another Cisco router (R2) with PC2 on LAN 10.254.1.1/24.

I am able to communicate over TCP 443 from PC1 to PC2 until I add the NAT route below into R2 in order to enable TCP 443 access to PC2 (10.254.1.200) from R2 WAN on outside port 11443:

ip nat inside source static tcp 10.254.1.200 443 61.0.1.2 11443 extendable

With the above NAT route I am able to access PC2 from R2 WAN, but it breaks TCP 443 traffic from PC1 over the VPN tunnel.

How can I get TCP 11443 from R2 WAN to TCP 443 on PC2 while keeping TCP 443 traffic working between PC1 and PC2 over the VPN tunnel? It seems the above NAT rule is holding open port 443?

Thanks for any help/suggestions!

Accepted Solution

Philip D'Ath
VIP Alumni

You need to combine the NAT with a route-map to make it conditional.  Something like:

! Traffic from PC2's LAN to PC1's LAN is VPN-bound and must NOT be translated;
! everything else (including the port-forward from the WAN) still gets NAT.
access-list 104 remark Traffic not to NAT Inbound
access-list 104 deny ip 10.254.1.0 0.0.0.255 10.254.0.0 0.0.0.255
access-list 104 permit ip any any
!
! The route-map permits (so the translation applies) only where ACL 104 permits
route-map no-nat permit 1
  match ip address 104
!
! route-map makes the static translation conditional; reversible lets the
! outside-to-inside (WAN -> PC2) direction use the same route-map
ip nat inside source static tcp 10.254.1.200 443 61.0.1.2 11443 route-map no-nat reversible extendable

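Why the unconditional static NAT breaks the tunnel, and why the route-map fixes it, can be seen by modelling R2's NAT decision. The following is an added illustration, not code from the thread or from Cisco: it approximates IOS behaviour (inside-to-outside NAT is evaluated before the crypto map decides whether a packet is tunnel traffic) using the thread's addresses plus some assumed ones (PC1 as 10.254.0.50, an Internet client at 203.0.113.10, and a crypto ACL of 10.254.1.0/24 to 10.254.0.0/24 on R2). With the plain static entry, PC2's TCP 443 reply to PC1 is rewritten to 61.0.1.2:11443 and no longer matches the crypto ACL; with `route-map no-nat`, the deny line in ACL 104 leaves that reply untranslated while the WAN port-forward still works.

```python
"""Model of R2's static port NAT with and without the route-map condition.
Added illustration only; it approximates IOS order of operations and is not
Cisco code.  Addresses not in the thread (PC1 host, WAN client) are assumed.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def _ip(s: str) -> int:
    return int(IPv4Address(s))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(network) & care)


# access-list 104 from the answer: (action, src, src-wildcard, dst, dst-wildcard)
ACL_104 = [
    ("deny", "10.254.1.0", "0.0.0.255", "10.254.0.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

# Assumed crypto ACL on R2: LAN2 -> LAN1 is the interesting traffic
CRYPTO_ACL = [("permit", "10.254.1.0", "0.0.0.255", "10.254.0.0", "0.0.0.255")]


def acl_permits(acl, pkt: Packet) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(pkt.src, s, sw) and wildcard_match(pkt.dst, d, dw):
            return action == "permit"
    return False


def route_map_no_nat(pkt: Packet) -> bool:
    """route-map no-nat permit 1 / match ip address 104"""
    return acl_permits(ACL_104, pkt)


@dataclass(frozen=True)
class StaticPortNat:
    local_ip: str = "10.254.1.200"
    local_port: int = 443
    global_ip: str = "61.0.1.2"
    global_port: int = 11443
    route_map: object = None  # callable(Packet) -> bool, or None (unconditional)


def nat_inside_to_outside(pkt: Packet, nat: StaticPortNat) -> Packet:
    """Source translation for packets leaving the inside interface."""
    if (pkt.src, pkt.sport) != (nat.local_ip, nat.local_port):
        return pkt
    if nat.route_map is not None and not nat.route_map(pkt):
        return pkt  # route-map denied: packet stays untranslated
    return replace(pkt, src=nat.global_ip, sport=nat.global_port)


def nat_outside_to_inside(pkt: Packet, nat: StaticPortNat) -> Packet:
    """Destination translation for packets arriving on the WAN (reversible)."""
    if (pkt.dst, pkt.dport) != (nat.global_ip, nat.global_port):
        return pkt
    if nat.route_map is not None and not nat.route_map(pkt):
        return pkt
    return replace(pkt, dst=nat.local_ip, dport=nat.local_port)


def r2_forward_reply(nat: StaticPortNat) -> tuple[Packet, str]:
    """PC2's TCP 443 reply to PC1 leaving R2 (PC1 address/port are assumed)."""
    reply = Packet("10.254.1.200", 443, "10.254.0.50", 51000)
    out = nat_inside_to_outside(reply, nat)  # NAT runs before the crypto check
    path = "ipsec-tunnel" if acl_permits(CRYPTO_ACL, out) else "cleartext-wan"
    return out, path


def r2_forward_wan_client(nat: StaticPortNat) -> Packet:
    """A constructed Internet client connecting to R2's WAN on 11443."""
    return nat_outside_to_inside(Packet("203.0.113.10", 40000, "61.0.1.2", 11443), nat)


if __name__ == "__main__":
    cases = (("unconditional", StaticPortNat()),
             ("route-map no-nat", StaticPortNat(route_map=route_map_no_nat)))
    for label, nat in cases:
        pkt, path = r2_forward_reply(nat)
        print(f"{label:16} reply {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} via {path}")
        wan = r2_forward_wan_client(nat)
        print(f"{label:16} wan client lands on {wan.dst}:{wan.dport}")
```

The same check is worth doing on the real box: `show ip nat translations` while PC1 is talking to PC2 should show no entry for the tunnel traffic once the route-map is in place, and `show crypto ipsec sa` should keep counting encrypted packets for the 10.254.1.0/24 to 10.254.0.0/24 pair.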
