04-21-2016 01:50 PM - edited 03-05-2019 03:51 AM
I have the following scenario I need help understanding/resolving:
PC1 is connected to a Cisco router (R1) on LAN 10.254.0.1/24, which has a point-to-point IPSEC VPN tunnel to another Cisco router (R2) with PC2 on LAN 10.254.1.1/24.
I am able to communicate over TCP 443 from PC1 to PC2 until I add the NAT route below into R2 in order to enable TCP 443 access to PC2 (10.254.1.200) from R2 WAN on outside port 11443:
ip nat inside source static tcp 10.254.1.200 443 61.0.1.2 11443 extendable
With the above NAT route I am able to access PC2 from R2 WAN, but it breaks TCP 443 traffic from PC1 over the VPN tunnel.
How can I get TCP 11443 from R2 WAN to TCP 443 on PC2 while keeping TCP 443 traffic working between PC1 and PC2 over the VPN tunnel? It seems the above NAT rule is holding open port 443?
Thanks for any help/suggestions!
04-21-2016 02:01 PM
You need to combine the NAT with a route-map to make it conditional. Something like:
access-list 104 remark Traffic not to NAT Inbound
access-list 104 deny ip 10.254.1.0 0.0.0.255 10.254.0.0 0.0.0.255
access-list 104 permit ip any any
route-map no-nat permit 1
match ip address 104
ip nat inside source static tcp 10.254.1.200 443 61.0.1.2 11443 route-map no-nat reversible extendable
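Added example, not from the thread or from Cisco: a small Python model of how the route-map makes the static NAT conditional. It evaluates access-list 104 with Cisco wildcard masks on the inside-to-outside leg only and shows why PC2's replies to PC1 over the tunnel stay untranslated (so the crypto ACL still matches them) while replies to a WAN client are still mapped to 61.0.1.2:11443. The WAN client address 203.0.113.9 and the PC1 host address 10.254.0.50 are constructed.

```python
import ipaddress

# Constructed model of IOS evaluating
# "ip nat inside source static tcp ... route-map no-nat" on inside->outside traffic.

# access-list 104 from the answer, as (action, src, src-wildcard, dst, dst-wildcard).
ACL_104 = [
    ("deny",   "10.254.1.0", "0.0.0.255", "10.254.0.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard (inverse) mask: bits set in the mask are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = (~w) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, src, dst):
    """First matching entry decides; an implicit deny ends every ACL."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False

def static_nat(src, sport, dst, route_map_acl=None):
    """Inside->outside hop for the static rule 10.254.1.200:443 -> 61.0.1.2:11443.
    With a route-map attached, the translation applies only when the ACL permits."""
    if (src, sport) != ("10.254.1.200", 443):
        return src, sport                      # rule does not cover this flow
    if route_map_acl is not None and not acl_permits(route_map_acl, src, dst):
        return src, sport                      # route-map denies: leave untranslated
    return "61.0.1.2", 11443

if __name__ == "__main__":
    # PC2 replying to PC1 across the tunnel, then to a constructed WAN client.
    for dst in ("10.254.0.50", "203.0.113.9"):
        print(dst, "no route-map:", static_nat("10.254.1.200", 443, dst),
              "with route-map:", static_nat("10.254.1.200", 443, dst, ACL_104))
```

Without the route-map the reply to PC1 leaves as 61.0.1.2:11443, which the tunnel's crypto ACL for 10.254.1.0/24 no longer matches; with it, only traffic not destined for 10.254.0.0/24 is translated.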