Port forwarded services not accessible over VPN

bluestreak66
Level 1

I have an issue with multiple routers where, once a port is forwarded for an internal service, that service is no longer accessible across the VPN tunnels.

Here is the part of my config in question showing one of the port forwards:

ip nat inside source list 100 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.14.0.20 8081 interface GigabitEthernet0/1 8081
!
ip access-list extended From_External
 deny   ip host 255.255.255.255 any
 deny   ip 10.14.0.0 0.0.255.255 any
 permit ip *.*.*.* 0.0.0.7 any
 permit ip host *.*.*.* any
 permit ip host *.*.*.* any
 permit ip host *.*.*.* any
 permit tcp any any eq 8081
 permit tcp any any eq 22
 permit tcp any any eq telnet
 permit udp any any eq bootpc
 deny   ip any any
ip access-list extended VPN-TRAFFIC
 permit ip 10.14.0.0 0.0.255.255 192.168.1.0 0.0.0.255
 permit ip 10.14.0.0 0.0.255.255 10.27.0.0 0.0.255.255
 permit ip 10.14.0.0 0.0.255.255 10.40.40.0 0.0.0.255
 permit ip 10.14.0.0 0.0.255.255 10.7.0.0 0.0.0.255
 permit ip 10.40.40.0 0.0.0.255 10.7.0.0 0.0.0.255
 permit ip 10.7.0.0 0.0.0.255 10.40.40.0 0.0.0.255
!
access-list 100 remark ~ Define NAT Traffic to Gi 0/0 - WAN ~
access-list 100 deny   ip 10.14.0.0 0.0.255.255 10.40.40.0 0.0.0.255
access-list 100 deny   ip 10.14.0.0 0.0.255.255 10.27.0.0 0.0.255.255
access-list 100 deny   ip 10.14.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 10.14.0.0 0.0.255.255 10.7.0.0 0.0.0.255
access-list 100 deny   ip 10.40.40.0 0.0.0.255 10.7.0.0 0.0.0.255
access-list 100 deny   ip 10.7.0.0 0.0.0.255 10.40.40.0 0.0.0.255
access-list 100 permit ip 10.14.0.0 0.0.255.255 any

It has to do with the port forward rule:

"ip nat inside source static tcp 10.14.0.20 8081 interface GigabitEthernet0/1 8081"

With the rule in place I can access it externally but not over the VPN; without the rule, access across the VPN is fine but there is no external access.

1 Reply

bluestreak66
Level 1

I found the answer I was looking for in another post. I needed to add a route map to the end of the port forward rule: 

ip nat inside source static tcp 10.14.0.20 8081 50.81.220.129 8081 route-map 100 extendable

However, it only allows an IP address to be specified and not an interface, which makes it tricky with a dynamic IP. If anyone knows of a solution please let me know.
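The corrected NAT line in the reply references a route-map named 100 but the post never shows its definition. The following is an added configuration example, not part of the original post, showing the route-map that makes that keyword work. It reuses access-list 100 exactly as it appears in the original config: the deny entries exclude the VPN-bound subnets from translation and the final permit covers Internet-bound traffic, so the static port forward is only applied to flows that are not headed into a tunnel. The route-map name "100", the sequence number 10, and the verification commands at the end are assumptions about how the poster set it up.

```cisco
! Added example (not from the original post).
! Route-map consulted by the static NAT entry. It matches access-list 100
! from the original config, which denies the VPN destinations and permits
! everything else, so VPN traffic is exempt from translation.
! Name "100" and sequence 10 are assumed.
route-map 100 permit 10
 match ip address 100
!
! Static port forward from the reply, now scoped by the route-map so that
! 10.14.0.20:8081 is still reachable unchanged across the VPN tunnels.
ip nat inside source static tcp 10.14.0.20 8081 50.81.220.129 8081 route-map 100 extendable
!
! Verification (standard IOS show commands, assumed to be what the poster
! would run): confirm the route-map is present and that only non-VPN
! flows appear as translated entries.
show route-map 100
show ip nat translations
```

Keeping the exemption tied to the same access-list that already drives the overload NAT means the two translation rules stay consistent: any subnet added to a new tunnel only needs a deny entry in access-list 100 (and the matching line in VPN-TRAFFIC), and both the dynamic and static translations will skip it.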