06-20-2011 03:21 AM - edited 03-04-2019 12:45 PM
Hi all.
OK - I have a server that I need to be seen from the outside world - I set up NAT and it worked fine.....but it broke communication from clients from a site on the site-to-site VPN....
So basically this router sits in our Moscow office and has a couple of site-to-site VPNs to sites in the UK.....traffic from these sites passes normally. Now when I create a static NAT rule to forward a specific port on anything connecting to the external interface to forward to the server internally it breaks communication from clients on any of the site-to-site VPNs - but does start port forwarding from Internet hosts.
What can I do to accomplish this kind of NAT/port forwarding so that it works for hosts on the Internet and hosts from site-to-site VPNs?
many thanks,
Mark
06-20-2011 03:48 AM
The solution would be Policy Based NAT.
You attach an ACL to the NAT statement - you define a "deny" for the internal remote L2L clients, and a permit for everything else.
HTH
06-20-2011 04:05 AM
Hi
Thanks for that - I thought that might be the answer.
I've defined my ACL.....but how do I attach this in my NAT statement?
My NAT statement which I have been using (the one that breaks it over the VPN) is:
ip nat inside source static tcp 192.168.106.1 1352 interface GigabitEthernet0/0 1352
What do I do to make it use the ACL?
06-20-2011 07:16 AM
Done it.....
OK, so you were right, but it has to be applied using a route-map - this explains it further:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
Thanks for the help.
06-20-2011 08:35 AM
np - glad to help.