Problem reaching internal services over site-to-site while NAT configured

Tommy Svensson
Level 1

Hi.

I'm having problems reaching internal services over my site-to-site tunnel while they have a NAT configured.

Description:

On site A I have an MSR30 router and behind that I have a web server running sites on port 80 that I have made available externally through NAT.

On site B I have a Cisco 1921 router with some clients behind that.

Site A and site B have an IPsec site-to-site tunnel set up between them.

Problem:

I can SSH from site B to the server on site A over the tunnel. If I configure a rule in the MSR30 to NAT SSH to the server it becomes available externally, but I can't SSH from site B all of a sudden. Same goes for HTTP: if it has a NAT rule, it becomes unavailable from site B.

What could be the problem here?

Kind regards, Tommy

Accepted Solution

The problem description exactly matches an environment where NAT exemption is not in place. Perhaps there is something wrong in the order of the NAT statements? But this HP problem will probably not be solved in a Cisco forum ... ;-)


3 Replies

If you configure NAT, then this translation is done for the server regardless of the destination (Internet or VPN). You need to configure a NAT-exemption that doesn't do NAT when the communication peer is reached through the tunnel, but still does NAT when the peer is a system on the internet.

But as this has to be done on the MSR30, your question is better placed in an HP forum.
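The behaviour the reply describes, as an added example that is not part of the original thread or of either vendor's documentation: a small model of the outbound path on site A's edge router, showing why a static port forward for the server breaks the same service over the IPsec tunnel, and why a NAT exemption only helps when it is matched before the static rule. All addresses are constructed for the example (site A LAN 192.168.10.0/24, site B LAN 192.168.20.0/24, server 192.168.10.5, public address 203.0.113.1 from the RFC 5737 documentation range), and the model assumes the usual IOS-style order on the way out: NAT is applied first, then the crypto map decides whether the packet is encrypted into the tunnel.

```python
"""
Added example (not code from the original thread): a model of the outbound
path on site A's edge router. A static port forward rewrites the server's
replies to the public address; once rewritten they no longer match the
tunnel's crypto ACL and leave in the clear toward the Internet instead.

Assumptions (all constructed for the example): site A LAN 192.168.10.0/24,
site B LAN 192.168.20.0/24, server 192.168.10.5, site A public address
203.0.113.1, and NAT running before the crypto map on the outbound path.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Callable, Optional

SITE_A_LAN = ip_network("192.168.10.0/24")
SITE_B_LAN = ip_network("192.168.20.0/24")
SERVER = ip_address("192.168.10.5")
SITE_A_PUBLIC = ip_address("203.0.113.1")


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: IPv4Address
    dst: IPv4Address
    sport: int = 0             # 0 for protocols without ports
    dport: int = 0


def in_crypto_acl(p: Packet) -> bool:
    """Interesting traffic for the site-to-site tunnel: A-LAN -> B-LAN."""
    return p.src in SITE_A_LAN and p.dst in SITE_B_LAN


# A NAT rule is (match predicate, translation). A translation of None means
# "exempt: leave the packet untouched". The first matching rule wins, which
# is why the order of the rules matters.
Translation = Optional[tuple[IPv4Address, int]]
Rule = tuple[Callable[[Packet], bool], Translation]


def static_port_forward(proto: str, inside_port: int, public_port: int) -> Rule:
    """Inside-to-outside half of a static port forward: replies leaving the
    server from inside_port get the router's public address and public_port."""
    def match(p: Packet) -> bool:
        return p.proto == proto and p.src == SERVER and p.sport == inside_port
    return match, (SITE_A_PUBLIC, public_port)


# NAT exemption: anything the tunnel should carry is not translated.
NAT_EXEMPT_VPN: Rule = (in_crypto_acl, None)


def apply_nat(p: Packet, rules: list[Rule]) -> Packet:
    for match, xlate in rules:
        if match(p):
            if xlate is None:
                return p                        # exempt
            new_src, new_sport = xlate
            return replace(p, src=new_src, sport=new_sport)
    return p                                    # no rule matched: untranslated


def egress(p: Packet, rules: list[Rule]) -> tuple[Packet, str]:
    """Outbound path: NAT first, then the crypto map. Returns the packet as it
    leaves the router and whether it went into the tunnel or out in the clear."""
    p = apply_nat(p, rules)
    return p, ("tunnel" if in_crypto_acl(p) else "internet")


# Three rule sets to compare.
FORWARDS = [static_port_forward("tcp", 22, 22), static_port_forward("tcp", 80, 80)]
NO_EXEMPTION = FORWARDS                        # what the question describes
EXEMPTION_LAST = FORWARDS + [NAT_EXEMPT_VPN]   # present, but never reached for 22/80
EXEMPTION_FIRST = [NAT_EXEMPT_VPN] + FORWARDS  # correct order

# Constructed reply packets leaving the server.
SSH_REPLY_TO_SITE_B = Packet("tcp", SERVER, ip_address("192.168.20.7"), 22, 51000)
SSH_REPLY_TO_INTERNET = Packet("tcp", SERVER, ip_address("198.51.100.9"), 22, 40000)
PING_REPLY_TO_SITE_B = Packet("icmp", SERVER, ip_address("192.168.20.7"))

if __name__ == "__main__":
    for name, rules in [("no exemption", NO_EXEMPTION),
                        ("exemption after static rule", EXEMPTION_LAST),
                        ("exemption before static rule", EXEMPTION_FIRST)]:
        for label, pkt in [("ssh -> site B", SSH_REPLY_TO_SITE_B),
                           ("ssh -> Internet", SSH_REPLY_TO_INTERNET),
                           ("ping -> site B", PING_REPLY_TO_SITE_B)]:
            out, path = egress(pkt, rules)
            print(f"{name:30} {label:16} src {out.src}:{out.sport:<5} via {path}")
```

The inbound half is left out on purpose: a SYN arriving through the tunnel already carries the server's inside address as destination, so the static rule does nothing to it; it is the reply that gets its source rewritten to the public address, misses the crypto ACL, and is sent unencrypted toward a private address that the Internet cannot route. The same model shows why ping keeps working: a port-specific static rule never matches ICMP, so those replies are left alone and still enter the tunnel.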

I have done the NAT exemption on both ends so that traffic destined for the tunnel does not go out through NAT.

When I ping the DNS record I've set up it goes locally, over the tunnel, and the server answers. It's just when I use the port that I also set up a NAT rule for that it doesn't work.

SSH works fine and goes over the tunnel as long as I don't have a NAT rule set up for port 22 to make it accessible externally.

Is there some general rule I'm missing about setting up NAT and site-to-site?

