cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
403
Views
0
Helpful
3
Replies

Public IP NAT across VPN

orddie234
Level 7
Level 7

Hi All,

I have a cisco UC lab at home which is starting to require public IP access (for video conferencing and expressway).   Thus far i have solved the issue by putting a router at a datacenter, and making use a route-maps DMVPN Combo

This has allowed me to NAT one of the public IP address at the datacenter across the DMVPN tunnel back to my house to a VM.  It's works rather nicely for expressway and exchange 2013.

My issue now is when i try and federate to Microsoft Lync.  I'm not able to get an encrypted SIP TLS connection to there sites.

The reason why i think it's this DMVPN setup is

1) The CoLo provider says they are not blocking anything
2) when i remove the route-maps and send expressway out my local Comcast residential connection, federation works without an issue.  I cant leave it like this for my IP changes often and comcast is known to block ports.

I'm thinking of removing the DMVPN connection and doing an L2 Bridge across an L3 but i'm NOT sure this will work with a dynamic connection on one end. 

so here is my config thus far with DMVPN.

CoLo Router

crypto isakmp policy 1
authentication pre-share
crypto isakmp key <Password> address 0.0.0.0

crypto ipsec transform-set trans2 esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile Orddie
set transform-set trans2

interface GigabitEthernet0/0
description Link to network
ip address <Public> Ip
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
media-type rj45
end

interface Tunnel10
bandwidth 1000
ip address 10.255.255.1 255.255.255.0
ip mtu 1400
ip nhrp authentication <Password>
ip nhrp map multicast dynamic
ip nhrp network-id 1006985
ip nhrp holdtime 600
ip ospf network broadcast
ip ospf priority 2
delay 1000
tunnel source gi0/0
tunnel mode gre multipoint
tunnel key 100698
tunnel protection ipsec profile Orddie

Doing a sh ip nat trans | sec 10.0.1.254 i see the connection going out from the datacenter where 10.0.1.254 is the outside interface of expressway edge (the host trying to talk on the internet)

tcp <Public IP>:27054 10.0.1.254:27054 52.112.67.51:5061 52.112.67.51:5061

on the house side i have the following

crypto isakmp policy 1
authentication pre-share
crypto isakmp key <Password> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile Orddie
set transform-set trans2
!
interface Tunnel10
bandwidth 1000
ip address 10.255.255.4 255.255.255.0
ip mtu 1400
ip nhrp authentication <Password>
ip nhrp map multicast <CoLo IP>
ip nhrp map 10.255.255.1 199.168.140.226
ip nhrp network-id 1006985
ip nhrp holdtime 300
ip nhrp nhs 10.255.255.1
ip ospf network broadcast
ip ospf priority 0
delay 1000
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 100698
tunnel protection ipsec profile Orddie

interface GigabitEthernet0/1
description ComCast!
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto

interface GigabitEthernet0/0.171
encapsulation dot1Q 171
ip address 10.0.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map DataCenterBound

route-map DataCenterBound permit 10
match ip address DataCenterBound
set ip next-hop 10.255.255.1

ip access-list extended DataCenterBound
deny ip host 172.16.40.4 any
deny ip host 172.16.40.3 any
deny ip host 172.16.40.254 any
deny ip host 172.16.40.6 any
deny ip host 172.16.40.7 any
deny ip host 172.16.40.8 any
deny ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip any any

3 Replies 3

Philip D'Ath
VIP Alumni
VIP Alumni

You haven't got an "ip nat inside" on Tunnel10 on the CoLo router.  You also don't show your NAT configuration.

Does this use port 5060 as well?  If so, try adding to the NATing router:

no ip nat service sip udp port 5060

This is on the Datacenter router. 

ip nat inside source static tcp 10.0.1.2 80 <Public IP A> 80 extendable

ip nat inside source static 10.0.1.253 <Public IP B>

ip nat inside source static tcp 10.0.1.3 25 1 <Public IP C> 25 extendable

ip nat inside source static tcp 10.0.1.2 53 <Public IP C> 53 extendable

ip nat inside source static udp 10.0.1.2 53 <Public IP C> 53 extendable

ip nat inside source static tcp 10.0.1.10 443 <Public IP C> 443 extendable

ip nat inside source static 10.0.1.3  <Public IP C>

ip nat inside source static 10.0.1.254 <Public IP D> extendable

ip nat inside source static tcp 10.0.1.2 53 <Public IP E> 53 extendable

ip nat inside source static 10.0.1.2 <Public IP E>

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: