I have a single public IP address. Maybe in the near future I will procure multiple public IP addresses so I have more flexibility in my configuration, but for now I am tasked with making this work.
I have forwarded multiple UDP ports to my 3CX PBX using a route map, but every time I do it brings down the IPsec transport protecting my GRE tunnels. I am unsure of the reason for this. Below are some portions of my config.
ip nat inside source list 1 interface FastEthernet0/1 overload
-snipped for brevity-
ip nat inside source static tcp 172.16.1.131 3389 <public> 3389 extendable
ip nat inside source static udp 172.16.1.131 5060 <public> 5060 extendable
ip nat inside source static tcp 172.16.1.131 5090 <public> 5090 extendable
ip nat inside source static udp 172.16.1.131 5090 <public> 5090 extendable
ip nat inside source static 172.16.1.131 <public> route-map PBX
route-map PBX permit 10
match ip address 106
access-list 106 permit udp any any range 9000 9094
When I apply the last static NAT statement my IPsec tunnel goes down.
show crypto session indicates DOWN-NEGOTIATING and I lose my OSPF adjacency.
Edit your ACL 106 to deny traffic between your public IP (IPsec peer) and the remote-end IPsec peer.
Hopefully this will solve your problem.
Thank you for the reply.
I have changed ACL 106 to the following:
Extended IP access list 106
10 deny ip host
20 deny ip host
30 deny ip any 172.16.254.0 0.0.0.3 <--tunnel point to point link
40 deny ip any 172.16.2.0 0.0.0.255 <--remote networks
50 permit udp any any range 9000 9094
As you can see, sequence 20 is getting matches, but the IPsec is still down.
I am unsure of the implications of using the route map at the end of that static NAT statement, i.e., what am I telling the router to do? Perhaps uncovering that will help me discover the solution.
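Added example, not from the thread and not Cisco's code: a small Python model of first-match ACL evaluation, run over ACL 106 as posted in the follow-up, to make concrete what "route-map PBX permit 10 / match ip address 106" tells the router. The static translation is used only for packets the ACL permits; a deny in the ACL does not drop the packet, it only leaves it outside this NAT entry. The peer addresses are constructed placeholders, since the post redacts <public> and elides the hosts in sequences 10 and 20; the example assumes those two entries are the local-peer/remote-peer denies the reply recommended.

```python
"""Added example (not from the thread): first-match evaluation of ACL 106 to
show which sequence each constructed packet hits and whether the route-map
conditioned static NAT would therefore apply.  Addresses are placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Placeholders for values the post redacts (<public> and the remote IPsec peer).
PUBLIC_IP = "203.0.113.10"
REMOTE_PEER = "198.51.100.20"
PBX = "172.16.1.131"


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp", "tcp", "esp", "gre", ...
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[Tuple[int, int]] = None  # inclusive "range lo hi"


def net(spec: str) -> ipaddress.IPv4Network:
    """Parse the Cisco address forms used in the ACL: any / host A / A wildcard."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.IPv4Network(spec[5:] + "/32")
    addr, wildcard = spec.split()
    # IPv4Network accepts a host mask (Cisco wildcard) after the slash.
    return ipaddress.IPv4Network(f"{addr}/{wildcard}")


# ACL 106 as posted in the follow-up.  Sequences 10 and 20 are assumed to be the
# "deny between local and remote IPsec peer" entries the reply suggested.
ACL_106 = [
    Ace(10, "deny", "ip", net(f"host {PUBLIC_IP}"), net(f"host {REMOTE_PEER}")),
    Ace(20, "deny", "ip", net(f"host {REMOTE_PEER}"), net(f"host {PUBLIC_IP}")),
    Ace(30, "deny", "ip", net("any"), net("172.16.254.0 0.0.0.3")),
    Ace(40, "deny", "ip", net("any"), net("172.16.2.0 0.0.0.255")),
    Ace(50, "permit", "udp", net("any"), net("any"), (9000, 9094)),
]


def first_match(acl, pkt: Packet) -> Tuple[Optional[int], str]:
    """Cisco ACL semantics: the first matching entry wins; implicit deny at the end."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ipaddress.IPv4Address(pkt.src) not in ace.src:
            continue
        if ipaddress.IPv4Address(pkt.dst) not in ace.dst:
            continue
        if ace.dports is not None and not (ace.dports[0] <= pkt.dport <= ace.dports[1]):
            continue
        return ace.seq, ace.action
    return None, "deny"


def nat_applies(acl, pkt: Packet) -> bool:
    """Under 'route-map PBX permit 10 / match ip address 106' the static NAT is
    used only for packets the ACL permits.  A deny does not drop the packet;
    it just leaves it untranslated by this particular NAT entry."""
    return first_match(acl, pkt)[1] == "permit"


if __name__ == "__main__":
    samples = [
        Packet("udp", PUBLIC_IP, REMOTE_PEER, 500),   # ISAKMP between the peers
        Packet("esp", REMOTE_PEER, PUBLIC_IP),         # inbound ESP from remote peer
        Packet("udp", PBX, "172.16.2.9", 9000),        # RTP toward the remote LAN
        Packet("udp", PBX, "192.0.2.50", 9050),        # RTP toward an Internet SIP trunk
        Packet("udp", PBX, "192.0.2.50", 5060),        # SIP signalling, outside the range
    ]
    for p in samples:
        print(p, "->", first_match(ACL_106, p), "NAT applies:", nat_applies(ACL_106, p))
```

Run the block to see each sample packet's matching sequence; the two peer-to-peer packets stop at sequences 10 and 20 and so are never handed to the route-map NAT, while only UDP 9000-9094 traffic that reaches sequence 50 gets the translation.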