cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
963
Views
0
Helpful
4
Replies
Highlighted

Static NAT multiple UDP ports brings down IPSEC Tunnel

I have a single public IP address. Maybe in the near future I will procure multiple public IP addresses so I have more flexibility in my configuration, but for now I am tasked with making this work.

I have forwarded multiple UDP ports to my 3cx PBX using a route map but every time I do it brings down my IPSEC transport protecting my GRE tunnels. I am unsure for the reason of this. Below are some portions of my config.

ip nat inside source list 1 interface FastEthernet0/1 overload

-snipped for brevity-

ip nat inside source static tcp 172.16.1.131 3389 <public> 3389 extendable

ip nat inside source static udp 172.16.1.131 5060 <public> 5060 extendable

ip nat inside source static tcp 172.16.1.131 5090 <public> 5090 extendable

ip nat inside source static udp 172.16.1.131 5090 <public> 5090 extendable

ip nat inside source static 172.16.1.131 <public> route-map PBX

route-map PBX permit 10

match ip address 106

access-list 106 permit udp any any range 9000 9094

When I apply the last static nat statement my IPSEC tunnel will go down.

show crypto session indicates DOWN-NEGOTIATING & I lose my OSPF adjacency.

Any ideas?

Everyone's tags (4)
4 REPLIES 4

Static NAT multiple UDP ports brings down IPSEC Tunnel

Hi,

Edit your ACL 106 to deny traffic between your Public IP (IPsec Peer) and remote end IPSEc Peer.

hopefully this will solve your problem.

HTH.

Static NAT multiple UDP ports brings down IPSEC Tunnel

Syed,

Thank you for the reply.

I have changed ACL 106 to the following:

Extended IP access list 106

    10 deny ip host host

    20 deny ip host host (132 matches)

    30 deny ip any 172.16.254.0 0.0.0.3 <--tunnel point to point link

    40 deny ip any 172.16.2.0 0.0.0.255 <--remote networks

    50 permit udp any any range 9000 9094

As you can see, sequence 20 is getting matches, but the IPSEC is still down.

I am unsure of the implications of using the route map on the end of that static NAT statement, i.e., what am I telling the router to do? Perhaps uncovering that will help me discover the solution.

Regards

Static NAT multiple UDP ports brings down IPSEC Tunnel

Hi Evan,

Please post the entire configuratoin.

thank you.

Static NAT multiple UDP ports brings down IPSEC Tunnel

Syed,

http://pastebin.com/AwrYVn6a

Thanks again for looking.

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards