Cisco NAT question

sslack031
Level 1

Hi All,

I've configured NAT on a Cisco 1921 router. I've configured port 25 to be forwarded to a mail server; however, when I connect a site using a site-to-site IPsec VPN, everything works besides the ports that I have NAT'd in.


ip nat pool WIGAN 22.22.22.154 22.22.22.158 netmask 255.255.255.248
ip nat inside source list 98 pool WIGAN overload
ip nat inside source list 110 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.245 443 22.22.22.156 443 extendable
ip nat inside source static tcp 192.168.1.241 25 22.22.22.157 25 extendable
ip nat inside source static tcp 192.168.1.241 80 22.22.22.157 80 extendable
ip nat inside source static tcp 192.168.1.241 143 22.22.22.157 143 extendable
ip nat inside source static tcp 192.168.1.241 443 22.22.22.157 443 extendable
ip nat inside source static tcp 192.168.1.241 993 22.22.22.157 993 extendable
ip nat inside source static tcp 192.168.1.247 443 22.22.22.158 443 extendable
ip nat inside source static tcp 192.168.1.247 3389 22.22.22.158 3389 extendable

access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any

Can anyone shed any light on this?


Accepted Solution

Collin Clark
VIP Alumni

Check this link, specifically the R3 configuration.

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14144-static.html

3 Replies


Hi Collin,

Thanks for the reply.

So to confirm, if I amend the following line:

ip nat inside source static tcp 192.168.1.241 25 22.22.22.157 25 extendable

to

ip nat inside source static tcp 192.168.1.241 25 22.22.22.157 25 route-map nonat

and then add a route-map to include all the IP addresses I don't want NAT to touch,

i.e.

access-list 150 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 150 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 150

Would that work?
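The reply above proposes hanging a route-map off the static entry so that traffic to the other VPN site is not translated. The following is an added illustration, not something posted in this thread, that models the address-selection logic with the thread's own addresses and ACL 150: without the route-map the static entry rewrites every packet from 192.168.1.241, including replies bound for the remote LAN, so their source no longer matches the inside networks; with the route-map, a deny in ACL 150 (or its implicit deny) skips translation. The crypto map is not shown in the thread, so 10.10.10.0/24 and 192.168.0.0/16 are assumed here to be the networks reached over the tunnel, taken from the denies in ACL 110 and ACL 150. Ports, connection state and the outside-to-inside direction are deliberately left out of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    """One line of an IOS extended ACL: action, source and destination with wildcard masks."""
    action: str       # "permit" or "deny"
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_action(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if (wildcard_match(src, entry.src, entry.src_wild)
                and wildcard_match(dst, entry.dst, entry.dst_wild)):
            return entry.action
    return "deny"


# ACL 150 exactly as proposed in the thread. The denied destinations are
# assumed (not confirmed by the thread) to be the networks behind the VPN peer.
ACL_150 = [
    AclEntry("deny",   "192.168.1.0", "0.0.0.255", "10.10.10.0",  "0.0.0.255"),
    AclEntry("deny",   "192.168.1.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
    AclEntry("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0",     "255.255.255.255"),
]

# Static entry for the mail server, from the original post.
MAIL_INSIDE_LOCAL = "192.168.1.241"
MAIL_INSIDE_GLOBAL = "22.22.22.157"


def outside_source(src: str, dst: str,
                   route_map_acl: Optional[List[AclEntry]] = None) -> str:
    """Source address a packet from `src` to `dst` carries after inside->outside NAT.

    Without a route-map the static entry translates every packet from the mail
    server.  With a route-map, translation happens only when the route-map's ACL
    permits the flow; a deny (or the implicit deny) leaves the address untouched.
    """
    if src != MAIL_INSIDE_LOCAL:
        return src                      # not covered by this static entry
    if route_map_acl is not None and acl_action(route_map_acl, src, dst) != "permit":
        return src                      # route-map does not match: no NAT
    return MAIL_INSIDE_GLOBAL


def compare(dst: str) -> dict:
    """Side by side: the source the far end sees with and without the route-map."""
    return {
        "extendable_only": outside_source(MAIL_INSIDE_LOCAL, dst),
        "with_route_map":  outside_source(MAIL_INSIDE_LOCAL, dst, ACL_150),
    }


if __name__ == "__main__":
    # Constructed destinations: two hosts on the assumed remote VPN LANs and one Internet host.
    for dst in ("10.10.10.5", "192.168.20.9", "203.0.113.10"):
        print(dst, compare(dst))
```

For the two VPN-side destinations the route-map variant keeps the source as 192.168.1.241, which is what a crypto ACL written for the inside networks would expect; the Internet host is still translated to 22.22.22.157 in both cases.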

Ryan Curry
Level 1

Hi sslack, I'm a little confused by the situation. Are you NATing across the VPN, or are you NATing on the outside interface coming in? It sounds like you're doing a site-to-site with a NAT in place? If it's a site-to-site, what does the crypto map look like?