
Port forwarding to an inside host over VPN

netrusoff

Hi there!

I have the following topology: 192.168.0.0/24 -----> ROUTER1 (outside_ip1) ----- vpn l2l ----> (outside_ip2) ROUTER2 -----> 192.168.100.0/24

Hosts from 192.168.0.0/24 can easily ping hosts from 192.168.100.0/24.

I need to make port forwarding for the following scenario: users will connect from the internet to ROUTER1 outside_ip1:443 and they should get to 192.168.100.3:443.

So I made a NAT rule like this: ip nat inside source static tcp 192.168.100.3 443 outside_ip1 443

show ip nat translations shows me that the translations are performed correctly, but still, users from the internet cannot get access to 192.168.100.3:443.

I tried to ping 192.168.100.3 from ROUTER1 using its inside interface as the source of ICMP and it succeeded, but when I try to ping 192.168.100.3 from ROUTER1 without specifying a source interface, the ping fails ((

Help me please, I can't figure out what is wrong.


Hello,

"I need to make port forwarding for the following scenario: users will connect from the internet to ROUTER1 outside_ip1:443 and they should get to 192.168.100.3:443"

Who needs to access 192.168.100.3:443: users from the Internet accessing your ROUTER1 first, or internal users from the 192.168.0.0 network?

Either way, if users from the public Internet need access to 192.168.100.3:443, they wouldn't need to go through ROUTER1, and you could configure the following on ROUTER2:

ip nat outside source static tcp outside_ip2 443 192.168.100.3 443

Yeah, I understand that it's a bit weird that users have to connect to R1 outside_ip1 to reach 192.168.100.3, but my boss insisted on doing it that way. This is because we need to hide the fact that the network behind ROUTER1 belongs to our company that is nested in 192.168.100.0/24.

How can I do that strange port forwarding, and why is your suggestion "ip nat outside source static tcp outside_ip2 443 192.168.100.3 443" not working on R1 with outside_ip1?

Hi,

How do you know that outside users can't reach 192.168.100.3:443? I mean, maybe they can reach it but the return traffic is dropped.

Which router is used to reach the internet by users in 192.168.100.0/24? R1 or R2?

I would check the routing tables to see if everything looks OK there.

Also, do you have ip nat inside on R1's VPN tunnel interface toward R2?

Can you upload the configs of both routers?

Best Regards
Please rate all helpful posts and close solved questions

Anyway, thank you for your reply!
