07-15-2013 05:03 PM - edited 03-21-2019 07:34 AM
Looking for some guidance.
I have an L2L between my UC520 and an ASA5505. Have a good connection between both sites with phones working across the VPN well.
My problem is that when I forward a port from the external WAN to our mail server, that port then becomes blocked on the VPN tunnel.
For example, the SSL NAT statement
ip nat inside source static tcp (internal host) 443 (outside interface) 443 extendable
access-list 104 permit tcp any host (outside interface) eq 443 log
allows port 443 to be open to the outside, but port 443 through the tunnel is inaccessible. Take those statements out and the outside can't access the port, but the VPN tunnel then has access. I have the L2L open from network to network (192.68.1.0 --> 192.168.2.0).
I need access on both, what am I missing?
Any help would be appreciated.
07-19-2013 06:54 AM
Hello Troy,
I believe you need to add a 'route-map' statement to the static NAT to exclude VPN traffic. Since you have an L2L VPN, you should also have VPN traffic excluded from your general NAT overload, if you use one. Your overload NAT statement may look like:
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
If you have a route-map there, you can use a static NAT with the same route-map, like:
ip nat inside source static tcp (internal host) 443 (external IP) 443 route-map SDM_RMAP_1 extendable
If you inspect the route-map carefully (show run | s route-map), you will see inside an access-list that excludes L2L VPN traffic from the NAT with deny statements and allows NAT for traffic with permit statements. So, we just used this route-map in the static NAT statement to disable the NAT rule for the VPN traffic and keep it just for External->LAN traffic.
If you will need any help with configuration, you can send me a show tech output, so I can give you specific configuration commands for your UC500.
Regards,
Ivan Bondar
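The following is an added, constructed configuration illustrating the answer above; it is not from the thread or from either poster. It assumes the UC520 LAN is 192.168.1.0/24, the remote LAN behind the ASA5505 is 192.168.2.0/24, the WAN interface is FastEthernet0/0 with address 203.0.113.5, the mail server is 192.168.1.10, and ACL 106 is the access-list matched by route-map SDM_RMAP_1 (all of these values are assumptions). The first static entry reproduces the original problem, the rest shows the corrected form.

```cisco
! --- Problem form (constructed example, not the poster's exact config) ---
! A plain static NAT translates every packet that leaves 192.168.1.10:443,
! including packets destined for 192.168.2.0/24 through the tunnel. The ASA
! then sees the translated WAN address instead of the LAN address it expects
! in the crypto ACL, so port 443 is unreachable across the L2L.
ip nat inside source static tcp 192.168.1.10 443 203.0.113.5 443 extendable
!
! --- Corrected form ---
! ACL 106: a deny entry means "do not translate", a permit entry means "translate".
! LAN-to-remote-LAN traffic is denied (left untranslated for the tunnel);
! everything else from the LAN is permitted (translated toward the Internet).
access-list 106 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 106 permit ip 192.168.1.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 106
!
! Overload NAT for general Internet access, restricted by the route-map
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
! Static port forward for the mail server, restricted by the same route-map,
! so it only applies to Internet<->LAN traffic and never to tunnel traffic
ip nat inside source static tcp 192.168.1.10 443 203.0.113.5 443 route-map SDM_RMAP_1 extendable
!
! The WAN ACL still has to admit inbound 443 from the Internet
access-list 104 permit tcp any host 203.0.113.5 eq 443 log
```

After applying this, `show run | s route-map` should show the deny-then-permit pattern in the matched ACL, and `show ip nat translations` should list translations only for Internet-facing flows, never for 192.168.1.0/24 to 192.168.2.0/24. Keeping the deny entry intact is what preserves the tunnel; adding the route-map to the static entry is what restores the port forward without affecting the VPN.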
07-23-2013 06:36 PM
Hello Troy,
No, you don't have to delete line 10 from ACL 106; if you do so you will break your L2L VPN connectivity. All you need to do is to use a static NAT statement together with this route-map:
ip nat inside source static tcp (internal host) 443 (external IP) 443 route-map SDM_RMAP_1 extendable
Regards,
Ivan Bondar