07-15-2013 05:03 PM - edited 03-21-2019 07:34 AM
Looking for some guidance.
I have an L2L between my UC520 and an ASA5505. I have a good connection between both sites, with phones working across the VPN well.
My problem is that when I forward a port from the external WAN to our mail server, that port then becomes blocked on the VPN tunnel.
For example, the SSL NAT statement:
ip nat inside source static tcp (internal host) 443 (outside interface) extendable
access-list 104 permit tcp any host (outside interface) eq 443 log
allows port 443 to be open to the outside, but port 443 through the tunnel is inaccessible. Take those statements out and the outside can't access the port, but the VPN tunnel then has access. I have the L2L open from network to network (192.68.1.0 --> 192.168.2.0).
I need access on both, what am I missing?
Any help would be appreciated.
07-19-2013 06:54 AM
Hello Troy,
I believe you need to add a 'route-map' statement to the static NAT to exclude VPN traffic. Since you have an L2L VPN, you should also have VPN traffic excluded from your general NAT overload, if you use one. Your overload NAT statement may look like:
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
If you have a route-map there, you can use a static NAT with the same route-map, like:
ip nat inside source static tcp (internal host) 443 (external IP) 443 route-map SDM_RMAP_1 extendable
If you inspect the route-map carefully (show run | s route-map), you will see inside an access-list that excludes L2L VPN traffic from the NAT with deny statements and allows NAT for traffic with permit statements. So, we just use this route-map in the static NAT statement to disable the NAT rule for the VPN traffic and keep it just for External->LAN traffic.
If you need any help with the configuration, you can send me a show tech output, so I can give you specific configuration commands for your UC500.
Regards,
Ivan Bondar
07-20-2013 10:51 AM
These article links might be helpful for you; please do ask if you need more help regarding this.
http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=110
http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=109
Thanks
07-22-2013 06:53 AM
Thanks for the replies,
I am still a bit confused by this. Here are the results of my show run | s route-map:
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
route-map SDM_RMAP_1 permit 1
match ip address 106
Results of show access-list 106:
Extended IP access list 106
10 deny ip 10.235.235.0 0.0.0.255 10.231.231.0 0.0.0.255 (999881 matches)
20 deny ip 10.1.10.0 0.0.0.3 10.231.231.0 0.0.0.255 (81 matches)
30 deny ip 10.1.1.0 0.0.0.255 10.231.231.0 0.0.0.255 (267172 matches)
40 permit ip 10.235.235.0 0.0.0.255 any (211734 matches)
My uc520 is on the 10.235 network and my asa5505 is the 10.231 network.
Quote: "If you inspect the route-map carefully (show run | s route-map), you will see inside an access-list that excludes L2L VPN traffic from the NAT with deny statements and allows NAT for traffic with permit statements. So, we just used this route-map in the static NAT statement to disable the NAT rule for the VPN traffic and keep it just for External->LAN traffic"
I don't want it for external only; I want to allow internal traffic on those ports also. Do I just remove the 10 deny statement?
Thanks, Troy
07-23-2013 06:36 PM
Hello Troy,
No, you don't have to delete line 10 from ACL 106; if you do so, you will break your L2L VPN connectivity. All you need to do is use a static NAT statement together with this route-map:
ip nat inside source static tcp (internal host) 443 (external IP) 443 route-map SDM_RMAP_1 extendable
Regards,
Ivan Bondar
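The complete picture from this thread, written out as an added example configuration (it is not Troy's actual running config and not a UC520 default). The mail server address 10.235.235.25 and the public address 203.0.113.10 on FastEthernet0/0 are assumptions; the subnets, ACL 106, the route-map name and the NAT statements are the ones shown in the posts above. The broken static NAT is kept as a commented-out line beside the corrected one.

```cisco
! Added example, not from the original thread. Assumed values: mail server
! 10.235.235.25, public address 203.0.113.10 on FastEthernet0/0. The subnets are
! the ones Troy posted: 10.235.235.0/24 behind the UC520, 10.231.231.0/24 behind
! the ASA5505.
!
! ACL 106 drives both the overload NAT and the port forward.
! deny   = leave the packet untranslated (tunnel traffic)
! permit = translate (Internet-bound traffic)
! It must cover every local subnet that is in the crypto ACL; a local subnet
! missing here is translated, no longer matches the crypto ACL, and leaves the
! WAN in clear text instead of through the tunnel.
access-list 106 deny   ip 10.235.235.0 0.0.0.255 10.231.231.0 0.0.0.255
access-list 106 deny   ip 10.1.10.0 0.0.0.3 10.231.231.0 0.0.0.255
access-list 106 deny   ip 10.1.1.0 0.0.0.255 10.231.231.0 0.0.0.255
access-list 106 permit ip 10.235.235.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 106
!
! The overload NAT already honours the route-map, so LAN-to-VPN traffic is untouched.
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
! BROKEN (Troy's first attempt): a static NAT with no route-map is evaluated for
! the server's port 443 traffic regardless of destination. On the inside-to-outside
! path IOS performs NAT before the crypto map check, so a reply from
! 10.235.235.25:443 to a 10.231.231.x client is rewritten to 203.0.113.10:443,
! fails the crypto ACL, and is sent unencrypted out the WAN. The remote client
! never gets an answer and port 443 looks "blocked" across the tunnel.
! ip nat inside source static tcp 10.235.235.25 443 203.0.113.10 443 extendable
!
! FIXED: the same route-map limits the translation to Internet-bound traffic.
! Traffic to 10.231.231.0/24 hits a deny in ACL 106, keeps its real source
! address, matches the crypto ACL and is encrypted as before.
ip nat inside source static tcp 10.235.235.25 443 203.0.113.10 443 route-map SDM_RMAP_1 extendable
!
! Inbound filter line from the original post. Only TCP/443 to the public address
! is opened to the Internet. The rest of ACL 104 (not shown in the thread) must
! still permit the IPsec traffic from the ASA peer (UDP 500, UDP 4500 if NAT-T
! is in use, and ESP), otherwise applying it breaks the tunnel.
access-list 104 permit tcp any host 203.0.113.10 eq 443 log
!
! Verification from exec mode after the change:
!   show ip nat translations | include 443     no entries for 10.231.231.x peers
!   show access-lists 106                      deny-line hit counts rise during tunnel tests
!   show crypto ipsec sa                       encaps/decaps counters rise for the 443 test
```

The point of the route-map on the static entry is that the decision "translate or not" is made per destination, so a single static NAT can serve the Internet side while the same inside host stays reachable over the tunnel by its private address; removing the deny line from ACL 106, as Troy asked about, would instead translate all traffic toward 10.231.231.0/24 and break the VPN for every host, not just the mail server.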
08-14-2013 03:56 PM
Thanks, Ivan
Once I got my head out of my ****** I figured out what you said.
Adding "route-map SDM_RMAP_1 extendable" to the end of my statics did the trick.
Thanks again
Troy