Port forward and vpn problem

trasmussen1
Level 1

Looking for some guidance.

I have an L2L between my UC520 and an ASA5505. I have a good connection between both sites, with phones working across the VPN well.

My problem is that when I forward a port from the external WAN to our mail server, that port then becomes blocked on the VPN tunnel.

For example, the SSL NAT statements

ip nat inside source static tcp (internal host) 443 (outside interface) extendable

access-list 104 permit tcp any host (outside interface) eq 443 log

allow port 443 to be open to the outside, but port 443 through the tunnel is inaccessible. Take those statements out and the outside can't access the port, but the VPN tunnel then has access. I have the L2L open from network to network (192.68.1.0 --> 192.168.2.0).

I need access on both. What am I missing?

Any help would be appreciated.


5 Replies

ibondar
Level 1

Hello Troy,

I believe you need to add a 'route-map' statement to the static NAT to exclude VPN traffic. Since you have an L2L VPN, you should also have VPN traffic excluded from your general NAT overload, if you use one. Your overload NAT statement may look like:

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload

If you have a route-map there, you can use a static NAT with the same route-map, like:

ip nat inside source static tcp (internal host) 443 (external IP) 443 route-map SDM_RMAP_1 extendable

If you inspect the route-map carefully (show run | s route-map), you will see inside an access-list that excludes L2L VPN traffic from the NAT with deny statements and allows NAT for traffic with permit statements. So, we just used this route-map in the static NAT statement to disable the NAT rule for the VPN traffic and keep it just for External->LAN traffic.

If you need any help with the configuration, you can send me a show tech output, so I can give you specific configuration commands for your UC500.

Regards,

Ivan Bondar

Thanks for the replies,

I am still a bit confused by this. Here are the results of my show run | s route-map:

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload

route-map SDM_RMAP_1 permit 1

match ip address 106

Results of show access-list 106:

Extended IP access list 106

    10 deny ip 10.235.235.0 0.0.0.255 10.231.231.0 0.0.0.255 (999881 matches)

    20 deny ip 10.1.10.0 0.0.0.3 10.231.231.0 0.0.0.255 (81 matches)

    30 deny ip 10.1.1.0 0.0.0.255 10.231.231.0 0.0.0.255 (267172 matches)

    40 permit ip 10.235.235.0 0.0.0.255 any (211734 matches)

My uc520 is on the 10.235 network and my asa5505 is the 10.231 network.

Quote: "If you inspect the route-map carefully (show run | s route-map), you will see inside an access-list that excludes L2L VPN traffic from the NAT with deny statements and allows NAT for traffic with permit statements. So, we just used this route-map in the static NAT statement to disable the NAT rule for the VPN traffic and keep it just for External->LAN traffic"

I don't want it for external only; I want to allow internal traffic on those ports also. Do I just remove the 10 deny statement?

Thanks, Troy

Hello Troy,

No, you don't have to delete line 10 from ACL 106; if you do so you will break your L2L VPN connectivity. All you need to do is use a static NAT statement together with this route-map:

ip nat inside source static tcp (internal host) 443 (external IP) 443 route-map SDM_RMAP_1 extendable

Regards,

Ivan Bondar
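Putting Ivan's explanation together with the ACL 106 and route-map Troy posted, the resulting UC520 NAT configuration reads as below. This is an added example assembled from the thread, not Troy's running config and not taken from Cisco documentation. The mail server address (10.235.235.10), the public address (203.0.113.10) and the outside interface (FastEthernet0/0) are assumed values for illustration; the LAN subnets are the ones Troy posted.

```cisco
! Added example built from the thread; assumed addresses:
!   10.235.235.10  = internal mail server (hypothetical)
!   203.0.113.10   = static public IP on FastEthernet0/0 (hypothetical)
!   10.235.235.0/24 = UC520 LAN, 10.231.231.0/24 = ASA5505 LAN (from the thread)
!
! 1. NAT-exemption ACL. The deny lines keep L2L traffic out of the route-map;
!    the final permit covers everything else bound for the Internet.
!    Line 10 must stay: remove it and the VPN traffic gets translated, after
!    which the crypto ACL no longer matches it and the tunnel breaks.
access-list 106 deny   ip 10.235.235.0 0.0.0.255 10.231.231.0 0.0.0.255
access-list 106 deny   ip 10.1.10.0 0.0.0.3 10.231.231.0 0.0.0.255
access-list 106 deny   ip 10.1.1.0 0.0.0.255 10.231.231.0 0.0.0.255
access-list 106 permit ip 10.235.235.0 0.0.0.255 any
!
! 2. Route-map that references the ACL. A packet hitting a deny line in
!    ACL 106 does not match this permit clause, falls off the end of the
!    route-map, and is left untranslated.
route-map SDM_RMAP_1 permit 1
 match ip address 106
!
! 3. Dynamic PAT for general Internet access, gated by the route-map.
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
! 4. The port forward, gated by the SAME route-map.
!    Before (breaks 443 across the tunnel): the static entry is unconditional,
!    so the mail server's reply to a 10.231.231.x client is rewritten to
!    203.0.113.10:443 on its way out, no longer matches the crypto ACL, and
!    never enters the tunnel. That is the "blocked on the VPN" symptom.
!   ip nat inside source static tcp 10.235.235.10 443 203.0.113.10 443 extendable
!    After: tunnel-bound replies hit deny line 10 and bypass the translation,
!    Internet clients still reach 203.0.113.10:443.
ip nat inside source static tcp 10.235.235.10 443 203.0.113.10 443 route-map SDM_RMAP_1 extendable
!
! 5. The inbound permit on the outside interface is still needed; the NAT
!    entry alone does not open the port through the interface ACL.
access-list 104 permit tcp any host 203.0.113.10 eq 443 log
```

Two checks after applying it: open a connection to the mail server from a host on the ASA side and confirm that show ip nat translations | include 443 shows no entry for it while the match counter on line 10 of show access-list 106 increments; then repeat from the Internet and confirm the translation does appear. If an old translation for the server is still cached from the unconditional static, clear ip nat translation * before testing. One caveat: the route-map keyword belongs to the form of the static that names an explicit global address, so if the UC520's WAN address is assigned dynamically, confirm with the CLI context help that the IOS release on the box accepts it in that form.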

Thanks, Ivan

Once I got my head out of my ****** I figured out what you said.

Adding "route-map SDM_RMAP_1 extendable" to the end of my statics did the trick.

Thanks again

Troy
