VPN and port forwarding issue

genseb13011
Level 1

Hi,

I've configured a VPN (IPSec) between 2 sites on Cisco 881-K9.

The server "A", which has the address 192.168.0.X, must be reachable on ports 80, 8080 and 90 from the public network.

I've configured port forwarding with the commands:

ip nat inside source static tcp 192.168.0.X 90 interface fastethernet 4 90
ip nat inside source static tcp 192.168.0.X 80 interface fastethernet 4 80
ip nat inside source static tcp 192.168.0.X 8080 interface fastethernet 4 8080

The server is reachable from outside, from the site in which it is located.

But there is an issue with the second site:

  • I can ping the server with its local address 192.168.0.X
  • But when I try to open a web page, which uses port 80, 8080 or 90, the server seems unreachable

It seems that the issue is due to the port forwarding, because when I delete the port forwarding configuration there is no more issue on the second site.

Thanks for your help

1 Accepted Solution


Hi,

You need conditional NAT.
When you want port forwarding to work just for some traffic, for example when accessing the server from the Internet
but not for traffic coming through the VPN, you can add a route-map to the end.

So,
ip nat inside source static tcp 192.168.0.X xx PUBLIC_IP xx route-map VPN

The route-map tells when this NAT is going to happen.
It's going to happen always, except when traffic is coming from the VPN.

Now... the problem is that you can only add a route-map when you have a port forwarding rule to an IP (not an interface).

Anyway, give it a try and let us know.

Federico.


7 Replies


Thanks a lot for your answer!

It works perfectly!

Hi, I am having the same problem as mentioned here, so I have tried to do the fix that is described, but I cannot get the route-map command to work.

Could someone please put up an example of how this should work?

I have tried the following:

ip nat inside source static tcp 192.168.56.1 443 x.x.x.x 443 route-map VPN
!
access-list 107 deny ip 192.168.20.0 0.0.0.255 any
access-list 107 permit ip any any
!
route-map VPN permit 10
 match ip address 107
 set interface Dialer0

But the outcome is that then the port forwarding does not work from the outside or when going through the VPN.
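A complete worked configuration of the conditional static NAT that the accepted answer describes, added here as an example and not taken from any post in this thread. It assumes the server is 192.168.0.10 (standing in for 192.168.0.X), the local LAN is 192.168.0.0/24, the remote VPN site uses 192.168.1.0/24, and the router's public address is 203.0.113.5; all of these are placeholder values.

```cisco
! Added example, not from the thread. Placeholder addresses:
!   server 192.168.0.10, remote VPN LAN 192.168.1.0/24, public IP 203.0.113.5
!
! The route-map ACL is evaluated on the inside-to-outside direction,
! i.e. the server's packets back towards the remote site. So the deny
! entry names the server as source and the remote VPN LAN as destination;
! a "deny" here means "do not translate", it does not drop the packet.
access-list 110 deny   ip host 192.168.0.10 192.168.1.0 0.0.0.255
access-list 110 permit ip host 192.168.0.10 any
!
route-map NO-NAT-VPN permit 10
 match ip address 110
!
! Port forwarding to the public IP (not "interface ..."): the route-map
! option is only accepted on a static rule that names an IP address.
ip nat inside source static tcp 192.168.0.10 80   203.0.113.5 80   route-map NO-NAT-VPN
ip nat inside source static tcp 192.168.0.10 8080 203.0.113.5 8080 route-map NO-NAT-VPN
ip nat inside source static tcp 192.168.0.10 90   203.0.113.5 90   route-map NO-NAT-VPN
!
! Check after a client at the remote site opens the page and an Internet
! client connects to the public IP:
!   show ip nat translations
! Only the Internet client's flows should appear translated; the flow
! between 192.168.0.10 and 192.168.1.x should not have been rewritten.
```

The ACL matches the inside host as source, which differs from the attempt above that denied the remote subnet as source; that is the usual reason the route-map never matches and port forwarding stops working in both directions.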

Hello Sebastien,

Hope you are doing fine!

Well, please mark the query answered and rate the same, if you got the information you were looking for.

Thanks

Ankur Thukral

Community Manager - Security & VPN

athukral@cisco.com

I have successfully established a VPN on my computer but was unable to port forward and establish a connection from outside. Can you explain the process again, please?

Hi Federico,

I have a similar problem and searching the Internet for an answer I found your post, which may provide an answer to my problem.

The scenario is, I have a router facing the ISP. This router terminates several IPSec VPNs (about 8) from other sites. At the same time, I need to configure port forwarding on this router to send AnyConnect VPN clients to authenticate with the VPN server, which is an ASA firewall behind the router. The problem is, AnyConnect uses IPSec as well and therefore the port forwarding command stops the IPSec tunnels to the other sites from forming, because both use port 500.

Your answer in this post suggests that I could selectively choose which addresses NOT to forward if I configure a route-map with an ACL, because I know the source addresses of the remote sites trying to form an IPSec tunnel with this router, but I do not know the IP addresses from which our employees try to connect to the VPN server.

Therefore, I wonder if this could work.

! ISAKMP (IKE) runs over UDP 500, so the static rule uses udp, not tcp,
! to match the isakmp entries in access-list 120 below.
ip nat inside source static udp 10.10.10.10 500 9.9.9.9 500 route-map VPN
!
access-list 120 deny udp host 1.1.1.1 eq isakmp host 9.9.9.9 eq isakmp
access-list 120 deny udp host 2.2.2.2 eq isakmp host 9.9.9.9 eq isakmp
access-list 120 deny udp host 3.3.3.3 eq isakmp host 9.9.9.9 eq isakmp
access-list 120 deny udp host 4.4.4.4 eq isakmp host 9.9.9.9 eq isakmp
access-list 120 permit ip any any
!
route-map VPN permit 10
 match ip address 120

10.10.10.10 = the address of the VPN server
9.9.9.9 = the external address of the router given to me by the ISP
1.1.1.1, 2.2.2.2 and so on are the source addresses of the remote sites trying to form an IPSec tunnel with this router.

 

With this configuration I am hoping port forwarding will only work for users trying to reach the VPN server for authentication, while at the same time the negotiation to form an IPSec tunnel from the remote sites with this router will still go ahead and complete.

 

What do you or anyone think?

 

I have a discussion open for this issue in case you prefer to answer there:

https://community.cisco.com/t5/vpn-and-anyconnect/port-forwarding-for-anyconnect-having-an-impact-on-ipsec/m-p/3703898#M146434

 

vin vinjun
Level 1

Hi Federico Coto,

I also have the problem you mentioned, that I could add a route-map to have a port forwarding rule with the VPN.

ip nat inside source static tcp 192.168.1.2 8000 <IP public> 8000 route-map Bypass-NAT

Is there any solution, because I only have a dynamic public IP to do that?

Thanks in advance!