Can I port forward across a VPN

sean6605
Level 1

I currently have a Cisco 1905 as my hub router, running v15.1(4)M4. (192.168.1.0/24)

This router has a static public IP address on interface GI0/0 and the internal address is on GI0/1, and we use NAT for Internet access.

I have an ASA5505 (v8(4)) at the branch office (192.168.12.0/24) connecting to the router using EZVPN and the VPN is setup and working as it should.

I can access the branch office from the hub and vice versa.

I have a security camera in the branch office that I can access across the VPN without issue.

The problem occurs when I try to access the camera from the internet using port forwarding.

We have several cameras in the hub office that we access using port forwarding via the following command:

ip nat inside source static tcp 192.168.1.40 80 <public ip address> 40001 route-map SDM_RMAP_1 extendable

This works 100%

I have tried to access the camera in the branch office using the command

ip nat inside source static tcp 192.168.12.40 80 <public ip address> 41001 route-map SDM_RMAP_1 extendable

but I cannot get through.

I can see the NAT translation in the branch office for the 41001 port but I cannot get through.

Is this possible? Can I port forward down a VPN tunnel?

The issue is that the branch office is in an office suite and we rent the space. We are not supplied a public IP address and I have no control over the router providing an address to the ASA5505.

Any help would be appreciated, thank you.


4 Replies

You are probably running into more than one problem here (I assume that you are using an old way to configure EzVPN):

  1. For using the NAT the way you configured it, the gig0/0 needs to be "ip nat inside" and "ip nat outside" at the same time, which is not possible.
  2. If you solve the NAT, you need to include "any" into your encryption domain as the hub-router needs to encrypt traffic from any internet-source to the branch-camera. This is done automatically if you don't use split-tunneling.

For the hub, you should migrate EzVPN to use virtual-templates instead of a crypto map. There the virtual-template will be used to create a "vpn-interface" where you can apply the "ip nat inside".


Thank you for the reply Karsten.

I guess I am using an older way to configure the EzVPN. I have attached the config from the hub router and the branch ASA. You are correct, I am using crypto maps. I used what I have in the past and didn't know about virtual templates.

I will have to read the link you provided so that I can try to figure out how the virtual templates work. That will take a little time unless some suggestions can be made with the included configurations.

Do you think that using virtual templates will do the job?


I would prefer split tunneling so that all traffic from the branch does not have to go down the tunnel.

Thanks for any help this one has me stuck.

If you have crypto-maps running and you prefer split-tunneling, then I would suggest a completely different way to solve that:

You can install a little linux-box (or Win2012R2 will also do the job) in the main-office (best would be an own DMZ for that) and configure that as a reverse-proxy. This system takes the requests and forwards them to the cameras.
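As an added illustration of the reverse-proxy approach (this is not configuration from the thread, from Cisco, or from the nginx project), here is what the Linux box in the hub DMZ could run. Assumed values: the proxy host sits at 192.168.2.10 in a DMZ subnet 192.168.2.0/24; the camera addresses and ports 40001/41001 are the ones quoted in the thread.

```nginx
# Added example: nginx on a Linux host in the hub-office DMZ (assumed 192.168.2.10).
# The 1905 only needs a normal static NAT to this DMZ host, e.g. (same shape as the
# working hub-camera entry in the thread):
#   ip nat inside source static tcp 192.168.2.10 41001 <public ip address> 41001 route-map SDM_RMAP_1 extendable
# gi0/1 stays "ip nat inside", gi0/0 stays "ip nat outside", so the inside/outside
# conflict on gi0/0 described earlier in the thread never arises. The tunnel only ever
# carries DMZ-to-branch traffic, so the branch encryption domain needs 192.168.2.0/24
# (the assumed DMZ subnet), not "any".

events {}

http {
    # Branch camera, reached through the EzVPN tunnel. Address from the thread.
    upstream branch_camera { server 192.168.12.40:80; }
    # Hub camera, reached on the hub LAN. Address from the thread.
    upstream hub_camera    { server 192.168.1.40:80; }

    # Branch camera published on the same port the poster tried to forward (41001).
    server {
        listen 192.168.2.10:41001;

        # Restrict who may reach the camera UI from the outside; the ranges are
        # placeholders to replace with the real management sources.
        allow 203.0.113.0/24;
        deny  all;

        # Forward client details so the camera's web UI builds correct links/logs.
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_connect_timeout 5s;          # fail fast if the tunnel is down

        location / {
            proxy_pass http://branch_camera;
        }
    }

    # Optional: the hub camera can be published the same way, which removes the need
    # for a per-camera static NAT on the router. Port 40001 from the thread.
    server {
        listen 192.168.2.10:40001;
        allow 203.0.113.0/24;
        deny  all;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        location / {
            proxy_pass http://hub_camera;
        }
    }
}
```

With this layout the branch ASA sees every camera request as coming from the DMZ host, so its split-tunnel list only has to include the DMZ subnet, and the camera itself is never exposed directly to the internet.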

Yes, I am running crypto maps. The proxy was something I never thought about; I will check into that. I have been reading about the dVTI, and thank you for that link, that seems to be a nice feature.
