05-22-2015 01:20 PM
I currently have a Cisco 1905 as my hub router, running v15.1(4)M4. (192.168.1.0/24)
This router has a static public IP address on interface GI0/0 and the internal address is on GI0/1, and we use NAT for Internet access.
I have an ASA5505 (v8(4)) at the branch office (192.168.12.0/24) connecting to the router using EZVPN, and the VPN is set up and working as it should.
I can access the branch office from the hub and vice versa.
I have a security camera in the branch office that I can access across the VPN without issue.
The problem occurs when I try to access the camera from the Internet using port forwarding.
We have several cameras in the hub office that we access using port forwarding via the following command:
ip nat inside source static tcp 192.168.1.40 80 <public ip address> 40001 route-map SDM_RMAP_1 extendable
This works 100%
I have tried to access the camera in the branch office using the command
ip nat inside source static tcp 192.168.12.40 80 <public ip address> 41001 route-map SDM_RMAP_1 extendable
but I cannot get through.
I can see the NAT translation in the branch office for the 41001 port but I cannot get through.
Is this possible? Can I port forward down a VPN tunnel?
The issue is that the branch office is in an office suite and we rent the space. We are not supplied a public IP address and I have no control over the router providing an address to the ASA5505.
Any help would be appreciated, thank you.
05-22-2015 02:05 PM
You are probably running into more than one problem here (I assume that you are using an old way to configure EzVPN):
For the hub, you should migrate EzVPN to use virtual-templates instead of a crypto map. There the virtual-template will be used to create a "vpn-interface" where you can apply the "ip nat inside".
05-22-2015 03:23 PM
Thank you for the reply Karsten.
I guess I am using an older way to configure the EzVPN. I have attached the config from the hub router and the branch ASA. You are correct, I am using crypto maps. I used what I have in the past and didn't know about virtual templates.
I will have to read the link you provided so that I can try to figure out how the virtual templates work. That will take a little time unless some suggestions can be made with the included configurations.
Do you think that using virtual templates will do the job?
I would prefer split tunneling so that all traffic from the branch does not have to go down the tunnel.
Thanks for any help, this one has me stuck.
05-22-2015 03:40 PM
If you have crypto-maps running and you prefer split-tunneling, then I would suggest a completely different way to solve that:
You can install a little linux-box (or Win2012R2 will also do the job) in the main-office (best would be its own DMZ for that) and configure that as a reverse-proxy. This system takes the requests and forwards them to the cameras.
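The reverse-proxy approach above works with split tunneling because the proxy sits on the hub LAN: its traffic to the camera is 192.168.1.x to 192.168.12.40, which is already the interesting traffic of the existing tunnel, and the hub router only has to port-forward to a local address, exactly like the working hub-camera rule in the question. The configuration below is an added example, not something posted in the thread; it assumes nginx on a Linux host at 192.168.1.50 (hypothetical), a listening port of 8443, placeholder certificate and htpasswd paths, and the camera address 192.168.12.40 from the question.

```nginx
# Added example (not from the thread): nginx on a small Linux box in the
# hub office, ideally on its own DMZ segment, acting as a reverse proxy
# for the branch camera. Assumed values: proxy host 192.168.1.50
# (hypothetical), listener 8443, certificate/htpasswd paths.
#
# Only the hub router's static NAT (public:41001 -> 192.168.1.50:8443,
# same pattern as the working camera rule in the question) exposes this
# listener; the camera itself is never reachable from the Internet.

upstream branch_camera {
    server 192.168.12.40:80;   # reached through the existing EzVPN tunnel
}

server {
    listen 8443 ssl;
    server_name cam-branch.example.com;   # placeholder hostname

    ssl_certificate     /etc/nginx/tls/cam-branch.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/cam-branch.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Authenticate at the proxy, in addition to whatever login the camera
    # itself enforces, so the camera's web UI is not exposed anonymously.
    auth_basic           "Branch camera";
    auth_basic_user_file /etc/nginx/htpasswd;   # created with htpasswd(1)

    # Optional: restrict to the source addresses that legitimately need
    # access (203.0.113.0/24 is a documentation prefix, used as a sample).
    # allow 203.0.113.0/24;
    # deny  all;

    location / {
        proxy_pass         http://branch_camera;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $remote_addr;
        proxy_read_timeout 300s;   # camera video streams are long-lived
    }
}

# A plain-HTTP listener that only redirects, so nothing is served unencrypted.
server {
    listen 8080;
    return 301 https://$host:8443$request_uri;
}
```

With this in place, the hub router entry follows the same form as the rule that already works, pointing at the proxy rather than the branch camera, for instance `ip nat inside source static tcp 192.168.1.50 8443 <public ip address> 41001 route-map SDM_RMAP_1 extendable` (the 192.168.1.50 address is the assumed proxy host). Because the proxy terminates TLS and checks credentials before anything reaches the tunnel, the camera's own HTTP interface stays confined to the two private networks, and the hub's logs show every external request against one host instead of per-camera NAT entries.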
05-22-2015 03:46 PM
Yes, I am running crypto maps. The proxy was something I never thought about; I will check into that. I have been reading about the dVTI, and thank you for that link, that seems to be a nice feature.