Cisco 837 VPN Client and Static

phiz.petry
Level 1

Hello,

I have an 837 router for Internet access and I have configured VPN access to the central office.

This configuration is working well.

Here is the configuration attached (the public IP address is not the real one).

The problem:

I must give access to an internal printer directly from the Internet.

I use this command:

ip nat inside source static 192.168.1.99 93.152.115.15

If I activate this command, I can print with no problem, but 5 min later the VPN connection shuts down.

If I disable the command:

no ip nat inside source static 192.168.1.99 93.152.115.15

The VPN is OK

Is it possible to have VPN and ip nat inside source static?

Thanks for your help

1 Reply

jackko
Level 7

"ip nat inside source static 192.168.1.99 93.152.115.15"

With this static statement, all traffic, including IPsec, will be NATted and forwarded to 192.168.1.99.

Instead of configuring static NAT, static PAT should be used.

E.g.

ip nat inside source static tcp 192.168.1.99 9100 93.152.115.15 9100

Port 9100 is the default port for most printers. Further, you may manipulate the port in order to achieve a slightly higher level of security.

E.g.

ip nat inside source static tcp 192.168.1.99 9100 93.152.115.15 9200

With this static PAT statement, a user on the Internet needs to configure the printer with port 9200. In other words, it may prevent a certain level of port scanning from intruders, since port 9200 is not a common port to be scanned.
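An added example, not part of either post: a small config audit that finds one-to-one `ip nat inside source static` entries and marks those whose global address is the router's own address on an interface carrying a crypto map, which is the conflict the reply describes. The sample configs are constructed; the interface name `Dialer0`, the map name `VPN` and the assumption that 93.152.115.15 is the router's outside address are not taken from the poster's attachment.

```python
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"
# One-to-one static NAT: two addresses and no protocol/port fields.
FULL_NAT = re.compile(rf"^ip nat inside source static {IP} {IP}\b")

def audit(config_text):
    """Return one finding per one-to-one static NAT entry in an IOS config."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    iface, addr_owner, crypto_ifaces = None, {}, set()
    for line in lines:
        if m := re.match(r"^interface (\S+)", line):
            iface = m.group(1)
        elif line and not line.startswith(" "):
            iface = None                      # left the interface block
        elif iface and (m := re.match(rf"^\s+ip address {IP} ", line)):
            addr_owner[m.group(1)] = iface
        elif iface and re.match(r"^\s+crypto map \S+", line):
            crypto_ifaces.add(iface)
    findings = []
    for line in lines:
        if m := FULL_NAT.match(line):
            local, glob = m.groups()
            owner = addr_owner.get(glob)
            findings.append({
                "entry": line, "local": local, "global": glob,
                "interface": owner,
                # True when the translated address is the VPN endpoint itself.
                "breaks_ipsec": owner in crypto_ifaces,
            })
    return findings

# Constructed sample configs; Dialer0 and the map name VPN are assumed.
BEFORE = """\
interface Dialer0
 ip address 93.152.115.15 255.255.255.252
 ip nat outside
 crypto map VPN
!
ip nat inside source static 192.168.1.99 93.152.115.15
"""
# Same config with the static PAT form from the reply.
AFTER = BEFORE.replace(
    "static 192.168.1.99 93.152.115.15",
    "static tcp 192.168.1.99 9100 93.152.115.15 9200")

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg))
```
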