Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1774
Views
0
Helpful
3
Replies

Exclude ip's to vpn port forwarding on Cisco877 to ASA5505

ciscogangster
Level 1
Level 1

‎02-14-2012 05:50 AM

I have the following setup:

ADSL ---> Cisco 877 with connected site-to-site VPN's ---> Cisco ASA 5505 with Remote VPN enabled

I want to connect my Android phone to the Cisco ASA 5505 with Remote VPN. When I forward port 500 and 4500 on the Cisco 877

to the Cisco ASA5505 I can connect with the phone.

But as expected, the site to site connections are lost because now they try to reach the ASA 5505 also.

I want to exclude the site to site external IP addresses from doing static NAT to the ASA 5505...how can I accomplish this ?

I can post my config if required...

Labels:
0 Helpful
3 Replies 3

vincent.monnier
Level 1
Level 1

‎02-14-2012 06:21 AM

Hi,

You can try to filter static nat translation via a route-map mechanism as describ below :

assuming :

X.X.X.X : Cisco 877 pub ip

Y.Y.Y.Y: outise ASA priv IP

Z.Z.Z.Z : Remote  S2S VPN Peer public IP

#Define an ACL block packet comming from the Remote  S2S VPN Peer public IP, allow the other traffic

ip access-list extended NO-STATIC-NAT-FOR-VPN-PEER

deny ip host Z.Z.Z.Z any

permit ip any any

#Define a route-map using this ACL

route-map NO-STATIC-NAT-FOR-VPN-PEER permit 0

match ip address NO-STATIC-NAT-FOR-VPN-PEER

#Redefine your NAT entry with the route-map the would filter the traffic comming from Remote  S2S VPN Peer public IP

ip nat inside source static udp Y.Y.Y.Y 500 X.X.X.X 500 route-map NO-STATIC-NAT-FOR-VPN-PEER extendable

ip nat inside source static udp Y.Y.Y.Y 4500 X.X.X.X 4500 route-map NO-STATIC-NAT-FOR-VPN-PEER extendable

Hope that help

Vincent

0 Helpful

ciscogangster
Level 1
Level 1
In response to vincent.monnier

‎02-14-2012 12:27 PM

Hi vincent, I tried your settings but then internet does not work anymore and the vpn's are lost....if I delete

the two static nat lines (500/4500) everything works again, what am I doing wrong / is missing in the config ?

config: (66.66.66.66 = external ip cisco 877 ------>  77.77.77.77 & 88.88.88.88 are the peers

crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to88.88.88.88
set peer 88.88.88.88
set security-association lifetime seconds 86400
set transform-set example
set pfs group2
match address 101
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to77.77.77.77
set peer 77.77.77.77
set security-association lifetime seconds 86400
set transform-set example
set pfs group2
match address 103
!
archive
log config
  hidekeys
!
!
!
!
!
interface ATM0
description --- internet ---
no ip address
load-interval 30
no atm ilmi-keepalive
pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
dsl operating-mode adsl2+
dsl bitswap both
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan1
ip address 192.168.200.12 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username inter@internet.com password 0 internet
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 2
no ip http secure-server
!
!
ip dns server
ip nat pool PASSIVEFTP 192.168.200.25 192.168.200.25 netmask 255.255.255.0 type rotary
ip nat inside source static tcp 192.168.200.22 25 interface Dialer0 25
ip nat inside source static tcp 192.168.200.22 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.200.25 21 interface Dialer0 21
ip nat inside source static tcp 192.168.200.25 1221 interface Dialer0 1221
ip nat inside source static tcp 192.168.200.25 20 interface Dialer0 20
ip nat inside source static tcp 192.168.200.35 443 interface Dialer0 443
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static udp 192.168.200.14 500 66.66.66.66 500 route-map NO-STATIC-NAT-FOR-VPN-PEER extendable
ip nat inside source static udp 192.168.200.14 4500 66.66.66.66 4500 route-map NO-STATIC-NAT-FOR-VPN-PEER extendable
ip nat inside destination list PASSIVEACL pool PASSIVEFTP
!
ip access-list extended NO-STATIC-NAT-FOR-VPN-PEER
deny   ip host 88.88.88.88 any
deny   ip host 77.77.77.77 any
permit ip any any
ip access-list extended PASSIVEACL
remark Standard FTP Data and Comms
permit tcp any any range ftp-data ftp
remark Extra Ports for Passive Use Only
permit tcp any any range 1221 1230
!
logging trap debugging
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 2 permit 192.168.200.0 0.0.0.255
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 100 permit tcp any gt 1023 host 66.66.66.66 eq 1221
access-list 100 permit tcp any gt 1023 host 66.66.66.66 eq ftp
access-list 100 permit tcp any gt 1023 host 66.66.66.66 eq ftp-data
access-list 100 permit tcp any host 66.66.66.66 range 1221 1230
access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 remark SDM_ACL Category=18
access-list 102 deny   ip 192.168.200.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 deny   ip 192.168.200.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 deny   ip 192.168.200.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.200.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.200.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 103 permit ip 192.168.200.0 0.0.0.255 192.168.6.0 0.0.0.255
no cdp run

!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
route-map NO-STATIC-NAT-FOR-VPN-PEER permit 0
match ip address NO-STATIC-NAT-FOR-VPN-PEER

0 Helpful

ciscogangster
Level 1
Level 1
In response to ciscogangster

‎02-16-2012 01:55 PM

Ok tried some stuff, to make it work I used access lists and now its working:

1. Port forward the vpn ports to the ASA:

ip nat inside source static udp 192.168.200.14 500 66.66.66.66 500 route-map static-nat reversible extendable

ip nat inside source static udp 192.168.200.14 4500 66.66.66.66 4500 route-map static-nat reversible extendable

2. Added the route-map:

route-map static-nat permit 10

match ip address 105

3. Created ACL's to block site to site vpn's natting to ASA:

access-list 105 deny   ip 192.168.200.0 0.0.0.255 host 77.77.77.77
access-list 105 deny   ip 192.168.200.0 0.0.0.255 host 88.88.88.88
access-list 105 permit ip 192.168.200.0 0.0.0.255 any

0 Helpful
Customers Also Viewed These Support Documents