02-14-2012 05:50 AM
I have the following setup:
ADSL ---> Cisco 877 with connected site-to-site VPNs ---> Cisco ASA 5505 with Remote VPN enabled
I want to connect my Android phone to the Cisco ASA 5505 with Remote VPN. When I forward ports 500 and 4500 on the Cisco 877
to the Cisco ASA 5505 I can connect with the phone.
But as expected, the site-to-site connections are lost because now they try to reach the ASA 5505 also.
I want to exclude the site-to-site external IP addresses from doing static NAT to the ASA 5505... how can I accomplish this?
I can post my config if required...
02-14-2012 06:21 AM
Hi,
You can try to filter the static NAT translation via a route-map mechanism as described below:
assuming:
X.X.X.X : Cisco 877 public IP
Y.Y.Y.Y : outside ASA private IP
Z.Z.Z.Z : Remote S2S VPN peer public IP
# Define an ACL that blocks packets coming from the Remote S2S VPN peer public IP and allows the other traffic
ip access-list extended NO-STATIC-NAT-FOR-VPN-PEER
deny ip host Z.Z.Z.Z any
permit ip any any
# Define a route-map using this ACL
route-map NO-STATIC-NAT-FOR-VPN-PEER permit 0
match ip address NO-STATIC-NAT-FOR-VPN-PEER
# Redefine your NAT entries with the route-map that would filter the traffic coming from the Remote S2S VPN peer public IP
ip nat inside source static udp Y.Y.Y.Y 500 X.X.X.X 500 route-map NO-STATIC-NAT-FOR-VPN-PEER extendable
ip nat inside source static udp Y.Y.Y.Y 4500 X.X.X.X 4500 route-map NO-STATIC-NAT-FOR-VPN-PEER extendable
Hope that helps
Vincent
02-14-2012 12:27 PM
Hi Vincent, I tried your settings but then the internet does not work anymore and the VPNs are lost... if I delete
the two static NAT lines (500/4500) everything works again. What am I doing wrong / what is missing in the config?
config: (66.66.66.66 = external IP of the Cisco 877; 77.77.77.77 & 88.88.88.88 are the peers)
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to88.88.88.88
set peer 88.88.88.88
set security-association lifetime seconds 86400
set transform-set example
set pfs group2
match address 101
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to77.77.77.77
set peer 77.77.77.77
set security-association lifetime seconds 86400
set transform-set example
set pfs group2
match address 103
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
description --- internet ---
no ip address
load-interval 30
no atm ilmi-keepalive
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode adsl2+
dsl bitswap both
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan1
ip address 192.168.200.12 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username inter@internet.com password 0 internet
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 2
no ip http secure-server
!
!
ip dns server
ip nat pool PASSIVEFTP 192.168.200.25 192.168.200.25 netmask 255.255.255.0 type rotary
ip nat inside source static tcp 192.168.200.22 25 interface Dialer0 25
ip nat inside source static tcp 192.168.200.22 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.200.25 21 interface Dialer0 21
ip nat inside source static tcp 192.168.200.25 1221 interface Dialer0 1221
ip nat inside source static tcp 192.168.200.25 20 interface Dialer0 20
ip nat inside source static tcp 192.168.200.35 443 interface Dialer0 443
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static udp 192.168.200.14 500 66.66.66.66 500 route-map NO-STATIC-NAT-FOR-VPN-PEER extendable
ip nat inside source static udp 192.168.200.14 4500 66.66.66.66 4500 route-map NO-STATIC-NAT-FOR-VPN-PEER extendable
ip nat inside destination list PASSIVEACL pool PASSIVEFTP
!
ip access-list extended NO-STATIC-NAT-FOR-VPN-PEER
deny ip host 88.88.88.88 any
deny ip host 77.77.77.77 any
permit ip any any
ip access-list extended PASSIVEACL
remark Standard FTP Data and Comms
permit tcp any any range ftp-data ftp
remark Extra Ports for Passive Use Only
permit tcp any any range 1221 1230
!
logging trap debugging
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 2 permit 192.168.200.0 0.0.0.255
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 100 permit tcp any gt 1023 host 66.66.66.66 eq 1221
access-list 100 permit tcp any gt 1023 host 66.66.66.66 eq ftp
access-list 100 permit tcp any gt 1023 host 66.66.66.66 eq ftp-data
access-list 100 permit tcp any host 66.66.66.66 range 1221 1230
access-list 101 permit ip 192.168.200.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 remark SDM_ACL Category=18
access-list 102 deny ip 192.168.200.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 deny ip 192.168.200.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 deny ip 192.168.200.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.200.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.200.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 103 permit ip 192.168.200.0 0.0.0.255 192.168.6.0 0.0.0.255
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
route-map NO-STATIC-NAT-FOR-VPN-PEER permit 0
match ip address NO-STATIC-NAT-FOR-VPN-PEER
02-16-2012 01:55 PM
OK, I tried some stuff; to make it work I used access lists and now it's working:
1. Port forward the VPN ports to the ASA:
ip nat inside source static udp 192.168.200.14 500 66.66.66.66 500 route-map static-nat reversible extendable
ip nat inside source static udp 192.168.200.14 4500 66.66.66.66 4500 route-map static-nat reversible extendable
2. Added the route-map:
route-map static-nat permit 10
match ip address 105
3. Created ACLs to block site-to-site VPNs natting to the ASA:
access-list 105 deny ip 192.168.200.0 0.0.0.255 host 77.77.77.77
access-list 105 deny ip 192.168.200.0 0.0.0.255 host 88.88.88.88
access-list 105 permit ip 192.168.200.0 0.0.0.255 any
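To make the difference between the two ACLs in this thread concrete, here is a small added Python evaluator (not Cisco code and not from either poster) that applies IOS-style wildcard matching and first-match ACL semantics to the flows the 877 sees. It assumes, as the working ACL 105 implies, that the route-map on a static NAT entry is evaluated on the inside-to-outside flow using the inside-local source address (192.168.200.14 for the ASA); the destination addresses used below are constructed test values.

```python
import ipaddress

# Added example: minimal model of "ip nat inside source static ... route-map",
# where the NAT entry applies only to flows the route-map's ACL permits.
# Assumption: the match is done inside->outside, source = inside-local address.
# Only 'ip' entries of the form <src> <dst> are modelled (no ports/protocols).

def _wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def parse_acl_entry(line):
    """Accepts numbered ('access-list 105 deny ip ...') and named ('deny ip ...') lines."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]          # drop 'access-list <number>'
    action, rest = tokens[0], tokens[2:]   # tokens[1] is the protocol ('ip')

    def take(ts):                    # one address spec: any | host X | net wildcard
        if ts[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), ts[1:]
        if ts[0] == "host":
            return (ts[1], "0.0.0.0"), ts[2:]
        return (ts[0], ts[1]), ts[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    return {"action": action, "src": src, "dst": dst}

def acl_permits(acl_lines, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for entry in (parse_acl_entry(l) for l in acl_lines):
        if _wildcard_match(src, *entry["src"]) and _wildcard_match(dst, *entry["dst"]):
            return entry["action"] == "permit"
    return False

def static_nat_applies(acl_lines, inside_local_src, dst):
    """route-map X permit / match ip address ACL: translate only what the ACL permits."""
    return acl_permits(acl_lines, inside_local_src, dst)

# The thread's final working ACL 105 (peers as *destination*)
ACL_105 = [
    "access-list 105 deny ip 192.168.200.0 0.0.0.255 host 77.77.77.77",
    "access-list 105 deny ip 192.168.200.0 0.0.0.255 host 88.88.88.88",
    "access-list 105 permit ip 192.168.200.0 0.0.0.255 any",
]
# The earlier named ACL (peers as *source*)
ACL_NAMED = ["deny ip host 88.88.88.88 any", "deny ip host 77.77.77.77 any", "permit ip any any"]

ASA_INSIDE = "192.168.200.14"   # inside-local address of the ASA outside interface
```

Under this model ACL 105 exempts ASA-to-peer flows from the UDP 500/4500 static NAT while still translating the ASA's other traffic, whereas an ACL that only denies the peer as source never matches an inside-to-outside flow and so exempts nothing.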