461 Views, 0 Helpful, 2 Replies

IP NAT from router to SSL-VPN appliance

sendalot7 (Level 1)

Has anyone used Cisco 891-K9 to forward 443/SSL to a SSL VPN appliance?

(I've never encountered this situation before because either the public facing router terminated VPN directly or we had multiple public IPs to assign the VPN appliance directly a public IP).

With "ip nat inside source static tcp 44.55.66.255 443 10.10.10.150 443 extendable" it's supposed to forward the SSL request to the SSL VPN appliance at 10.10.10.150 to have VPN requests be terminated there.

But failed miserably because 891-K9 created a virtual ARP entry for 10.10.10.150. So two MACs with same IP.

So 443 requests were being sent to its interface. Upon the NAT statement, I can't ssh into the SSL-VPN appliance, but the moment the statement is gone, I can ssh and ARP duplicate warning goes away.

*Nov 1 19:22:46.871: %IP-4-DUPADDR: Duplicate address 10.10.10.150 on Vlan10, sourced by aaaa.bbbb.cccc
*Nov 1 19:23:18.083: %IP-4-DUPADDR: Duplicate address 10.10.10.150 on Vlan10, sourced by aaaa.bbbb.cccc
*Nov 1 19:23:48.295: %IP-4-DUPADDR: Duplicate address 10.10.10.150 on Vlan10, sourced by aaaa.bbbb.cccc
rtr#sh clock
*19:24:26.487 UTC Sun Nov 1 2015
rtr#sh ip arp 10.10.10.150
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.150 - e02f.6d96.8dd0 ARPA Vlan10
rtr#sh ip arp 10.10.10.150
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.150 - e02f.6d96.8dd0 ARPA Vlan10
rtr#sh sh ip route 10.10.10.150

Cisco TAC is trying to reproduce this problem at the moment to report to dev.

Has anyone else had this problem or a workaround?


Thanks.

1 Accepted Solution

Jon Marshall (Hall of Fame)

I may be misunderstanding but isn't your NAT statement the wrong way round, i.e. if you want traffic to be forwarded to 10.10.10.150 shouldn't it be -

"ip nat inside source static tcp 10.10.10.150 43 44.55.66.25x 43"

isn't the SSL device on the "ip nat inside" interface ?

Jon

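As an added example (not from the thread, Cisco, or either poster), a small Python linter that catches the swap Jon points out: it reads the subnets of the interfaces configured with "ip nat inside" and every "ip nat inside source static" line, then flags any line whose inside-global address falls inside a LAN subnet, which is what made the 891 claim 10.10.10.150 for itself and log %IP-4-DUPADDR. The config and the public address 44.55.66.254 are constructed stand-ins (the thread's public address is obfuscated).

```python
import ipaddress

# Constructed sample config (not the thread's verbatim): Vlan10 is the LAN holding the
# SSL-VPN appliance 10.10.10.150; line one orders the arguments as the original post
# did, line two as Jon described (inside-local first, then inside-global).
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
ip nat inside source static tcp 44.55.66.254 443 10.10.10.150 443 extendable
ip nat inside source static tcp 10.10.10.150 443 44.55.66.254 443 extendable
"""

def inside_networks(config):
    """Subnets of every interface that carries 'ip nat inside'."""
    nets, net, inside = [], None, False
    for line in config.splitlines() + ["interface END"]:  # sentinel flushes last block
        if line.startswith("interface"):
            if net and inside:
                nets.append(net)
            net, inside = None, False
        elif line.strip().startswith("ip address "):
            ip, mask = line.split()[2:4]
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif line.strip() == "ip nat inside":
            inside = True
    return nets

def parse_static_nat(line):
    """(inside_local, inside_global) of 'ip nat inside source static [tcp|udp] L [lp] G [gp]'."""
    tok = line.split()
    if tok[:5] != ["ip", "nat", "inside", "source", "static"] or len(tok) < 7:
        return None
    addrs = tok[6::2] if tok[5] in ("tcp", "udp") else tok[5:7]  # skip proto and ports
    if len(addrs) < 2:
        return None
    return ipaddress.ip_address(addrs[0]), ipaddress.ip_address(addrs[1])

def lint_static_nat(config):
    """Flag lines whose inside-global address lies in a NAT-inside subnet: the router
    answers ARP for it, so swapped arguments reproduce the thread's %IP-4-DUPADDR."""
    nets, findings = inside_networks(config), []
    for line in config.splitlines():
        parsed = parse_static_nat(line.strip())
        if parsed is None:
            continue
        local, glob = parsed
        if any(glob in n for n in nets):
            findings.append(f"reversed? inside-global {glob} is in a NAT-inside subnet: {line}")
        elif not any(local in n for n in nets):
            findings.append(f"inside-local {local} is not in any NAT-inside subnet: {line}")
    return findings
```

Running lint_static_nat(SAMPLE_CONFIG) reports only the first static line; the corrected one passes.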

2 Replies


Thank you for the reply.

Minutes before you posted, I realized the mistake.

Thanks again.