ip nat with site to site vpn

zeuscyril
Level 4

hi all,

I am using a Cisco 1941 SEC-K9 router with a leased line internet connection.

I am configuring port forwarding for my database and my email ports for web access.

I am also configuring a Cisco site-to-site VPN with an ASA 5505.

My site-to-site VPN is fine and I am able to reach both sides.

But the issue is that I am not able to communicate with the database and email ports through the site-to-site VPN.

But if I remove the port forwarding, I am able to communicate.

Before, I was using the same kind of setup in an 1841. To me it looks strange.

Are there any new changes in the 1941?

My NAT config:

ip nat inside source static tcp 192.168.0.4 4890 x.x.x.x 4890 extendable
ip nat inside source static tcp 192.168.0.4 4891 x.x.x.x 4891 extendable
ip nat inside source static tcp 192.168.0.4 5555 x.x.x.x 5555 extendable
ip nat inside source static tcp 192.168.0.2 25 y.y.y.y 25 extendable
ip nat inside source static tcp 192.168.0.2 110 y.y.y.y 110 extendable
ip nat inside source static tcp 192.168.0.2 143 y.y.y.y 143 extendable
ip nat inside source static tcp 192.168.0.2 443 y.y.y.y 443 extendable

And my site-to-site proxy ACL:

ip access-list extended IPSEC-HK
permit ip 192.168.0.0 0.0.0.255 10.8.9.0 0.0.0.255

access-list 101 deny   ip 192.168.0.0 0.0.0.255 10.8.9.0 0.0.0.255

Thanks,

Cyril

1 Reply

Jouni Forss
VIP Alumni

Hi,

As always, I'm gonna state that router VPN/NAT configurations ain't my "speciality".

To me it seems that this problem is somehow due to the NAT.

On the firewall side I'm used to the situation that NAT0 overrides many other NAT configurations. In this case it seems your problem is that the port forwarding configurations override your VPN's NAT configurations?

Wonder if you could add that public IP address to the L2L VPN tunnel (with destination network 10.8.9.0/24) and try the connections (mirror the config on the ASA 5505 side too, of course)? This way the hosts at the ASA 5505 end would contact the public IP address directly.

- Jouni
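An added illustration, not from either poster: a small Python model of the IOS inside-to-outside order of operations (static NAT is applied before the crypto map is evaluated), showing why a reply from 192.168.0.4:4890 towards 10.8.9.0/24 no longer matches the crypto ACL once the static `extendable` entry rewrites its source, and why the reply then leaves towards the remote LAN unencrypted. The "fix" it models is the standard IOS option of attaching a `route-map` that denies VPN-bound traffic to a static NAT entry; that is an assumption of this example, not something suggested in the thread, and the public addresses are constructed placeholders for x.x.x.x and y.y.y.y.

```python
"""Model of IOS inside-to-outside processing: NAT inside->outside runs before the crypto map."""
from dataclasses import dataclass
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")   # local LAN from the crypto ACL
VPN_NET = ipaddress.ip_network("10.8.9.0/24")        # remote LAN from the crypto ACL

# Static port forwards from the question; public IPs are constructed placeholders.
STATIC_NAT = {
    ("192.168.0.4", 4890): "203.0.113.10",   # x.x.x.x
    ("192.168.0.4", 4891): "203.0.113.10",
    ("192.168.0.4", 5555): "203.0.113.10",
    ("192.168.0.2", 25): "203.0.113.20",     # y.y.y.y
    ("192.168.0.2", 443): "203.0.113.20",
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int


def apply_static_nat(pkt: Packet, route_map_denies_vpn: bool) -> Packet:
    """Emulate 'ip nat inside source static tcp ... extendable'.

    With route_map_denies_vpn=True the entry is assumed to carry a route-map whose
    ACL denies destinations in VPN_NET, so translation is skipped for VPN-bound traffic.
    """
    if route_map_denies_vpn and ipaddress.ip_address(pkt.dst) in VPN_NET:
        return pkt
    new_src = STATIC_NAT.get((pkt.src, pkt.sport))
    return Packet(new_src, pkt.dst, pkt.sport) if new_src else pkt


def crypto_acl_matches(pkt: Packet) -> bool:
    """permit ip 192.168.0.0 0.0.0.255 10.8.9.0 0.0.0.255 (the IPSEC-HK ACL)."""
    return (ipaddress.ip_address(pkt.src) in LOCAL_NET
            and ipaddress.ip_address(pkt.dst) in VPN_NET)


def egress(pkt: Packet, route_map_denies_vpn: bool = False) -> tuple[str, bool]:
    """Return (source address on the wire, encrypted by the tunnel?) for an inside->outside packet."""
    natted = apply_static_nat(pkt, route_map_denies_vpn)   # NAT happens first...
    return natted.src, crypto_acl_matches(natted)          # ...then the crypto map is checked


if __name__ == "__main__":
    reply = Packet("192.168.0.4", "10.8.9.5", 4890)        # DB server answering a VPN peer
    print("static NAT only      :", egress(reply))
    print("static NAT + route-map:", egress(reply, route_map_denies_vpn=True))
```

Hosts without a static entry (for example 192.168.0.9) are unaffected, which matches the poster's observation that the tunnel works once the port forwards are removed.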