Nat Ports Inaccessible via site-to-site VPN

Justin Kroll
Level 1

We have an ISR 2900 series at HQ and several Cisco WRVS4400N VPN routers at small branch offices. The branch offices are connected to HQ via site-to-site IPsec. Everything seems to work fine, except users in the branch offices cannot access any services on HQ servers where the port has been NAT'd to the outside. For example, we run Remote Desktop Services over HTTPS; port 443 is NAT'd to the outside, but users in the branch offices cannot access this port. They receive a timeout error. I've tried searching, but all I can find is info on running IPsec through NAT. Thanks...


4 Replies

Michael Muenz
Level 5

Probably the access-list for NAT on the ISR doesn't exclude the network ranges of the offices?

Michael
Please rate all helpful posts

I believe the ACL is set properly. Normal connectivity works, it's just forwarded ports that do not.

HQ subnet is 10.0.0.0/24, one branch is 10.0.1.0/24

Here are the applicable lines of the config:

! Dynamic PAT for Internet-bound traffic, governed by route-map SDM_RMAP_3
ip nat inside source route-map SDM_RMAP_3 interface GigabitEthernet0/1 overload
! Static port forward for the RDS gateway; no route-map, so it applies to every flow
ip nat inside source static tcp 10.0.0.11 443 xxx.xxx.xxx.165 443 extendable
!
route-map SDM_RMAP_3 permit 1
 match ip address 110
 match interface GigabitEthernet0/1
!
! ACL 110: exempt HQ-to-branch (VPN) traffic from PAT, translate everything else
access-list 110 deny   ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.0.0 0.0.0.255 any

With this NAT-config, your router enforces that the internal server has to be accessed by the public IP. You can add a route-map to your static NAT entry to exempt the VPN-traffic from NAT. That could look like the following:

! Attach a route-map to the static entry so it is skipped for VPN flows
ip nat inside source static tcp 10.0.0.11 443 xxx.xxx.xxx.165 443 route-map SERVER-NAT extendable
!
! 10.0.0.0/8 to 10.0.0.0/8 covers HQ and all branch subnets; everything else still gets translated
ip access-list extended SERVER-NAT-ACL
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip any any
!
route-map SERVER-NAT permit 10
 match ip address SERVER-NAT-ACL

Perfect! I did not realize interface route-maps don't apply to static NAT. Thanks!

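The following is an added illustration, not code from this thread, from Cisco or from either poster. It models the one piece of IOS behaviour the accepted answer relies on: for a packet leaving inside-to-outside, a static inside-source translation is applied whether or not the dynamic rule's route-map exempts the flow, unless the static entry carries its own route-map. It replays the server's SYN-ACK toward a branch client (10.0.1.20, a constructed address) and toward an Internet client (198.51.100.7, constructed) under the original config and under the fix, using the thread's ACLs with Cisco wildcard-mask semantics. The public IP 203.0.113.165 is an assumed placeholder for the masked xxx.xxx.xxx.165, and the "static before dynamic, fall through when the route-map denies" ordering is a modelling assumption, not a reproduction of the IOS NAT pipeline.

```python
"""Model of why the branch clients time out: the static NAT entry rewrites the
server's reply source to the public IP before it goes down the tunnel.

Added example; addresses 10.0.1.20, 198.51.100.7 and 203.0.113.165 are
constructed / assumed placeholders, not from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PUBLIC_IP = "203.0.113.165"   # assumption: stands in for xxx.xxx.xxx.165
SERVER = "10.0.0.11"          # RDS gateway from the thread

AclEntry = Tuple[str, str, str, str, str]   # (action, src_net, src_wild, dst_net, dst_wild)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    wild_i = int(ipaddress.IPv4Address(wildcard))
    care = ~wild_i & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First-match extended ACL with the implicit deny at the end."""
    for action, snet, swild, dnet, dwild in acl:
        if wildcard_match(pkt.src, snet, swild) and wildcard_match(pkt.dst, dnet, dwild):
            return action == "permit"
    return False


@dataclass
class StaticNat:
    inside_local: str
    local_port: int
    inside_global: str
    global_port: int
    route_map_acl: Optional[List[AclEntry]] = None   # None: entry has no route-map


def translate_outbound(pkt: Packet, statics: List[StaticNat], dynamic_acl: List[AclEntry]) -> Packet:
    """Packet as it leaves the outside interface (modelling assumption: static
    entries are consulted first; one whose route-map denies the flow is skipped
    and the dynamic PAT rule is consulted instead)."""
    for e in statics:
        if pkt.src == e.inside_local and pkt.sport == e.local_port:
            if e.route_map_acl is None or acl_permits(e.route_map_acl, pkt):
                return Packet(e.inside_global, e.global_port, pkt.dst, pkt.dport)
            break   # static entry exists but is exempted for this flow
    if acl_permits(dynamic_acl, pkt):
        # Overload PAT; the router would pick a port, kept unchanged here for simplicity.
        return Packet(PUBLIC_IP, pkt.sport, pkt.dst, pkt.dport)
    return pkt


# ACL 110 from the question: HQ-to-branch traffic is exempt from PAT.
ACL_110: List[AclEntry] = [
    ("deny", "10.0.0.0", "0.0.0.255", "10.0.1.0", "0.0.0.255"),
    ("permit", "10.0.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]
# SERVER-NAT-ACL from the accepted answer: any 10/8 -> 10/8 flow bypasses the static entry.
SERVER_NAT_ACL: List[AclEntry] = [
    ("deny", "10.0.0.0", "0.255.255.255", "10.0.0.0", "0.255.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

ORIGINAL = [StaticNat(SERVER, 443, PUBLIC_IP, 443)]                  # no route-map
FIXED = [StaticNat(SERVER, 443, PUBLIC_IP, 443, SERVER_NAT_ACL)]     # route-map SERVER-NAT


def synack_source_seen_by(client_ip: str, statics: List[StaticNat]) -> str:
    """Source address the client sees on the server's SYN-ACK to its SYN on port 443."""
    reply = Packet(SERVER, 443, client_ip, 50000)
    return translate_outbound(reply, statics, ACL_110).src


def session_completes(client_ip: str, statics: List[StaticNat]) -> bool:
    """A branch client that sent its SYN to 10.0.0.11 only accepts a SYN-ACK from 10.0.0.11;
    a SYN-ACK from the public IP is an unknown connection and is dropped, so the client times out."""
    return synack_source_seen_by(client_ip, statics) == SERVER


if __name__ == "__main__":
    for label, statics in (("original", ORIGINAL), ("with route-map", FIXED)):
        print(f"{label:15s} branch client sees SYN-ACK from {synack_source_seen_by('10.0.1.20', statics)}, "
              f"Internet client sees {synack_source_seen_by('198.51.100.7', statics)}")
```

On a real ISR the same question is answered by `show ip nat translations` while a branch client retries: a translation for 10.0.0.11:443 toward a 10.0.1.x address means the static entry is still catching tunnel traffic.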