port forward/PAT to host behind remote VPN endpoint

Ok here is my situation

Site A: static IP, Cisco PIX 515 running PIX 8.04

Site B: dynamic IP, running either PIX 501 or 1721 router with security image

EZVPN connection from B to A

I want all internet traffic from site B to go out Site B's local internet link EXCEPT email, which I want routed through site A's internet connection. Site A has a single server for exchange, AD, dns, etc. I only want email traffic, not all traffic from the server at site B, to go out Site A's internet connection. Also, I want inbound email designated for Site B to go through Site A's extra static IP (I have the extra static, and I know what needs to be done MX wise).

Can this be done this way, or do I have to setup another IOS based device at Site A, and use a GRE tunnel?

Basically, also in general, if I want to accept a connection at Site A and forward it to Site B, does this require route maps or GRE? (i.e. if site B is hosting a web server, but wants to piggyback off Site A's static IP)

Marcin Latosiewicz
Cisco Employee


You mention one, which basically says all email traffic from remote end to anywhere should be routed via site A but:

Does the remote site have a server of its own? Or is this user traffic?

Is exchange acting as an MTA or any other server for that mail traffic?

Should incoming traffic be transported to exchange at site A or straight off to the internet by using the static IP?

I have my doubts you'd need to set up a PoC for this before implementing on a large scale.

For sure if you use ports on crypto access-list on PIX/ASA following will be seen:

WARNING: access-list has port selectors. This may impact performance.

I'm not totally sure what the effect on performance or overall stability will be.

If you don't mind I'll have one of the guys here test this in the lab tomorrow and get back to you.

Unless you found an answer already?


Cisco Employee


I configured a similar example using http 80, which can help you.


[Network diagram: FW1 (outside 10.0.01/24, inside) -- VPN -- FW2 (outside, inside); the attached diagram image is not included here]

VPN site to site between FW1 and FW2

Connected to FW2 is our HTTP server R2 (which is another router with http service enabled). Connections to FW1 on http 80 will be forwarded to R2 through the VPN site to site, to finally reach the http server R2. Please see the attached network diagram for a better understanding.

In addition you may also find attached the configs of each device in case you want to try it yourself.

Key commands:


NAT for http service on the extra public IP address; please notice it is not configured on any interface, it is not necessary.

# static (outside,outside) tcp www www netmask

Access lists, in order to allow traffic

# same-security-traffic permit intra-interface

# access-list OUTSIDE_IN extended permit tcp any host eq www

# access-group OUTSIDE_IN in interface outside

For VPN settings we need to match this kind of traffic, we can add a second line for our VPN access-list (the one used in the crypto-map)

# access-list VPN extended permit tcp any host eq www


NAT for http service being received on the outside interface with destination

# static (inside,outside) tcp www www netmask

Once again, for VPN settings we need to match this kind of traffic, we can add a second line for our VPN access-list (the one used in the crypto-map)

# access-list VPN extended permit tcp host eq www any
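A filled-in version of the above, added here as an illustration and not taken from the attached configs: all addresses, interface names, the ACL name VPN and the crypto map name MAP are placeholder assumptions chosen for this example.

```cisco
! ===== FW1 (site A, PIX/ASA 8.0) =====
! Constructed placeholder addressing for this example:
!   203.0.113.10 = extra public IP at site A (not bound to any interface)
!   192.168.2.10 = R2, the HTTP server on FW2's inside network
!   192.168.1.0/24 and 192.168.2.0/24 = the existing site-to-site LANs
!
! Hairpin: the flow enters and leaves the outside interface
same-security-traffic permit intra-interface
!
! Port forward: public IP/80 -> R2's private address/80, via the tunnel
static (outside,outside) tcp 203.0.113.10 www 192.168.2.10 www netmask 255.255.255.255
!
! Inbound ACL: admit only TCP/80 to the forwarded address, nothing wider
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-group OUTSIDE_IN in interface outside
!
! Crypto ACL: existing LAN-to-LAN line plus a second line for the
! forwarded flow; the tunnel sees the post-NAT destination (R2's address)
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPN extended permit tcp any host 192.168.2.10 eq www
crypto map MAP 10 match address VPN
! Expect the "access-list has port selectors" warning mentioned above
! when the crypto ACL carries a port.

! ===== FW2 (site B) =====
! Identity static so R2 keeps its real address across the tunnel
static (inside,outside) tcp 192.168.2.10 www 192.168.2.10 www netmask 255.255.255.255
!
! Mirror image of FW1's crypto ACL (source and destination swapped)
access-list VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN extended permit tcp host 192.168.2.10 eq www any
crypto map MAP 10 match address VPN

! Verification (run on FW1 after a test connection from the internet):
!   show xlate | include 203.0.113.10     -> the tcp PAT translation in use
!   show crypto ipsec sa                  -> encaps/decaps counters rising
!                                            for the any->192.168.2.10/80 SA
```

The two crypto ACLs must stay exact mirrors of each other, or the forwarded flow is sent in the clear or dropped instead of entering the tunnel.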

