02-06-2018 07:19 AM - edited 03-12-2019 05:00 AM
Here is my config for the IPsec connection.
tunnel-group XX.XX.XX.XX type ipsec-l2l
tunnel-group XX.XX.XX.XX general-attributes
default-group-policy IPSEC_IKEV1_Filters
tunnel-group XX.XX.XX.XX ipsec-attributes
ikev1 pre-shared-key *****
access-list 110 extended permit ip object NAT_10.10.10.10_32 object-group remote_hosts
crypto map ISP_2 152 match address 110
crypto map ISP_2 152 set peer XX.XX.XX.XX
crypto map ISP_2 152 set ikev1 transform-set ESP-AES256-SHA
crypto map ISP_2 152 set security-association lifetime seconds 3600
crypto map ISP_2 interface outside2
nat (inside,outside2) source dynamic MYLOCAL_NET NAT_10.10.10.10_32 destination static remote_hosts remote_hosts
Here everything works fine!!!
I'm wondering how I can apply a port forwarding rule on Cisco ASA 5515 9.8 that is only available for IPsec.
In other words, when remote_host sends requests to 10.10.10.10/32, I want these requests to be forwarded to some internal IP, for example 192.168.0.2/32.
02-06-2018 07:29 AM
Should be something like this:
nat (outside2,inside) 1 source static remote_hosts remote_hosts destination static NAT_10.10.10.10_32 NAT_192.168.0.2_32
It is basically a destination NAT; you just need to make sure it's above your existing NAT rule.
HTH
Bogdan
02-06-2018 07:37 AM
Hello Bogdan,
Thanks for the fast reply, but I think that it will not work because ASA uses the opposite direction related to NAT rules.
For example, you can NAT:
inside to outside
outside to outside
but outside to inside is not the relevant answer.
Could you tell me, is it used in production on your side?
02-06-2018 07:48 AM
Hi smstoyanov,
Not sure what you mean by "ASA uses the opposite direction related to NAT rules".
You can definitely NAT packets coming from the outside interface and going to the inside interface.
I have definitely used NAT config for that case, but I do not think I used it combined with VPN.
If you do not want to apply it in production, which is the sensible thing to do, you can quickly test the config in a GNS3 lab.
02-06-2018 11:59 PM
Thanks Bogdan,
It works perfectly.
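Putting the original config and the accepted answer together, as an added example that is not from any post in this thread: the object definitions for NAT_10.10.10.10_32 and NAT_192.168.0.2_32, the service object TCP_443 and the packet-tracer source address 172.16.50.10 (taken to be a member of remote_hosts) are assumptions, and the port-restricted variant at the end goes beyond what the thread shows. The security-relevant points are the rule order (the inbound rule must sit above the existing dynamic PAT rule, which only holds xlates for sessions the inside hosts opened themselves) and the argument order of the destination clause (mapped address first, real address second).

```cisco
! Assumed object definitions; the thread only references these names.
object network NAT_10.10.10.10_32
 host 10.10.10.10
object network NAT_192.168.0.2_32
 host 192.168.0.2
!
! Manual (twice) NAT is evaluated top-down in section 1, so the new
! inbound rule is pinned to line 1, above the existing dynamic PAT rule.
! "destination static <mapped> <real>": 10.10.10.10 is what the VPN peer
! sees, 192.168.0.2 is the real inside host the packet is un-NATed to.
nat (outside2,inside) 1 source static remote_hosts remote_hosts destination static NAT_10.10.10.10_32 NAT_192.168.0.2_32
nat (inside,outside2) source dynamic MYLOCAL_NET NAT_10.10.10.10_32 destination static remote_hosts remote_hosts
!
! The crypto ACL is unchanged: the peer still only ever sees 10.10.10.10,
! and decrypted traffic from remote_hosts to 10.10.10.10 already matches it.
access-list 110 extended permit ip object NAT_10.10.10.10_32 object-group remote_hosts
!
! Verification: confirm the rule order, then trace a packet as the peer
! would send it (172.16.50.10 is an assumed member of remote_hosts) and
! check that the NAT phase reports the un-NAT to 192.168.0.2.
show nat
packet-tracer input outside2 tcp 172.16.50.10 40000 10.10.10.10 443
show xlate
!
! Assumed variant, beyond the thread: the answer above forwards every
! protocol and port. To forward only TCP/443, add a service object and
! restrict the rule to it so the rest of 192.168.0.2 stays unreachable.
object service TCP_443
 service tcp destination eq 443
nat (outside2,inside) 1 source static remote_hosts remote_hosts destination static NAT_10.10.10.10_32 NAT_192.168.0.2_32 service TCP_443 TCP_443
```

Because a manual NAT rule is bidirectional, the line-1 rule also translates 192.168.0.2 to 10.10.10.10 when that host initiates traffic to remote_hosts, which is consistent with the crypto ACL. Apply either the all-ports rule or the TCP_443 variant, not both, and test in a lab first as suggested in the thread.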