I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has a IPSec tunnel configured back to our main office. I am fairly new to networking so forgive me if I ask some really silly questions!
I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch. These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel. What I wanted to do was create another vlan, give this a different subnet. Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall.
So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel and then configured static NAT statements for each of the four ports these boost boxes need to work. I configure the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside)
The configuration can be seen below for the NAT part;
! Denies vpn interesting traffic but permits all other ip access-list extended NAT-Traffic deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255 deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255 deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255 deny ip 172.19.191.0 0.0.0.255 18.104.22.168 0.0.0.255 deny ip 172.19.191.0 0.0.0.255 22.214.171.124 0.0.255.255 deny ip 172.19.191.0 0.0.0.255 126.96.36.199 0.0.255.255 deny ip 172.19.191.0 0.0.0.255 188.8.131.52 0.0.0.255 deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255 deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255 deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255 deny ip 172.19.191.0 0.0.0.255 184.108.40.206 0.0.3.255 permit ip any any
! create route map route-map POLICY-NAT 10 match ip address NAT-Traffic
Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down. Am I right in thinking that UDP port 500 is also the same port used by ISAKMP so by doing this configuration it effectively breaks IPSec?
Am I along the right lines in terms of configuration? And if not can anyone point me in the direction of anything that may help at all please?
Sorry to bump this thread up but is anyone able to assist in configuration? I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel I can perform the static NAT using that IP which should not break anything?
The Cisco Secure Firewall and SecureX teams are looking for feedback from active Secure Firewall users who may or may not have already activated SecureX. Your responses will help us improve the Firepower experience in SecureX. Th...
Related documentsCisco ISE (Identity Services Engine) IPv6 features by release2.6ISE ManagementNetwork Time Protocol SupportDomain Name System SupportExternal RepositoriesAudit Logs and ReportsSimple Network Management ProtocolAccess Control Lists And Dyn...
Site to Site IPSec VPN with Dynamic IP Endpoint is typically used when we have a branch sites which obtains a dynamic public IP from the Internet ISP. For example an ADSL connection.One important note is that Site-to-Site VPN with Dynamic remote routers P...
On R1, configure a key ring that defines the peer R3:Address: 220.127.116.11Local and remote pre-shared key: cisco R1(config)#crypto ikev2 keyring KRR1(config-ikev2-keyring)# peer R3R1(config-ikev2-keyring-peer)# address 18.104.22.168R1(config-ikev2-keyring-pee...