Static NAT with IPSec tunnel

Brian Preston
Level 1

Hi,

I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has an IPSec tunnel configured back to our main office. I am fairly new to networking, so forgive me if I ask some really silly questions!

I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet. This is required because of the poor signal at the branch. These boxes connect via Ethernet to the local network and need a direct connection to the Internet, and also need certain UDP and TCP ports opened up.

There is only one local subnet on site, and the ACL for the crypto map dictates that all traffic from this network to our head office goes over the tunnel. What I wanted to do was create another VLAN, give this a different subnet, assign these mobile boost boxes DHCP reservations (there is no interface to them, so they cannot be configured), and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall.

From my research I came across this article (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml).

So I went ahead and created a separate VLAN and DHCP reservation, and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel, and then configured static NAT statements for each of the four ports these boost boxes need to work. I configured ip nat inside/outside on the relevant interfaces (VLAN 3 for inside, Dialer 1 for outside).

The configuration for the NAT part can be seen below:

! Denies VPN interesting traffic but permits all other traffic
ip access-list extended NAT-Traffic
deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
deny ip 172.19.191.0 0.0.0.255 12.15.28.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 137.230.0.0 0.0.255.255
deny ip 172.19.191.0 0.0.0.255 165.26.0.0 0.0.255.255
deny ip 172.19.191.0 0.0.0.255 192.56.231.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
deny ip 172.19.191.0 0.0.0.255 205.206.192.0 0.0.3.255
permit ip any any

! Create the route-map that references the ACL above
route-map POLICY-NAT 10
match ip address NAT-Traffic

! Static NAT (one port forward per port the boost box needs)
ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable

Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down. Am I right in thinking that UDP port 500 is also the same port used by ISAKMP, so by doing this configuration it effectively breaks IPSec?

Am I along the right lines in terms of configuration? And if not, can anyone point me in the direction of anything that may help at all, please?

Many thanks in advance

Brian

1 Reply

Brian Preston
Level 1

Hi,

Sorry to bump this thread, but is anyone able to assist with the configuration? I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel, I can perform the static NAT using that IP, which should not break anything?

Thanks

Brian
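
The two questions raised in this thread (does forwarding UDP 500 on the tunnel address break ISAKMP, and does moving the forwards to a second public IP avoid it) can be checked mechanically. The following Python script is an added example, not code from the original post or from Cisco: it parses the kind of IOS configuration shown above (a copied subset of the ACL, the route-map and the four static NAT lines, embedded inline) and reports static port forwards that sit on UDP 500 (ISAKMP/IKE) or UDP 4500 (IPsec NAT-T) of the router's own tunnel endpoint, because those translations redirect the remote peer's IKE packets to the inside host before the router's own IKE stack ever sees them. It also warns when the NAT'd inside host matches none of the ACL's deny sources, so that its VPN-bound traffic is still translated. Two assumptions are labelled in the code: the post never states the Dialer 1 address, so 85.233.188.47 is assumed to be the tunnel endpoint, and 203.0.113.10 is a hypothetical spare public address standing in for the second IP proposed in the reply.

```python
"""Checker for static NAT port forwards that collide with an IPsec tunnel.

Added example, not part of the original post. Reports:
  1. port forwards on the tunnel endpoint for UDP 500 (ISAKMP/IKE) or
     UDP 4500 (IPsec NAT-T), which redirect the peer's IKE packets to
     the inside host and so break tunnel negotiation;
  2. inside hosts outside every "deny" source of the route-map ACL, whose
     VPN-bound traffic is therefore still translated.
"""
import ipaddress
import re

# Ports the router's own IKE/IPsec stack must receive on the tunnel endpoint.
ROUTER_IPSEC_PORTS = {("udp", 500): "ISAKMP/IKE", ("udp", 4500): "IPsec NAT-T"}

STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")

# Subset of the configuration copied from the post (constructed sample input).
POSTED_CONFIG = """\
ip access-list extended NAT-Traffic
 deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
 deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
 permit ip any any
route-map POLICY-NAT 10
 match ip address NAT-Traffic
ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
"""

# ASSUMPTION: the post never gives the Dialer 1 address; we assume the NAT
# global address is also the IP the tunnel terminates on.
ASSUMED_TUNNEL_ENDPOINT = "85.233.188.47"
# ASSUMPTION: hypothetical spare public IP for the second-address idea.
HYPOTHETICAL_SPARE_IP = "203.0.113.10"


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair to an ip_network (contiguous wildcards only)."""
    mask = int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF
    if mask and (mask | (mask - 1)) != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{bin(mask).count('1')}", strict=False)


def take_address(tokens, i):
    """Consume one ACL address spec (any / host X / addr wildcard) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_config(text):
    """Return (aces, statics): ACL entries as (action, src, dst) and static NAT dicts."""
    aces, statics = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = STATIC_RE.match(line)
        if m:
            proto, lip, lport, gip, gport = m.groups()
            statics.append({"proto": proto, "local_ip": lip, "local_port": int(lport),
                            "global_ip": gip, "global_port": int(gport)})
            continue
        tokens = line.split()
        if tokens[0] in ("permit", "deny") and len(tokens) > 2 and tokens[1] == "ip":
            src, i = take_address(tokens, 2)
            dst, _ = take_address(tokens, i)
            aces.append((tokens[0], src, dst))
    return aces, statics


def check(config_text, tunnel_endpoint):
    """Return findings as (severity, message) tuples for the given tunnel endpoint IP."""
    aces, statics = parse_config(config_text)
    exempt_sources = [src for action, src, _ in aces if action == "deny"]
    findings, warned = [], set()
    for s in statics:
        key = (s["proto"], s["global_port"])
        if s["global_ip"] == tunnel_endpoint and key in ROUTER_IPSEC_PORTS:
            findings.append(("error",
                f"{key[0]}/{key[1]} on {s['global_ip']} is {ROUTER_IPSEC_PORTS[key]}, which the router "
                f"needs for its own tunnel; forwarding it to {s['local_ip']} steals the peer's packets"))
        local = ipaddress.ip_address(s["local_ip"])
        if s["local_ip"] not in warned and not any(local in net for net in exempt_sources):
            warned.add(s["local_ip"])
            findings.append(("warning",
                f"{s['local_ip']} matches no deny source in the route-map ACL, so its "
                f"traffic to the VPN subnets is still translated"))
    return findings


if __name__ == "__main__":
    for endpoint in (ASSUMED_TUNNEL_ENDPOINT, HYPOTHETICAL_SPARE_IP):
        print(f"tunnel endpoint {endpoint}:")
        for sev, msg in check(POSTED_CONFIG, endpoint) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Run against the posted lines with the tunnel assumed on 85.233.188.47, the checker flags the UDP 500 and UDP 4500 forwards as errors; with the tunnel on a different address the errors disappear and only the ACL warning remains, which is the outcome the second-IP idea in the reply is counting on. The warning is worth noting separately: the deny entries list 172.19.191.0/24 as the source, while the NAT'd host is 192.168.1.2, so the exemptions never apply to the boost box.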
