I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote-site 887 router which also has an IPsec tunnel configured back to our main office. I am fairly new to networking, so forgive me if I ask some really silly questions!
I have been asked to configure some mobile phone "boost" boxes, which take a mobile phone's traffic and send it over the Internet; this is required because of the poor signal at the branch. These boxes connect via Ethernet to the local network, need a direct connection to the Internet, and also need certain UDP and TCP ports opened up.
There is only one local subnet on site, and the ACL for the crypto map dictates that all traffic from this network to our head office goes over the tunnel. What I wanted to do was create another VLAN, give it a different subnet, assign these mobile boost boxes DHCP reservations (there is no interface on them, so they cannot be configured directly), and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall.
So I went ahead and created a separate VLAN and DHCP reservations, then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel, and configured static NAT statements for each of the four ports these boost boxes need to work. I configured ip nat inside/outside on the relevant interfaces (Vlan3 for inside, Dialer1 for outside).
The configuration for the NAT part can be seen below:

! Denies VPN interesting traffic but permits all other
ip access-list extended NAT-Traffic
 deny   ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
 deny   ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
 deny   ip 172.19.191.0 0.0.0.255 184.108.40.206 0.0.0.255
 deny   ip 172.19.191.0 0.0.0.255 220.127.116.11 0.0.255.255
 deny   ip 172.19.191.0 0.0.0.255 18.104.22.168 0.0.255.255
 deny   ip 172.19.191.0 0.0.0.255 22.214.171.124 0.0.0.255
 deny   ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
 deny   ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
 deny   ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
 deny   ip 172.19.191.0 0.0.0.255 126.96.36.199 0.0.3.255
 permit ip any any
!
! Create route-map
route-map POLICY-NAT permit 10
 match ip address NAT-Traffic
Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down. Am I right in thinking that UDP port 500 is also the port used by ISAKMP, so by doing this configuration it effectively breaks IPsec?
Am I along the right lines in terms of configuration? And if not can anyone point me in the direction of anything that may help at all please?
Sorry to bump this thread, but is anyone able to assist with the configuration? I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel, I can perform the static NAT using that IP, which should not break anything?
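The complete route-map NAT configuration that the two posts above describe in prose, written out as an added example; it is not from the original thread or from Cisco. The interface names Vlan3 and Dialer1, the 172.19.191.0/24 subnet and the deny list (shortened here to three of the post's networks) come from the post; the boost-box address 172.19.191.10, the port numbers other than UDP 500, and the second public address 203.0.113.5 are placeholders, since the page does not list the four ports or the spare address. The `ip nat inside source route-map ... overload` statement, which the post does not show, is what actually ties the route-map to the Dialer. The commented-out static entries show the variant that is consistent with the symptom in the post: a port translation for UDP 500 (and 4500 if NAT-T is in use) on the Dialer1 address, which is the router's own IKE endpoint for the head-office tunnel, hands inbound IKE packets to the boost box instead of the router's ISAKMP process. The last lines show the second-public-address variant suggested in the follow-up post.

```cisco
! Added example, not the original poster's configuration.
! Vlan3, Dialer1 and 172.19.191.0/24 match the post; 172.19.191.10,
! the port numbers (except UDP 500) and 203.0.113.5 are placeholders.
!
! 1. Keep boost-box traffic to head-office networks out of NAT so it
!    still matches the crypto-map ACL and goes down the tunnel; every
!    other destination from that VLAN is eligible for local breakout.
ip access-list extended NAT-Traffic
 deny   ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
 deny   ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
 permit ip 172.19.191.0 0.0.0.255 any
!
route-map POLICY-NAT permit 10
 match ip address NAT-Traffic
!
! 2. Mark the inside (boost-box VLAN) and outside (Dialer) interfaces.
interface Vlan3
 description Boost-box VLAN, local Internet breakout
 ip address 172.19.191.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip nat outside
!
! 3. Dynamic PAT for outbound traffic selected by the route-map.
ip nat inside source route-map POLICY-NAT interface Dialer1 overload
!
! 4. Inbound port forwards for the boost box.
!
! Avoid: mapping UDP 500 (or 4500 with NAT-T) onto the Dialer1 address.
! That address is the router's own IKE endpoint for the head-office
! tunnel, so these entries steer inbound IKE to the boost box instead of
! the router, which fits the tunnel dropping right after the change.
!   ip nat inside source static udp 172.19.191.10 500  interface Dialer1 500
!   ip nat inside source static udp 172.19.191.10 4500 interface Dialer1 4500
!
! Instead: use a second public address (203.0.113.5 here) that is routed
! to this router and not referenced by any crypto map or IKE peer, and
! map the IKE-conflicting ports there.
ip nat inside source static udp 172.19.191.10 500  203.0.113.5 500
ip nat inside source static udp 172.19.191.10 4500 203.0.113.5 4500
!
! Ports that do not collide with the router's own services can stay on
! the Dialer1 address (8080 is a placeholder for one of the other ports).
ip nat inside source static tcp 172.19.191.10 8080 interface Dialer1 8080
```

After applying this, `show crypto isakmp sa` should still show the head-office peer in QM_IDLE, and `show ip nat translations` should show the boost box's entries on 203.0.113.5 rather than on the Dialer address. Whether the ISP will route a second address to the Dialer1 session depends on the service, so check that before relying on the static entries.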