02-17-2004 09:29 AM
Hello,
This is the 3rd time I have run across this issue and have never been able to get this to work correctly. I am trying to forward a TCP port from the Internet to an internal server on the LAN (in the config below this works OK). However, this port must also be accessible from the main site (172.16.1.0) via the VPN. The config below allows the port from the Internet but breaks it over the VPN. What am I doing wrong?
interface Loopback0
description INTERFACE TO BREAK STATIC NAT FOR VPN
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
description connected to Internet
ip address x.x.x.x 255.255.255.128
ip nat outside
half-duplex
crypto map vpn1
!
interface FastEthernet0
description connected to EthernetLAN
ip address 172.16.8.1 255.255.255.0
ip nat inside
ip policy route-map NO_STATIC
speed auto
!
ip nat inside source static tcp 172.16.8.5 6107 interface Ethernet0 6107
ip nat inside source route-map nonat1 interface Ethernet0 overload
!
access-list 105 permit ip 172.16.8.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 106 remark DENY DYNAMIC NAT FOR VPN AND STATIC
access-list 106 deny ip 172.16.8.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 106 deny tcp host 172.16.8.5 any eq 6107
access-list 106 permit ip 172.16.8.0 0.0.0.255 any
access-list 110 remark BREAK STATIC NAT FOR VPN
access-list 110 permit tcp host 172.16.8.5 172.16.1.0 0.0.0.255 eq 6107
!
route-map NO_STATIC permit 10
match ip address 110
set ip next-hop 1.1.1.2
!
route-map nonat1 permit 5
match ip address 106
!
02-17-2004 04:14 PM
Try changing the following lines:
access-list 106 deny tcp host 172.16.8.5 any eq 6107
access-list 110 permit tcp host 172.16.8.5 172.16.1.0 0.0.0.255 eq 6107
to:
access-list 106 deny tcp host 172.16.8.5 eq 6107 any
access-list 110 permit tcp host 172.16.8.5 eq 6107 172.16.1.0 0.0.0.255
You're trying not to NAT the traffic that is coming FROM host 172.16.8.5, which would have the source port as 6107, not the destination port.
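The point in the reply above, as an added example that is not code from the thread: a small evaluator for the IOS extended-ACL syntax used in the posted config, run against a reply packet leaving 172.16.8.5. Route-map nonat1 (ACL 106) and the NO_STATIC policy route on FastEthernet0 (ACL 110) both see the packet as it leaves the LAN host, so the server's port 6107 is the source port, and an entry written as "any eq 6107" never matches it. Server, LAN and VPN-site addresses are the ones from the config; the two client addresses and the ephemeral client port 50123 are constructed for the example. The evaluator handles only permit/deny, ip/tcp, host/any/wildcard addresses and "eq" ports, and it does not model NAT order of operations beyond which entry matches.

```python
"""Added example, not from the thread: minimal IOS extended-ACL matching
to show why ACL 106 / ACL 110 must match 6107 as the SOURCE port."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]   # None matches any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None matches any destination port


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny ip|tcp <src> [eq N] <dst> [eq N]' (IOS syntax)."""
    tok = line.split()
    action, proto = tok[0], tok[1]

    def take_addr(i):
        if tok[i] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        if tok[i] == "host":
            return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        # IOS wildcard mask: 0 bits must match, so invert it into a netmask.
        addr, wildcard = tok[i], tok[i + 1]
        mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2

    def take_port(i):
        if i < len(tok) and tok[i] == "eq":
            return int(tok[i + 1]), i + 2
        return None, i

    src, i = take_addr(2)
    sport, i = take_port(i)
    dst, i = take_addr(i)
    dport, i = take_port(i)
    return Ace(action, proto, src, sport, dst, dport)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action
    return "deny"


# ACL 110 feeds route-map NO_STATIC: "permit" sends the packet to the loopback
# next hop so the static NAT entry is bypassed on the way into the VPN.
ACL110_ORIG = [parse_ace("permit tcp host 172.16.8.5 172.16.1.0 0.0.0.255 eq 6107")]
ACL110_FIXED = [parse_ace("permit tcp host 172.16.8.5 eq 6107 172.16.1.0 0.0.0.255")]

# ACL 106 feeds route-map nonat1: "permit" means PAT on Ethernet0, "deny" means
# the packet is left out of the dynamic translation.
ACL106_ORIG = [parse_ace(l) for l in (
    "deny ip 172.16.8.0 0.0.0.255 172.16.1.0 0.0.0.255",
    "deny tcp host 172.16.8.5 any eq 6107",
    "permit ip 172.16.8.0 0.0.0.255 any",
)]
ACL106_FIXED = [parse_ace(l) for l in (
    "deny ip 172.16.8.0 0.0.0.255 172.16.1.0 0.0.0.255",
    "deny tcp host 172.16.8.5 eq 6107 any",
    "permit ip 172.16.8.0 0.0.0.255 any",
)]

# Replies leaving the server: source port is 6107, destination port is the
# client's ephemeral port. Client addresses and port 50123 are constructed.
VPN_REPLY = Packet("tcp", "172.16.8.5", 6107, "172.16.1.10", 50123)
INET_REPLY = Packet("tcp", "172.16.8.5", 6107, "203.0.113.10", 50123)


if __name__ == "__main__":
    for name, acl in (("110 orig", ACL110_ORIG), ("110 fixed", ACL110_FIXED),
                      ("106 orig", ACL106_ORIG), ("106 fixed", ACL106_FIXED)):
        for label, pkt in (("reply to VPN site", VPN_REPLY),
                           ("reply to Internet", INET_REPLY)):
            print(f"ACL {name:9s} {label:18s} -> {evaluate(acl, pkt)}")
```

With the original ACL 110 the reply to the VPN site is never policy-routed (the 6107 is compared against the client's ephemeral destination port), so it falls through to the static NAT entry and leaves the VPN with a translated source address. With the corrected entry the VPN reply is policy-routed while a reply to an Internet client still is not, which keeps the static translation for the Internet path. The corrected ACL 106 entry likewise keeps the server's port-6107 replies out of the overload translation, where the original entry let them fall through to the final permit.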
02-18-2004 06:54 AM
Thanks for pointing that out! Yes, that would make sense... I'll give it a try.