03-18-2011 07:24 AM
Hi,
I've configured a VPN (IPSec) between 2 sites on Cisco 881-K9.
The server "A", which has the address 192.168.0.X, must be reachable on ports 80, 8080 and 90 from the public network.
I've configured forwarding ports with the command:
ip nat inside source static TCP 192.168.0.X 90 interface fastethernet 4 90
ip nat inside source static TCP 192.168.0.X 80 interface fastethernet 4 80
ip nat inside source static TCP 192.168.0.X 8080 interface fastethernet 4 8080
The server is reachable from outside, from the site in which it is located.
But there is an issue with the second site:
It seems that the issue is due to the port forwarding, because when I delete the port forwarding configuration there is no more issue on the second site.
Thanks for your help
03-18-2011 07:42 AM
Hi,
You need conditional NAT.
When you want port forwarding to work just for some traffic, for example when accessing the server from the Internet
but not for traffic coming through the VPN, you can add a route-map to the end.
So,
ip nat inside source static TCP 192.168.0.X xx PUBLIC_IP 4 xx route-map VPN
The route-map tells when this NAT is going to happen.
It's always going to happen, except when traffic is coming from the VPN.
Now... the problem is that you can add a route-map when you have a Port forwarding rule to an IP (not an interface).
Anyway, give it a try and let us know.
Federico.
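Here is the complete conditional-NAT configuration the answer above describes, as an added example rather than configuration posted by anyone in this thread; the server, LAN and public addresses are placeholders I chose. The ACL is matched against the untranslated inside addresses, so its deny line names the local LAN as source and the remote VPN LAN as destination.

```cisco
! Added example (not from any post in this thread). Placeholder values I chose:
!   192.168.0.10   = server "A" on the site-A LAN (192.168.0.0/24)
!   192.168.1.0/24 = site-B LAN reached through the IPsec tunnel
!   203.0.113.1    = site-A public address on FastEthernet4
!
! The route-map's ACL is evaluated against the untranslated (inside) addresses
! of packets leaving the LAN, so the exemption is written from the server's
! point of view: source = local LAN, destination = remote VPN LAN.
ip access-list extended NAT-SKIP-VPN
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
! A packet that hits the deny line does not match the route-map, so no
! translation is built for it and the tunnel sees the real 192.168.0.x address.
route-map VPN permit 10
 match ip address NAT-SKIP-VPN
!
! Port forwards bound to the public IP (not "interface fastethernet 4"),
! which is the form that accepts the route-map keyword.
ip nat inside source static tcp 192.168.0.10 80   203.0.113.1 80   route-map VPN
ip nat inside source static tcp 192.168.0.10 8080 203.0.113.1 8080 route-map VPN
ip nat inside source static tcp 192.168.0.10 90   203.0.113.1 90   route-map VPN
!
! The usual inside/outside markings; the crypto map already applied to
! FastEthernet4 for the site-to-site tunnel is unchanged and omitted here.
interface FastEthernet4
 ip nat outside
!
interface Vlan1
 ip nat inside
```

Check it with `show ip nat translations` after opening a connection to the server from each side: the session from the site-B LAN should create no entry for the server, while the one from the Internet should show 203.0.113.1:80 mapped to 192.168.0.10:80.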
03-23-2011 02:58 AM
Thanks a lot for your answer!
It works perfectly!
08-24-2011 07:36 PM
Hi, I am having the same problem as mentioned here, so I have tried to do the fix that is described, but I cannot get the route-map command to work.
Could someone please put up an example of how this should work?
I have tried the following:
ip nat inside source static tcp 192.168.56.1 443 x.x.x.x 443 route-map VPN
access-list 107 deny ip 192.168.20.0 0.0.0.255 any
access-list 107 permit ip any any
route-map VPN permit 10
match ip address 107
set interface Dialer0
But the outcome is that then the port forwarding does not work from the outside or when going through the VPN.
08-24-2011 09:57 PM
Hello Sebastien,
Hope you are doing fine!
Well please mark the query answered and rate the same, if you got the information you were looking for.
Thanks
Ankur Thukral
Community Manager- Security & VPN
03-02-2018 12:42 PM
I have successfully established a VPN on my computer but was unable to port forward and establish a connection from outside. Can you explain the process again please?
09-11-2018 04:35 AM
Hi Federico,
I have a similar problem and searching the Internet for an answer I found your post, which may provide an answer to my problem.
The scenario is, I have a router facing the ISP. This router terminates various (about 8) IPsec VPNs from other sites. At the same time, I need to configure port forwarding in this router to send AnyConnect VPN clients to authenticate with the VPN server, which is an ASA firewall behind the router. The problem is, AnyConnect uses IPsec as well and therefore the port forwarding command stops the IPsec to other sites from forming, because both use port 500.
Your answer in this post suggests that I could selectively choose what addresses NOT to forward if I configure a route-map with an ACL, because I know the source addresses of the remote sites trying to form an IPsec with this router, but I do not know the IP addresses from where our employees try to connect to the VPN server.
Therefore, I wonder if this could work.
ip nat inside source static tcp 10.10.10.10 500 9.9.9.9 500 route-map VPN
!
!
access-list 120 deny udp host 1.1.1.1 eq isakmp host 9.9.9.9 eq isakmp
access-list 120 deny udp host 2.2.2.2 eq isakmp host 9.9.9.9 eq isakmp
access-list 120 deny udp host 3.3.3.3 eq isakmp host 9.9.9.9 eq isakmp
access-list 120 deny udp host 4.4.4.4 eq isakmp host 9.9.9.9 eq isakmp
access-list 120 permit ip any any
!
!
route-map VPN permit 10
match ip address 120
10.10.10.10 = The address of the VPN server
9.9.9.9 = The external address of the router given to me by the ISP
1.1.1.1, 2.2.2.2 and so on are the source addresses of the remote sites trying to form an IPSec with this router.
With this configuration I am hoping port forwarding will only work for users trying to reach the VPN server for authentication, but at the same time the negotiation to form an IPSec from the remote sites with this router will still go ahead and complete.
What do you or anyone think?
I have a discussion open for this issue in case you prefer to answer there:
09-25-2016 04:52 AM
Hi Federico Coto,
I also have a problem; as you mentioned, I could add a route-map to have a port forwarding rule with VPN.
"ip nat inside source static tcp 192.168.1.2 8000 <IP public> 8000 route-map Bypass-NAT
Does it have any solution, because I just have a dynamic public IP to do that?
Thanks in advance!