09-18-2007 10:36 AM
Hi,
My configuration is as follows:
The central location (ASA 5520) is connected to a branch office running a 2811 router via an IPsec VPN. The router has a single IP address available, so PAT is in place on the outside interface. I have configured a VPN tunnel with the main office and it is functional. In the branch office network I have a server running services on ports 80, 443 and 1352. These server ports are translated to the outside router IP address. These services are accessible from the outside, but when I try to access these ports on the server through the VPN tunnel, I get no response.
I know this is because I have a static translation to the outside interface for these ports. What I need to be able to do is access the server on these ports both from the public network and from the corporate network. How can I configure the router to achieve this? I have tried applying the ip policy route-map command on the inside interface and tried to redirect server traffic to a loopback interface, but with no success.
Here is the relevant config of the router:
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(13b), RELEASE SOFTWARE (fc3)
crypto isakmp policy 3
encr aes
hash md5
authentication pre-share
group 5
crypto isakmp key ******** address 198.67.x.x no-xauth
!
!
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
!
crypto map VPN_Tunnel 1 ipsec-isakmp
description Tunnel to HQ
set peer 198.67.x.x
set transform-set ESP-AES-MD5
match address Tunnel_Traffic
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address 192.168.46.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Outside Interface
ip address 208.73.x.x 255.255.255.252
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map VPN_Tunnel
!
ip route 0.0.0.0 0.0.0.0 208.73.x.x
!
ip nat translation timeout 90
ip nat inside source static tcp 192.168.46.2 1352 interface FastEthernet0/1 1352
ip nat inside source static tcp 192.168.46.2 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.46.2 443 interface FastEthernet0/1 443
ip nat inside source route-map VPNTunnel interface FastEthernet0/1 overload
!
ip access-list extended Tunnel_Divert
remark This ACL diverts traffic to the VPN tunnel
deny ip 192.168.46.0 0.0.0.255 192.168.192.0 0.0.63.255
deny ip 192.168.46.0 0.0.0.255 140.85.0.0 0.0.255.255
deny ip 192.168.46.0 0.0.0.255 141.146.128.0 0.0.127.255
permit ip 192.168.46.0 0.0.0.255 any
ip access-list extended Tunnel_Traffic
remark This ACL allows the proper traffic through the tunnel
permit ip 192.168.46.0 0.0.0.255 192.168.192.0 0.0.63.255
permit ip 192.168.46.0 0.0.0.255 141.146.128.0 0.0.127.255
permit ip 192.168.46.0 0.0.0.255 140.85.0.0 0.0.255.255
!
route-map VPNTunnel permit 1
match ip address Tunnel_Divert
!
!
Thanks
09-19-2007 07:17 PM
Hi,
You are correct indeed. In the NAT order of operation, static translation is considered before dynamic translation. The no-NAT configuration referenced by your route-map VPNTunnel is bypassed by the static translations for ports 80, 443 and 1352. The problem is that you cannot do policy NAT (adding a route-map statement) if you are doing port redirection:
ip nat inside source static tcp 192.168.46.2 1352 interface FastEthernet0/1 1352
ip nat inside source static tcp 192.168.46.2 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.46.2 443 interface FastEthernet0/1 443
You can only do policy nat provided that your server 192.168.46.2 would have a dedicated ip address, example:
ip nat inside source static 192.168.46.2 208.73.x.2 route-map nonat
!
access-list 150 deny ip host 192.168.46.2 192.168.192.0 0.0.63.255
access-list 150 deny ip host 192.168.46.2 141.146.128.0 0.0.127.255
access-list 150 deny ip host 192.168.46.2 140.85.0.0 0.0.255.255
access-list 150 permit ip host 192.168.46.2 any
!
route-map nonat permit 10
match ip address 150
* Limiting access from the Internet would be the role of the access-list applied on the public interface.
The only solution in my opinion is to access your server 192.168.46.2 via the translated IP over the tunnel, as the translation cannot be bypassed:
1. Put the translated ip as part of your interesting traffic:
ip access-list extended Tunnel_Traffic
remark This ACL allows the proper traffic through the tunnel
permit tcp host 208.73.x.x 192.168.192.0 0.0.63.255 eq 80
permit tcp host 208.73.x.x 141.146.128.0 0.0.127.255 eq 443
permit tcp host 208.73.x.x 140.85.0.0 0.0.255.255 eq 1352
Hope this helps....
Cheers,
lapascua
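The NAT ordering point made in the reply above, traced as an added model (not code from the thread or from Cisco IOS): the server's reply to a VPN client is checked against the static port entries first, so the route-map deny is never consulted and the post-NAT source no longer matches the posted Tunnel_Traffic ACL. The outside address 208.73.0.1, the HQ client 192.168.192.10 and the ephemeral ports are constructed stand-ins for the masked values in the thread.

```python
import ipaddress
from collections import namedtuple

# Constructed values: the thread masks the router's outside address as 208.73.x.x,
# so 208.73.0.1 stands in for it; 192.168.192.10 is an assumed HQ client.
OUTSIDE_IP = "208.73.0.1"
INSIDE_NET = "192.168.46.0/24"
HQ_NETS = ["192.168.192.0/18", "141.146.128.0/17", "140.85.0.0/16"]

# The three static port translations from the posted config, inside-to-outside:
# (inside host, inside port) -> (outside address, outside port)
STATIC_PORT_NAT = {
    ("192.168.46.2", 1352): (OUTSIDE_IP, 1352),
    ("192.168.46.2", 80): (OUTSIDE_IP, 80),
    ("192.168.46.2", 443): (OUTSIDE_IP, 443),
}

Packet = namedtuple("Packet", "src sport dst dport")

def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def nat_inside_to_outside(pkt):
    """Model of the IOS order: static entries are consulted before the route-map
    overload entry, so the Tunnel_Divert deny never reaches the server's ports."""
    key = (pkt.src, pkt.sport)
    if key in STATIC_PORT_NAT:
        oip, oport = STATIC_PORT_NAT[key]
        return Packet(oip, oport, pkt.dst, pkt.dport), "static"
    if in_net(pkt.src, INSIDE_NET):
        if any(in_net(pkt.dst, n) for n in HQ_NETS):  # Tunnel_Divert deny lines
            return pkt, "route-map deny (not translated)"
        return Packet(OUTSIDE_IP, 40000, pkt.dst, pkt.dport), "overload"  # port illustrative
    return pkt, "none"

def matches_crypto_acl(pkt, extra_lines=()):
    """Tunnel_Traffic as posted (inside /24 -> HQ ranges), plus optional
    (outside port, destination net) lines like those the reply suggests."""
    if in_net(pkt.src, INSIDE_NET) and any(in_net(pkt.dst, n) for n in HQ_NETS):
        return True
    return any(pkt.src == OUTSIDE_IP and pkt.sport == p and in_net(pkt.dst, n)
               for p, n in extra_lines)

def server_reply_path(dport, extra_lines=()):
    """Trace the server's reply to the assumed HQ client: which NAT rule fired,
    the post-NAT source, and whether the crypto map would select the packet."""
    reply = Packet("192.168.46.2", dport, "192.168.192.10", 51515)
    translated, rule = nat_inside_to_outside(reply)
    return rule, translated.src, matches_crypto_acl(translated, extra_lines)
```

Running server_reply_path(80) shows the static entry firing and the crypto ACL missing; a non-redirected port such as 8080 on the same server takes the route-map deny and stays matchable.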
09-21-2007 12:23 AM
Thanks, I'll give it a shot and post the outcome.
02-17-2008 12:28 PM
Sorry for not reporting earlier. The proposed solution did not work.
03-19-2009 11:31 PM
Hi,
Did you manage to find a resolution to this problem?
Thanks