NAT on IPSec tunnel between 2x IOS routers (877)

Aug 25th, 2008

Hi All,

We have a customer with 2x 877 routers connected to the internet. These routers are configured with an IPSec tunnel (which works fine). The issue is that the inbound static NAT translations cause problems with the tunnel - port 25 is mapped to the inside address of the mail server. The existing config works fine for inbound mail, but prevents users from accessing the mail server directly (using the private IP) on port 25.


Here's the NAT config:

ip nat pool INET_POOL <publicIP> <publicIP> netmask 255.255.255.252
ip nat inside source route-map INET_NAT pool INET_POOL overload
ip nat inside source static tcp 10.10.0.8 25 <publicIP> 25 extendable
ip nat inside source static tcp 10.10.0.8 80 <publicIP> 80 extendable
ip nat inside source static tcp 10.10.0.8 443 <publicIP> 443 extendable
ip nat inside source static tcp 10.10.0.7 1433 <publicIP> 1433 extendable
ip nat inside source static tcp 10.10.0.7 3389 <publicIP> 3389 extendable

route-map INET_NAT permit 1
 match ip address 101

access-list 101 deny ip 10.10.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.10.0.0 0.0.0.255 any



On ASAs I would set up a NAT exemption, but how can I achieve the same thing in IOS?


Cheers,

Luke

Correct Answer by Farrukh Haroon about 8 years 9 months ago

Hello, my name is Nelson and I have the same problem.

I have a customer with a VPN working just fine. He can access the remote PCs (port 3389) via VPN without any problem. Now they ask us to open 3389 to a particular outside IP (from the Internet). The problem is that when I configure the static PAT for port 3389, the customer loses access via VPN to port 3389 of the remote PC because of the static NAT.


ip nat inside source static tcp 192.2.100.1 3389 3389 extendable


How can I open 3389 to the external IP (from the Internet) and keep the access to the remote sites of the customer?

Any idea?


Best regards,

Nelson

Farrukh Haroon Thu, 08/28/2008 - 03:15

You have to post more details about your setup.


Regards


Farrukh

This is the configuration I have on one site:


«
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!
crypto isakmp peer address
 set aggressive-mode password xxx
 set aggressive-mode client-endpoint fqdn 110.110.iteuve.oni.pt
!
crypto ipsec transform-set iteuve esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map IPSECMAP 10 ipsec-isakmp
 set peer
 set transform-set iteuve
 match address 111
!
interface Ethernet0
 ip address 192.2.100.254 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1300
 no cdp enable
 hold-queue 100 out
!
interface BRI0
 no ip address
 shutdown
 no cdp enable
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name redback
 no cdp enable
 ppp authentication pap chap callin
 ppp pap sent-username [email protected] password xxx
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map IPSECMAP
!
ip nat inside source list 169 interface Dialer1 overload
ip nat inside source static tcp 192.2.100.1 3389 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
access-list 111 permit tcp 192.2.100.0 0.0.0.255 any eq pop3
access-list 111 permit tcp 192.2.100.0 0.0.0.255 any eq smtp
access-list 111 permit udp 192.2.100.0 0.0.0.255 any eq domain
access-list 111 permit tcp 192.2.100.0 0.0.0.255 any eq 123
access-list 111 permit ip 192.2.100.0 0.0.0.255 host
access-list 111 permit ip 192.2.100.0 0.0.0.255 host
access-list 111 permit tcp 192.2.100.0 0.0.0.255 host eq www
access-list 111 permit tcp 192.2.100.0 0.0.0.255 host eq www
access-list 111 permit tcp 192.2.100.0 0.0.0.255 host eq 8080
access-list 111 permit tcp 192.2.100.0 0.0.0.255 host eq www
access-list 111 permit tcp 192.2.100.0 0.0.0.255 host eq www
access-list 111 permit tcp 192.2.100.0 0.0.0.255 host eq www
access-list 111 permit tcp 192.2.100.0 0.0.0.255 host eq www
access-list 111 permit tcp 192.2.100.0 0.0.0.255 host eq www
access-list 111 permit tcp 192.2.100.0 0.0.0.255 host eq www
access-list 111 permit tcp 192.2.100.0 0.0.0.255 host eq www
access-list 111 permit tcp 192.2.100.0 0.0.0.255 host eq www
access-list 111 permit tcp 192.2.100.0 0.0.0.255 host eq www
access-list 111 permit tcp 192.2.100.0 0.0.0.255 host eq www
access-list 111 permit tcp 192.2.100.0 0.0.0.255 host
access-list 111 permit tcp 192.2.100.0 0.0.0.255 host eq 8080
access-list 111 permit tcp 192.2.100.0 0.0.0.255 host eq www
access-list 111 permit udp 192.2.100.0 0.0.0.255 host eq 8080
access-list 111 permit tcp 192.2.100.0 0.0.0.255 host eq www
access-list 111 permit tcp 192.2.100.0 0.0.0.255 host eq 8080
access-list 111 permit tcp 192.2.100.0 0.0.0.255 host eq www
access-list 111 permit ip 192.2.100.0 0.0.0.255 host
access-list 111 permit ip 192.2.100.0 0.0.0.255 192.2.0.0 0.0.255.255
access-list 169 permit tcp 192.2.100.0 0.0.0.255 any eq pop3
access-list 169 permit tcp 192.2.100.0 0.0.0.255 any eq smtp
access-list 169 deny ip 192.2.100.0 0.0.0.255 any
dialer-list 1 protocol ip permit
»


When I add the static NAT line, the customer cannot remotely access (port 3389) the PC with IP 192.2.100.1 via VPN (starting the session from another site).
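Both Luke's port 25 entry and Nelson's port 3389 entry fail for the same reason: for inside-to-outside traffic IOS applies NAT before the crypto map is checked, and a static extendable entry translates every packet sourced from the mapped inside address and port regardless of destination, so the server's reply to a remote-site user leaves as <publicIP>:25 and no longer matches the crypto ACL. The model below is an added example, not configuration from this thread; it uses Luke's addresses (203.0.113.10 is a constructed stand-in for <publicIP>) and shows the effect of conditioning the static entry on a route-map that denies LAN-to-remote-LAN traffic, which assumes the IOS route-map clause on static NAT entries that the thread does not show.

```python
# Added example (not from the thread): a small model of the IOS inside->outside
# NAT decision, showing why a static "extendable" entry breaks traffic bound for
# the IPsec peer and how a route-map-conditioned entry (assumed IOS syntax,
# not shown in the thread) leaves that traffic untranslated.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.10"                 # constructed stand-in for <publicIP>
LOCAL_LAN = ip_network("10.10.0.0/24")     # Luke's inside network
REMOTE_LAN = ip_network("192.168.1.0/24")  # far side of the IPsec tunnel


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def nonat_permits(pkt):
    """Models ACL 101: deny LAN -> remote LAN (VPN traffic), permit LAN -> any."""
    return not (ip_address(pkt.src) in LOCAL_LAN and ip_address(pkt.dst) in REMOTE_LAN)


def static_entries(conditional):
    # (inside local, local port, inside global, global port, route-map or None)
    return [("10.10.0.8", 25, PUBLIC_IP, 25, nonat_permits if conditional else None)]


def translate_inside_to_outside(pkt, conditional):
    """A static entry matches on inside-local source address+port whatever the
    destination; a route-map clause restricts it to packets the route-map permits."""
    for local, lport, glob, gport, rmap in static_entries(conditional):
        if pkt.src == local and pkt.sport == lport and (rmap is None or rmap(pkt)):
            return Packet(glob, gport, pkt.dst, pkt.dport)
    if nonat_permits(pkt):   # dynamic PAT via route-map INET_NAT (source port kept here)
        return Packet(PUBLIC_IP, pkt.sport, pkt.dst, pkt.dport)
    return pkt               # VPN-bound traffic stays untranslated


def crypto_acl_matches(pkt):
    """Crypto ACL: local LAN -> remote LAN is what the crypto map encrypts."""
    return ip_address(pkt.src) in LOCAL_LAN and ip_address(pkt.dst) in REMOTE_LAN


def reply_is_tunnelled(conditional):
    """Mail server's SMTP reply to a remote-site user: NAT runs, then the crypto check."""
    reply = Packet("10.10.0.8", 25, "192.168.1.50", 51000)
    return crypto_acl_matches(translate_inside_to_outside(reply, conditional))
```

With the unconditional entry the reply is rewritten to 203.0.113.10:25 and misses the crypto ACL, so it leaves the router in the clear; with the route-map clause it stays 10.10.0.8:25 and is encrypted, while Internet-bound SMTP is still translated.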
