Site to Site VPN and Port Forward

Unanswered Question
Sep 1st, 2008

Hi,

Setup:

I have 10 sites using 877s, latest IOS 12.4T, and all are in a mesh configuration.

Each site also has an SMTP port forward rule from the internet to the local Exchange 2007 server.

Problem:

My issue is that if I telnet to port 25 on an Exchange server in a different site, the connection fails due to some sort of conflict with the remote port forward rule. Remove the port forward rule in the remote site and the connection works.

Is there any way around this problem?

Marwan ALshawi Mon, 09/01/2008 - 07:26

Make an additional line for port forwarding,

like mapping port 250 to internal 25.

In other words, play with ports to avoid conflicting.

apstownsend Mon, 09/01/2008 - 07:57

Thanks for the reply.

If I map 25 outside to 25000 internal, the server doesn't respond!

Is there any way of doing this without changing ports etc.?

jpoplawski Tue, 09/02/2008 - 13:11

We ran into this situation with site-to-site VPNs and static NAT entries. The router is attempting to "un-NAT" the VPN'd traffic and push it back to the outside interface NAT translation. Here's what I did to overcome it.

Set up a loopback interface:

interface Loopback0
 ip address 1.1.1.1 255.255.255.0

Create an ACL for the traffic to go backwards:

access-list 177 permit ip host 10.0.1.20 10.0.2.0 0.0.0.255

where 10.0.1.20 = local server
and 10.0.2.0 = remote subnet (perhaps your HQ)

Create policy-based routing:

route-map PBR permit 10
 match ip address 177
 set ip next-hop 1.1.1.2

Apply PBR to the inside interface:

interface Vlan1
 ip policy route-map PBR

This effectively tells the router to use the loopback to go through the tunnel, instead of using the outside NAT translation.

My explanation could probably be better, but I know this works from previous experience. You will obviously have to modify the config to meet your needs.

A different approach to overcome this issue can be found here: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html

Cheers, rate me if this helps!

JB
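A fuller single-site configuration that puts JB's loopback/PBR workaround next to the port forward that triggers the problem, added here as an example and not taken from the thread. All addresses, interface names and ACL names are assumed, and a crypto map named VPN matching 10.0.1.0/24 to 10.0.2.0/24 is assumed to already exist.

```cisco
! Constructed example for one site (site A) on an 877 running 12.4T.
! Assumed: LAN 10.0.1.0/24, Exchange server 10.0.1.20, remote site
! 10.0.2.0/24, WAN on Dialer0, crypto map "VPN" already configured.
!
! Loopback used only as a routing "bounce": pick a subnet that overlaps
! nothing real, and do NOT mark it ip nat inside or ip nat outside.
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface Vlan1
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR
!
interface Dialer0
 ip nat outside
 crypto map VPN
!
! SMTP port forward from the Internet to the Exchange server. Static
! entries are applied regardless of the dynamic NAT ACL below, so replies
! from 10.0.1.20:25 towards the tunnel are rewritten to the Dialer0
! address, no longer match the crypto ACL, and leave unencrypted.
ip nat inside source static tcp 10.0.1.20 25 interface Dialer0 25
!
! Dynamic PAT for everything else. Site-to-site traffic is exempted here,
! but this exemption does not cover the static entry above.
ip access-list extended NAT_ACL
 deny   ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
 permit ip 10.0.1.0 0.0.0.255 any
ip nat inside source list NAT_ACL interface Dialer0 overload
!
! Only the mail server's traffic to the remote site is bounced through
! Loopback0. It re-enters routing from an interface that is not
! "ip nat inside", so the static translation is skipped and the packet
! reaches Dialer0 with its real source address for the crypto map.
access-list 177 permit ip host 10.0.1.20 10.0.2.0 0.0.0.255
route-map PBR permit 10
 match ip address 177
 set ip next-hop 1.1.1.2
!
! Check: "show route-map PBR" should show the policy-routing match count
! climbing when the remote site telnets to port 25 on 10.0.1.20, and
! "show ip nat translations" should show no entry for that flow.
```

Keep ACL 177 as narrow as the thread's version (one host to one remote subnet); a broader match would policy-route traffic that has nothing to do with the port forward.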
