IPSEC VPN with static NAT

Mar 11th, 2010
So, I am trying to figure out how to make this VPN work with static nat. I read the instructions here:


http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml


But when I try to do the same, I have issues. The VPN I have set up works just fine, but because I have another computer with port 22 NATed from the outside interface, the VPN users cannot reach that computer through that port. The instructions provide this line:


ip nat inside source static 10.1.1.3 200.1.1.25 route-map nonat


and the line I have is this:


ip nat inside source static tcp 192.168.1.5 22 interface Cable-Modem0/0/0 22


The problem I have is that since I have the interface Cable-Modem0/0/0, I cannot add the route-map <name> option. I cannot change the interface portion due to the fact that it is assigned a dynamic ip. Could someone point me in the right direction to figuring this out?



Thanks


-Dan

danrbrady Fri, 03/12/2010 - 16:48
Never mind. I seem to have fixed it. Here is what I did:


I used the trick that is used to forward a range of ports into the network. First, I started out by creating a NAT pool:


ip nat pool 192.168.1.x 192.168.1.x netmask 255.255.255.0 type rotary


Where "x" is the same number and equal to the inside computer you wish to forward ports to. I then created an extended access-list:



ip access-list extended

deny   ip 192.168.0.0 0.0.0.255 any

permit tcp any any eq 22

permit tcp any any eq www


Where the 192.168.0.0 is the subnet of the VPN and the following permits are the ports you wish to forward. Next, the command that ties these together:


ip nat inside destination list pool


Then I just removed these commands:


ip nat inside source static tcp 192.168.1.x 22 interface Cable-Modem0/0/0 22

ip nat inside source static tcp 192.168.1.x 80 interface Cable-Modem0/0/0 80


Now the ports can be accessed from both outside the network as well as from the VPN.


I hope this helps someone!


Thanks,

Dan
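As an added illustration (not from Dan's post or from Cisco documentation), here is a small Python model of how the extended ACL and the rotary pool Dan describes decide whether an inbound packet gets its destination rewritten. The outside-interface address, the VPN client address and the Internet source are constructed placeholders, and the first-match / implicit-deny evaluation is a simplified model rather than IOS itself.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for illustration only.  OUTSIDE_ADDR stands in for the
# dynamically assigned Cable-Modem0/0/0 address, which the page does not give.
VPN_SUBNET = ipaddress.ip_network("192.168.0.0/24")  # deny ip 192.168.0.0 0.0.0.255 any
INSIDE_HOST = "192.168.1.5"                          # rotary pool 192.168.1.x -> 192.168.1.x
FORWARDED_PORTS = {22, 80}                           # permit tcp any any eq 22 / eq www
OUTSIDE_ADDR = "198.51.100.7"                        # placeholder outside address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def acl_permits(pkt: Packet) -> bool:
    """First-match evaluation of Dan's extended ACL, with the implicit deny."""
    if ipaddress.ip_address(pkt.src) in VPN_SUBNET:          # deny ip <vpn> any
        return False
    if pkt.proto == "tcp" and pkt.dport in FORWARDED_PORTS:  # permit tcp any any eq 22/www
        return True
    return False                                             # implicit deny at the end


def nat_inside_destination(pkt: Packet) -> Packet:
    """Simplified model of 'ip nat inside destination list <acl> pool <pool>'
    for a packet arriving on the outside interface: the destination is rewritten
    to the pool host only when the ACL permits; otherwise the packet is untouched."""
    if acl_permits(pkt):
        return Packet(pkt.src, INSIDE_HOST, pkt.dport, pkt.proto)
    return pkt


def reaches_inside_host(pkt: Packet) -> bool:
    """True when the packet ends up addressed to the forwarded inside computer."""
    return nat_inside_destination(pkt).dst == INSIDE_HOST


if __name__ == "__main__":
    # Internet client to the outside address on 22: translated, reaches the host.
    print(reaches_inside_host(Packet("203.0.113.10", OUTSIDE_ADDR, 22)))
    # VPN client already addressing 192.168.1.5: denied by the ACL, so no
    # translation is attempted, and the packet still reaches the host directly.
    print(reaches_inside_host(Packet("192.168.0.7", INSIDE_HOST, 22)))
    # Internet client on a port that is not forwarded: implicit deny, no translation.
    print(reaches_inside_host(Packet("203.0.113.10", OUTSIDE_ADDR, 443)))
```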

Herbert Baerten Sun, 03/14/2010 - 07:37
(Cisco Employee)

Dan,


thanks for the follow-up. I'm just not sure I understand how you can still access port 22 from outside the VPN tunnel.

If I understand correctly, you no longer specify that Cable-Modem0/0/0 port 22 needs to be translated to 192.168.1.x port 22?


Herbert
