12-01-2010 10:24 AM
Hi,
I have a Cisco ASA 5520. I need to configure port forwarding on the VPN tunnel. E.g. I have almost 100 L2L VPN tunnels. Any clients hitting my LAN IP 192.168.1.1 on port 21, my ASA should forward that port 21 traffic to 192.168.2.1. Is it possible on the VPN? Please let me know the configuration. If that doesn't work, let me know any suggestions you have on this. Please note that any other traffic, e.g. if the client is hitting 192.168.1.1:80, should not be forwarded.
Requirement
172.16.1.1 (client) -----> 192.168.1.1:21 -----> 192.168.2.1:21
12-01-2010 10:30 AM
Hi,
Port forwarding will work over VPN if you're NATing through the tunnel (VPN traffic not included in NAT exemption)
static (in,out) tcp 192.168.1.1 21 192.168.2.1 21
The above will redirect all TCP 21 coming to 192.168.1.1 to 192.168.2.1
If the VPN client uses 192.168.1.1 to reach 192.168.2.1, it should work.
Federico.
12-01-2010 06:52 PM
Thanks for the response. Let me try this in my lab in a day or two before configuring it on LIVE. But as mentioned, any other traffic, e.g. if the client is hitting
192.168.1.1:80, should be forwarded to a different server, say 192.168.3.1:80, or maybe I can use it on some other server to redirect. That should also work.
Let me know if that too is possible.
If the port 21 port forwarding rule is applied, there will be no change in the existing access-list on the VPN tunnel (which is already in place), as this rule will forward only when it receives port 21 traffic from the client, isn't it?
or
any change required in the access-list?
ie.
while my existing configuration (which you have suggested) is in place, Client ----> 192.168.1.1:21 ----> 192.168.2.1:21
when I do port forwarding on the same server using a different port, say port 80 (as mentioned below), it should also work:
Client -----> 192.168.1.1:80 (this will open the web page on this server itself without redirecting to any other)
or
Client -----> 192.168.1.1:80 -----> 192.168.3.1:80 (which has to redirect to another server)
12-02-2010 05:51 AM
Yes.
You can use port forwarding to define other ports using the same IP as you mentioned.
This works because you are doing NAT through the tunnel... meaning the access-list for the VPN is directed to the NAT IP.
Federico.
12-02-2010 06:11 AM
Thanks. Could you just provide me a sample configuration of the access-list which I need to use on the VPN tunnel, or any other configuration required for port forwarding?
Below is my VPN configuration in addition to your suggested port forwarding configuration (PAT), for your understanding of my current configuration.
interface GigabitEthernet0/0
 description OUTSIDE INTERFACE
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 124.123.122.254 255.255.255.0
!
interface GigabitEthernet0/1
 description INSIDE INTERFACE
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
access-list VPN-CLIENT extended permit ip host 192.168.1.1 host 172.16.1.1
access-list NONAT extended permit ip host 192.168.1.1 host 172.16.1.1
access-list in2out extended permit ip any any
!
static (inside,outside) tcp 192.168.1.1 21 192.168.2.1 21
global (outside) 1 124.123.122.1 netmask 255.255.255.255
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.1.0 255.255.255.0
!
access-group out2in in interface outside
access-group in2out in interface inside
Client IP - 172.16.1.1
My Server - 192.168.1.1
My FTP Server ip - 192.168.2.1
12-02-2010 10:40 AM
The problem that I see is the following:
Client IP - 172.16.1.1
My Server - 192.168.1.1
My FTP Server ip - 192.168.2.1
The ASA will receive the VPN traffic from 172.16.1.1.
The ASA has a NAT exemption rule to forward the traffic to 192.168.1.1.
After the ASA forwards the packets to 192.168.1.1, the ASA is not going to manipulate the packets again to be able to redirect them to 192.168.2.1.
ie.
If the ASA receives a packet on its outside interface, it can redirect those packets to an internal IP using port forwarding.
The difference here is that you're telling the ASA to send the packets to a host already on the inside, 192.168.1.1, and then redirect those packets again.
Federico.
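To make the point above concrete, here is a small added model (not from the thread and not Cisco's code) of how the ASA 8.2-style NAT rules in the posted configuration are evaluated for decrypted L2L traffic arriving on the outside interface. It covers only the two rule types discussed in the thread, NAT exemption (nat 0 access-list) and static PAT, and applies them in the order the pre-8.3 ASA uses: exemption is checked first, static second. Policy NAT, dynamic NAT and nat-control are left out, and the packet and rule structures are constructed for illustration. The model shows why the posted NONAT line stops the port 21 redirect from ever being hit, and that with NAT through the tunnel (no exemption for that pair) port 21 is redirected while port 80 reaches 192.168.1.1 unchanged.

```python
"""Simplified model of ASA 8.2 inbound NAT evaluation (exemption, then static PAT).

Assumptions, not taken from the thread: only nat 0 exemption and static PAT
are modelled, in that order; no policy NAT, dynamic NAT or nat-control.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Decrypted packet entering on the outside interface (constructed sample)."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class ExemptEntry:
    """One 'access-list NONAT extended permit ip host A host B' line."""
    inside_host: str
    remote_host: str


@dataclass(frozen=True)
class StaticPat:
    """'static (inside,outside) tcp MAPPED MPORT REAL RPORT'."""
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


def translate_inbound(pkt, exemptions, statics):
    """Return (real_dst_ip, real_dst_port, reason) for an outside -> inside packet."""
    # 1. NAT exemption wins: a matching pair is delivered untranslated,
    #    so no later static PAT entry is consulted for this packet.
    for ex in exemptions:
        if pkt.src == ex.remote_host and pkt.dst == ex.inside_host:
            return pkt.dst, pkt.dport, "nat 0 exemption matched: delivered untranslated"
    # 2. Static PAT: mapped ip/port seen on outside -> real ip/port on inside.
    for st in statics:
        if (pkt.proto, pkt.dst, pkt.dport) == (st.proto, st.mapped_ip, st.mapped_port):
            return st.real_ip, st.real_port, "static PAT matched: redirected"
    return pkt.dst, pkt.dport, "no translation matched"


# Rules as posted in the thread.
POSTED_EXEMPTIONS = [ExemptEntry("192.168.1.1", "172.16.1.1")]
STATICS = [StaticPat("tcp", "192.168.1.1", 21, "192.168.2.1", 21)]


def with_posted_exemption(dport):
    """Client 172.16.1.1 -> 192.168.1.1:dport with the NONAT line in place."""
    pkt = Packet("172.16.1.1", "192.168.1.1", "tcp", dport)
    return translate_inbound(pkt, POSTED_EXEMPTIONS, STATICS)


def with_nat_through_tunnel(dport):
    """Same client, but the VPN pair is NOT exempted (NAT through the tunnel)."""
    pkt = Packet("172.16.1.1", "192.168.1.1", "tcp", dport)
    return translate_inbound(pkt, [], STATICS)


if __name__ == "__main__":
    for label, fn in (("posted config", with_posted_exemption),
                      ("NAT through tunnel", with_nat_through_tunnel)):
        for port in (21, 80):
            ip, p, why = fn(port)
            print(f"{label:18} dst port {port:3} -> {ip}:{p}  ({why})")
```

Running it shows the posted configuration delivering port 21 to 192.168.1.1 untouched because the exemption matches first, whereas without the exemption the static entry redirects port 21 to 192.168.2.1 and leaves port 80 alone. Note that once the VPN pair is NATed rather than exempted, the crypto ACL (VPN-CLIENT) has to match the mapped address 192.168.1.1, which is what the earlier reply meant by "the access-list for the VPN is directed to the NAT IP".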
12-02-2010 07:16 PM
Does it mean that it will work only when I have the 192.168.2.1 server on the DMZ port of the same ASA?