Cisco Support Community
Static public to private route not returning to source

Hello all,

First, my apologies for making this so long, but I wanted to cover all the bases.

I currently use a Cisco 1800 router for VPN to my vendor. The vendor initiates the tunnel using interesting traffic with a specific port. This is where it gets confusing. They establish the tunnel from their peer IP to my outside FE0/1 interface by sending a packet to a second public IP. I use static routing that maps the second public IP to the private IP of my host server (runs a communication application) through my FE0/0 interface.

When we test, both phases of the tunnel come up and I see where the second public IP is translated. My application accepts the connection through the port. The issue is when my application tries to send the acknowledgement back it fails. It's as though the app doesn't know how to get the response back to the router and out the VPN tunnel. My vendor sees the application start, then it immediately terminates. I'm not sure if the problem is with my router configuration or something on their end. The problem is not VPN related but something with routing.

Application Server IP - 192.168.1.1

FE0/0 - 192.168.1.2

FE0/1 - 1.1.1.189

Vendor VPN Peer IP - 2.2.2.254

Vendor Host IP - 3.3.3.172

My Host IP - 1.1.1.141

Here is a brief excerpt from my config.

First the interfaces:

interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 1.1.1.189 255.255.255.192
 ip access-group 101 in
 ip access-group 102 out
 ip nat outside
 crypto map xxx

My crypto map:

crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key xxx address 2.2.2.254
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
crypto map xxx 1 ipsec-isakmp
 description Encrypted Tunnel to
 set peer 2.2.2.254
 set transform-set VPN
 match address 100

The access-lists:

access-list 100 remark Traffic through VPN Tunnel
access-list 100 permit tcp host 1.1.1.141 host 3.3.3.172
access-list 101 remark Allowed Traffic IN FE/1
access-list 101 permit tcp host 3.3.3.172 any
access-list 101 permit ip host 2.2.2.254 any
access-list 102 remark Allowed Traffic OUT FE/1
access-list 102 permit tcp any host 3.3.3.172
access-list 102 permit ip any host 2.2.2.254
access-list 103 remark Route-Map NoNat Allowed Traffic
access-list 103 deny   ip host 1.1.1.141 host 206.x.x.x
access-list 103 permit tcp host 1.1.1.141 any
access-list 103 permit tcp host 192.168.1.1 any
route-map nonat permit 10
 match ip address 103

The static routes:

ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.129 (This is my default gateway from my ISP)
ip route 2.2.2.254 255.255.255.255 1.1.1.129
ip route 3.3.3.172 255.255.255.255 1.1.1.129

My NAT commands:

ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.1 1234 1.1.1.141 1234 extendable

 

Appreciate any help here. Am I doing something wrong or trying to find a needle in a haystack?

 

Thanks,

Dennis
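The check a practitioner would run on a config like the one above is to walk one packet in each direction through the IOS order of operations (inside-to-outside: NAT, then the outbound access-group, then the crypto ACL; outside-to-inside: decrypt and identity check, inbound access-group, then NAT) and see which rule each packet actually hits. The following is an added example, not code from the post or from Cisco: a small Python model of that walk over the poster's own ACL and NAT lines. It assumes ACL entries use only "host X" and "any" (no port qualifiers, as in the post), that a static NAT entry wins over the route-map PAT rule, and that a packet which the crypto ACL does not match is forwarded in the clear. The masked "206.x.x.x" entry is kept as the post gives it, so it matches nothing.

```python
# Added example (not from the post): models the IOS order of operations for
# the posted ACL and NAT lines. Assumptions: ACL entries use only
# "host X"/"any" (no port qualifiers), static NAT is matched before the
# route-map PAT rule, and NAT inside->outside runs before the crypto ACL check.
from dataclasses import dataclass, replace

FE01_IP = "1.1.1.189"  # PAT address from "interface FastEthernet0/1 overload"

# ACL and static NAT lines copied from the post ("206.x.x.x" left masked).
CONFIG = """
access-list 100 permit tcp host 1.1.1.141 host 3.3.3.172
access-list 101 permit tcp host 3.3.3.172 any
access-list 101 permit ip host 2.2.2.254 any
access-list 102 permit tcp any host 3.3.3.172
access-list 102 permit ip any host 2.2.2.254
access-list 103 deny   ip host 1.1.1.141 host 206.x.x.x
access-list 103 permit tcp host 1.1.1.141 any
access-list 103 permit tcp host 192.168.1.1 any
ip nat inside source static tcp 192.168.1.1 1234 1.1.1.141 1234 extendable
""".strip().splitlines()


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def _addr(tokens, i):
    """Parse 'any' or 'host A.B.C.D' at tokens[i]; return (predicate, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        want = tokens[i + 1]
        return (lambda ip: ip == want), i + 2
    raise ValueError("only 'any' and 'host' are modelled: " + " ".join(tokens))


def parse_config(lines):
    """Return ({acl_number: [entries]}, [static NAT rules]); remark lines are skipped."""
    acls, statics = {}, []
    for line in lines:
        t = line.split()
        if t[:1] == ["access-list"] and t[2].lower() != "remark":
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            acls.setdefault(t[1], []).append((t[2], t[3], src, dst))
        elif t[:5] == ["ip", "nat", "inside", "source", "static"]:
            # proto, inside local, local port, inside global, global port
            statics.append((t[5], t[6], int(t[7]), t[8], int(t[9])))
    return acls, statics


def permits(acl, pkt):
    """IOS first-match evaluation with the implicit deny at the end of the list."""
    for action, proto, src, dst in acl:
        if proto in ("ip", pkt.proto) and src(pkt.src) and dst(pkt.dst):
            return action == "permit"
    return False


def nat_out(acls, statics, pkt):
    """Inside->outside: static entry first, otherwise route-map nonat PAT to FE0/1."""
    for proto, loc, lport, glob, gport in statics:
        if (pkt.proto, pkt.src, pkt.sport) == (proto, loc, lport):
            return replace(pkt, src=glob, sport=gport)
    if permits(acls["103"], pkt):
        return replace(pkt, src=FE01_IP, sport=50000)  # PAT allocates its own port
    return pkt


def nat_in(statics, pkt):
    """Outside->inside: undo the static translation on the destination."""
    for proto, loc, lport, glob, gport in statics:
        if (pkt.proto, pkt.dst, pkt.dport) == (proto, glob, gport):
            return replace(pkt, dst=loc, dport=lport)
    return pkt


def trace_inbound(acls, statics, pkt):
    """Decrypted packet arriving on FE0/1: identity check, access-group 101 in, NAT."""
    mirror = Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
    if not permits(acls["100"], mirror):  # must match the crypto ACL in reverse
        return {"dropped_at": "crypto identity check"}
    if not permits(acls["101"], pkt):
        return {"dropped_at": "access-group 101 in"}
    inside = nat_in(statics, pkt)
    return {"delivered_to": inside.dst, "port": inside.dport}


def trace_outbound(acls, statics, pkt):
    """Reply leaving via FE0/1: NAT inside->outside, access-group 102 out, crypto ACL 100."""
    outside = nat_out(acls, statics, pkt)
    if not permits(acls["102"], outside):
        return {"dropped_at": "access-group 102 out", "src": outside.src}
    return {"src_after_nat": outside.src, "encrypted": permits(acls["100"], outside)}


if __name__ == "__main__":
    acls, statics = parse_config(CONFIG)
    print(trace_inbound(acls, statics, Packet("tcp", "3.3.3.172", "1.1.1.141", 40000, 1234)))
    print(trace_outbound(acls, statics, Packet("tcp", "192.168.1.1", "3.3.3.172", 1234, 40000)))
    print(trace_outbound(acls, statics, Packet("tcp", "192.168.1.1", "3.3.3.172", 5555, 40000)))
```

Run as-is, the model shows the vendor's SYN to 1.1.1.141:1234 reaching 192.168.1.1:1234, and a reply sourced from port 1234 being translated to 1.1.1.141 and matching crypto ACL 100. It also shows the general pitfall this kind of config has: any packet from 192.168.1.1 that does not hit the port-specific static entry falls through to the route-map PAT rule, leaves with source 1.1.1.189, no longer matches "host 1.1.1.141" in ACL 100, and is forwarded unencrypted. On the router itself the same walk is done with "show ip nat translations", "show crypto ipsec sa" (the encaps/decaps counters) and "show access-lists" (the per-entry match counts).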
