Conditional Nat block user navigation

Hi, I have a problem with conditional NAT:

- I have an ISR 857 with a site-to-site VPN to another office

- I have a static NAT rule on port 5632 to allow remote connection

- Using the "simple" static NAT, port 5632 was unavailable when connecting through the VPN

- When I use conditional NAT (route-map), NAT works on the VPN and the outside interface, but users can't access the internet. Can someone help me? Best regards

What's wrong in my configuration? I want to allow:

- outside connection to port 5632

- connection through the VPN to port 5632

- inside users' dynamic NAT to the internet

Here's the relevant part of my configuration:

####################################
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key SuperPassword address XX.XX.XX.XX
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to XX.XX.XX.XX
 set peer XX.XX.XX.XX
 set transform-set ESP-3DES-SHA
 match address 101
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.3 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 ip address YY.YY.YY.YY 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 pvc 8/35
  encapsulation aal5snap
 !
 crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.11.99 255.255.255.0
 ip access-group 111 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.3
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.11.2 1723 interface ATM0.3 1723
ip nat inside source static tcp 192.168.11.2 3389 interface ATM0.3 13389
ip nat inside source static tcp 192.168.11.1 22 interface ATM0.3 10022
ip nat inside source route-map SDM_RMAP_1 interface ATM0.3 overload
ip nat inside source static tcp 192.168.11.1 5632 YY.YY.YY.YY 5632 route-map NAT-POL extendable
!
ip access-list extended NAT
 deny   ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.11.0 0.0.0.255 any
!
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 1 remark SDM_ACL Category=16
access-list 23 permit any
access-list 23 remark SDM_ACL Category=17
access-list 100 remark SDM_ACL Category=2
access-list 100 remark IPSec Rule
access-list 100 deny   ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.11.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 deny   udp host 192.168.11.221 eq 46881 any
access-list 111 permit ip any any
no cdp run
route-map NAT-POL permit 10
 match ip address NAT
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
####################################

Best regards
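An added example, not part of the post above: a small Python model of how IOS evaluates the route-map ACLs in this configuration (first-match, Cisco wildcard masks, implicit deny at the end), used to check which inside flows the posted ACLs keep untranslated for the IPsec tunnel and which get overload NAT. The ACL entries are transcribed from the post; the sample destination addresses are constructed, and TCP port matching for the static 5632 entry is not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "network wildcard" or "any"
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard-mask match: a set bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (n & ~w)


def acl_decision(acl: list, src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"


# Entries transcribed from the posted config (ports ignored, see lead-in).
ACL_NAT = [Ace("deny", "192.168.11.0 0.0.0.255", "192.168.0.0 0.0.0.255"),
           Ace("permit", "192.168.11.0 0.0.0.255", "any")]   # route-map NAT-POL
ACL_100 = list(ACL_NAT)                                        # route-map SDM_RMAP_1
ACL_101 = [Ace("permit", "192.168.11.0 0.0.0.255", "192.168.0.0 0.0.0.255")]  # crypto map


def classify_flow(src: str, dst: str) -> dict:
    """How the posted policy treats a packet from an inside host: translated by the
    overload rule (ACL 100), translated by the 5632 static entry (route-map NAT-POL,
    only for 192.168.11.1), and/or selected for the IPsec tunnel (ACL 101)."""
    return {
        "overload_nat": acl_decision(ACL_100, src, dst) == "permit",
        "static_5632_nat": src == "192.168.11.1" and acl_decision(ACL_NAT, src, dst) == "permit",
        "ipsec_tunnel": acl_decision(ACL_101, src, dst) == "permit",
    }


if __name__ == "__main__":
    # Constructed sample destinations: a remote-office host and an Internet host.
    for dst in ("192.168.0.25", "203.0.113.7"):
        print("192.168.11.1 ->", dst, classify_flow("192.168.11.1", dst))
```

The deny entries in ACL NAT and ACL 100 are what exempt the 192.168.11.0/24 to 192.168.0.0/24 flows from translation, so the crypto map's ACL 101 sees the real inside addresses; a flow from any source outside 192.168.11.0/24 hits the implicit deny and is never translated.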
