IPSEC VPN with static NAT

danrbrady
Level 1

So, I am trying to figure out how to make this VPN work with static nat. I read the instructions here:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

But when I try to do the same, I have issues. The VPN I have set up works just fine, but because I have another computer with port 22 NATed from the outside interface, the VPN users cannot reach that computer through that port. The instructions provide this line:

ip nat inside source static 10.1.1.3 200.1.1.25 route-map nonat

and the line I have is this:

ip nat inside source static tcp 192.168.1.5 22 interface Cable-Modem0/0/0 22

The problem I have is that since I have the interface Cable-Modem0/0/0, I cannot add the route-map <name> option. I cannot change the interface portion due to the fact that it is assigned a dynamic ip. Could someone point me in the right direction to figuring this out?

Thanks

-Dan

2 Replies

danrbrady
Level 1

Never mind. I seem to have fixed it. Here is what I did:

I used the trick that is used to forward a range of ports into the network. First, I started out by creating a NAT pool:

ip nat pool 192.168.1.x 192.168.1.x netmask 255.255.255.0 type rotary

Where "x" is the same number and equal to the inside computer you wish to forward ports to. I then created an extended access-list:

ip access-list extended

deny   ip 192.168.0.0 0.0.0.255 any

permit tcp any any eq 22

permit tcp any any eq www

Where the 192.168.0.0 is the subnet of the VPN and the following permits are the ports you wish to forward. Next, the command that ties these together:

ip nat inside destination list pool

Then I just removed these commands:

ip nat inside source static tcp 192.168.1.x 22 interface Cable-Modem0/0/0 22

ip nat inside source static tcp 192.168.1.x 80 interface Cable-Modem0/0/0 80

Now the ports can be accessed from both outside the network as well as from the VPN.

I hope this helps someone!

Thanks,

Dan

Dan,

thanks for the follow-up. I'm just not sure I understand how you can still access port 22 from outside the vpn tunnel.

If I understand correctly, you no longer specify that Cable-Modem0/0/0 port 22 needs to be translated to 192.168.1.x port 22?

Herbert
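The rotary-pool approach from Dan's reply written out as one complete IOS fragment, added here as an example rather than copied from the thread. The ACL name PORTFWD-ACL, the pool name PORTFWD-POOL and the inside interface Vlan1 are assumed placeholders; 192.168.1.5 is the inside host from the original question and 192.168.0.0/24 the VPN client subnet named in the reply.

```cisco
! Added example, not the poster's own configuration. PORTFWD-ACL,
! PORTFWD-POOL and Vlan1 are assumed names; adjust to the real ones.
!
! NAT only works with both interface roles set (assumed already present).
interface Cable-Modem0/0/0
 ip nat outside
!
interface Vlan1
 ip nat inside
!
! A one-address rotary pool holding just the inside host. "type rotary"
! is what allows "ip nat inside destination" to hand inbound sessions
! to the pool member.
ip nat pool PORTFWD-POOL 192.168.1.5 192.168.1.5 netmask 255.255.255.0 type rotary
!
! Order matters: the deny for the VPN subnet must come before the permits
! so traffic from VPN clients is excluded from the destination translation
! and reaches 192.168.1.5 directly. In a NAT ACL, "deny" means "do not
! translate", and a packet matching no line is simply left untranslated.
! Only the ports listed in the permit lines are ever rewritten.
ip access-list extended PORTFWD-ACL
 deny   ip 192.168.0.0 0.0.0.255 any
 permit tcp any any eq 22
 permit tcp any any eq www
!
! Tie the ACL to the pool: inbound TCP/22 and TCP/80 arriving on the
! outside interface have their destination rewritten to 192.168.1.5,
! which is what keeps outside access working without a static entry.
ip nat inside destination list PORTFWD-ACL pool PORTFWD-POOL
!
! The per-port static entries that collided with the VPN must go, so the
! two mechanisms do not overlap for the same ports.
no ip nat inside source static tcp 192.168.1.5 22 interface Cable-Modem0/0/0 22
no ip nat inside source static tcp 192.168.1.5 80 interface Cable-Modem0/0/0 80
```

After applying it, "show ip nat translations" should show inbound sessions from the Internet mapped to 192.168.1.5 while sessions from 192.168.0.0/24 appear with no translation at all.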