Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

IPSEC VPN with static NAT

So, I am trying to figure out how to make this VPN work with static nat. I read the instructions here:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

But when I try to do the same, I have issues. The VPN I have setup works just fine, but because I have another computer with port 22 NATed from the outside interface, The VPN users cannot reach that computer through that port. The instructions provide this line:

ip nat inside source static 10.1.1.3 200.1.1.25 route-map nonat

and the line I have is this:

ip nat inside source static tcp 192.168.1.5 22 interface Cable-Modem0/0/0 22

The problem I have is that since I have the interface Cable-Modem0/0/0, I cannot add the route-map <name> option. I cannot change the interface portion due to the fact that it is assigned a dynamic ip. Could someone point me in the right direction to figuring this out?

Thanks

-Dan

Everyone's tags (6)
2 REPLIES
Community Member

Re: IPSEC VPN with static NAT

Nevermind. I seem to have fixed it. Here is what I did:

I used the trick that is used to forward a range of ports into the network. First, I started out by creating a NAT pool:

ip nat pool 192.168.1.x 192.168.1.x netmask 255.255.255.0 type rotary

Were "x" is the same number and equal to the inside computer you wish to forward ports to. I then created an extended access-list:

ip access-list extended

deny   ip 192.168.0.0 0.0.0.255 any

permit tcp any any eq 22

permit tcp any any eq www

Where the 192.168.0.0 is the subnet of the VPN and the following permits are the ports you wish to forward. Next, the command that ties these together:

ip nat inside destination list pool

Then I just removed these commands:

ip nat inside source static tcp 192.168.1.x 22 interface Cable-Modem0/0/0 22

ip nat inside source static tcp 192.168.1.x 80 interface Cable-Modem0/0/0 80

Now the ports can be accessed from both outside the network as well as from the VPN.

I hope this helps someone!

Thanks,

Dan

Cisco Employee

Re: IPSEC VPN with static NAT

Dan,

thanks for the follow-up. I'm just not sure I understand how you can still access port 22 from outside the vpn tunnel.

If I understand correctly, you no longer specify that Cable-Modem0/0/0 port 22 needs to be translated to 192.168.1.x port 22 ?

Herbert

3611
Views
5
Helpful
2
Replies
CreatePlease to create content