Natted port not accessible over VPN

I have NATed port 80 of 192.168.10.145 to one of my public IPs, 50.200.x.x, which is working fine. I also set up a VPN between two routers (R1 192.168.10.1 and R2 192.168.24.1), which is also working fine, but when I access port 80 of 192.168.10.145 from 192.168.24.x I cannot reach it. I can, however, access it through the public IP 50.200.x.x.

I can ping 192.168.10.145 from 192.168.24.10, but I cannot access port 80 on 192.168.10.145 from 192.168.24.10.

Following is my config.

track 10 ip sla 1 reachability
 delay down 1 up 1
!
track 20 ip sla 2 reachability
 delay down 1 up 1
!
crypto isakmp policy 9
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key NetGearCisco address 203.130.x.x no-xauth
crypto isakmp key NetGearCisco address 71.114.x.x no-xauth
crypto isakmp key NetGearCisco address 162.17.x.x no-xauth
!
crypto isakmp client configuration group vpnclient
 key abc
 dns 192.168.10.15
 pool ippool
 acl acl_vpn
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set CISCOSET esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set CISCOSET
!
crypto map vpn client authentication list default
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond
crypto map vpn 1 ipsec-isakmp
 set peer 203.130.x.x
 set transform-set CISCOSET
 match address acl_ncsvpn
crypto map vpn 2 ipsec-isakmp
 set peer 71.114.x.x
 set transform-set CISCOSET
 match address acl_vpnairport20
crypto map vpn 3 ipsec-isakmp
 set peer 162.17.x.x
 set transform-set CISCOSET
 match address acl_vpnairport24
crypto map vpn 10 ipsec-isakmp dynamic dynmap
!
interface GigabitEthernet0/0
 no ip address
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.7
 description Voice-Vlan
 encapsulation dot1Q 7
 ip address 192.168.7.1 255.255.255.0
 ip helper-address 192.168.10.15
 ip helper-address 192.168.10.16
!
interface GigabitEthernet0/0.8
 description IT-Vlan
 encapsulation dot1Q 8
 ip address 192.168.8.1 255.255.255.0
 ip helper-address 192.168.10.15
 ip helper-address 192.168.10.16
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.9
 description Regency-Vlan
 encapsulation dot1Q 9
 ip address 192.168.9.1 255.255.255.0
 ip helper-address 192.168.10.15
 ip helper-address 192.168.10.16
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.10
 description Servers-&-Switches-Vlan
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.10.16
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PBR
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface FastEthernet0/0/1
 description "Comcast Fiber Link 30Mbps"
 ip address 50.200.x.x 255.255.255.240 secondary
 ip address 50.200.x.x 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 crypto map vpn
!
interface FastEthernet0/1/0
 description "Comcast Cable Link 12Mbps"
 ip address 70.88.x.x 255.255.255.248 secondary
 ip address 70.88.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1/1
 no ip address
 duplex auto
 speed auto
!
ip local pool ippool 10.10.10.1 10.10.10.10
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source route-map ISP1 interface FastEthernet0/0/1 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1/0 overload
ip nat inside source static tcp 192.168.10.145 80 50.200.x.x 80 extendable
ip route 0.0.0.0 0.0.0.0 50.200.x.x track 10
ip route 0.0.0.0 0.0.0.0 70.88.x.x track 20
!
ip access-list extended acl_internet
 deny   ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_natisp1
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_natisp2
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_ncsvpn
 permit ip 192.168.0.0 0.0.255.255 192.168.4.0 0.0.0.255
ip access-list extended acl_vpn
 permit ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255
ip access-list extended acl_vpnairport20
 permit ip 192.168.0.0 0.0.255.255 192.168.20.0 0.0.0.255
ip access-list extended acl_vpnairport24
 permit ip 192.168.0.0 0.0.255.255 192.168.24.0 0.0.0.255
!
ip radius source-interface GigabitEthernet0/0
ip sla 1
 icmp-echo 50.200.x.x
 threshold 500
 timeout 500
 frequency 1
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 70.88.x.x
 threshold 500
 timeout 500
 frequency 1
ip sla schedule 2 life forever start-time now
arp 192.168.10.48 03bf.c0a8.0a30 ARPA
!
route-map PBR permit 10
 match ip address acl_natisp1
 set ip next-hop verify-availability 50.200.x.x 1 track 10
!
route-map PBR permit 20
 match ip address acl_natisp2
 set ip next-hop verify-availability 70.88.x.x 2 track 20
!
route-map ISP2 permit 10
 match ip address acl_internet
 match interface FastEthernet0/1/0
!
route-map ISP1 permit 10
 match ip address acl_internet
 match interface FastEthernet0/0/1
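The symptom in the post (ICMP crosses the tunnel, TCP/80 to the statically NATed host does not) is the standard interaction between IOS NAT and IPsec order of operations: on the inside-to-outside path the router translates the packet before it evaluates the crypto map. The two overload rules are gated by route-maps whose ACL, acl_internet, denies 192.168/16 to 192.168/16, so pings and other traffic to 192.168.24.0/24 stay untranslated and match acl_vpnairport24. The static entry `ip nat inside source static tcp 192.168.10.145 80 50.200.x.x 80 extendable` has no such gate: the web server's replies to 192.168.24.10 leave with source 50.200.x.x:80, no longer match the crypto ACL, and are forwarded in the clear toward the Internet, where they go nowhere. The fragment below is an added example for this page, not the poster's configuration and not a reply from the thread. The ACL name acl_nat_static and the route-map name STATIC_NAT are assumed names, and 50.200.x.x stays masked as in the post; the keyword order follows the `ip nat inside source static` command reference.

```cisco
! Added example (not the poster's configuration): gate the static
! port-forward so it never translates traffic that belongs in a tunnel.
! Names acl_nat_static and STATIC_NAT are assumed; 50.200.x.x is masked
! exactly as in the original post.
!
ip access-list extended acl_nat_static
 remark Leave the web server untranslated toward the site-to-site subnets
 deny   ip host 192.168.10.145 192.168.0.0 0.0.255.255
 remark ... and toward the remote-access client pool (ippool)
 deny   ip host 192.168.10.145 10.10.10.0 0.0.0.255
 remark Real Internet clients still see the public address
 permit ip host 192.168.10.145 any
!
route-map STATIC_NAT permit 10
 match ip address acl_nat_static
!
! The unconditional entry from the post, kept here for comparison:
!   ip nat inside source static tcp 192.168.10.145 80 50.200.x.x 80 extendable
! Replace it with the route-map-qualified form. A "deny" in the ACL means
! "do not translate", so tunnel-bound replies keep 192.168.10.145 as source
! and are matched by acl_vpnairport24 when the crypto map is evaluated.
no ip nat inside source static tcp 192.168.10.145 80 50.200.x.x 80 extendable
ip nat inside source static tcp 192.168.10.145 80 50.200.x.x 80 extendable route-map STATIC_NAT
```

To confirm the change took effect, browse to 192.168.10.145 from 192.168.24.10 and then check `show ip nat translations | include 192.168.10.145`, which should show no entry whose outside address is the VPN peer, and `show crypto ipsec sa peer 162.17.x.x`, whose `#pkts encaps` counter should now increase for the server's replies. The same route-map gate protects the Cisco VPN client pool in acl_vpn, which has the same exposure. Separately, the pre-shared keys and the group key are visible in this public post and should be treated as disclosed and rotated, and 3DES/SHA-1/DH group 2 are legacy choices; both are outside the NAT question but worth fixing in the same maintenance window.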