New Member

Static PAT entry blocking Branch site from accessing resource on same port. How to get around this?

Hello, I have a UC560 and UC540 connected using an IPSec Site to Site tunnel.

 

There is a server on the main site they are trying to access (let's say IP is 192.168.1.252) and they need to access this server on ports 13000, 14000, and 15000.

Unfortunately, since there are users from the internet and other places that need to access this server on these ports, these static PAT entries are in the server (let's say 99.99.99.99 is the WAN IP):

ip nat inside source static tcp 192.168.1.252 13000 99.99.99.99 13000 extendable
ip nat inside source static tcp 192.168.1.252 14000 99.99.99.99 14000 extendable
ip nat inside source static tcp 192.168.1.252 15000 99.99.99.99 15000 extendable

 

 

The users in the branch site that is connected via VPN can reach this server on all TCP ports (RDP, http, etc.) so that's not the issue. When I remove these NAT statements, the VPN users can access the resource via that port (i.e. telnet 192.168.1.252 13000) whereas they are shut down and connection fails if the static PAT entries are in there.

I need to have outside users and VPN users be able to access this server whether they are coming in across the VPN going to 192.168.1.252:13000 or coming in from the internet on 99.99.99.99:13000.

Is there a way around this other than forcing the VPN users to access this server via the WAN IP for these ports? And does anyone know the logic behind this? I'm curious. From what I've seen in other cases, this is expected behavior, I'd just like a better understanding of it.

 

Any help on this would be GREATLY appreciated! Thank you

 

1 REPLY
New Member

I hope I explained this properly. If not, please let me know!

 

Thanks
