New Member

TCP STATIC IP port forwarding + VPN

Hello,

This is the 3rd time I have run across this issue and have never been able to get this to work correctly. I am trying to forward a TCP port from the Internet to an internal server on the LAN (in the config below this works OK). However, this port # must also be accessible from the main site (172.16.1.0) via the VPN. The config below allows the port from the Internet but breaks it over the VPN... what am I doing wrong?

interface Loopback0
 description INTERFACE TO BREAK STATIC NAT FOR VPN
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
 description connected to Internet
 ip address x.x.x.x 255.255.255.128
 ip nat outside
 half-duplex
 crypto map vpn1
!
interface FastEthernet0
 description connected to EthernetLAN
 ip address 172.16.8.1 255.255.255.0
 ip nat inside
 ip policy route-map NO_STATIC
 speed auto
!
ip nat inside source static tcp 172.16.8.5 6107 interface Ethernet0 6107
ip nat inside source route-map nonat1 interface Ethernet0 overload
!
access-list 105 permit ip 172.16.8.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 106 remark DENY DYNAMIC NAT FOR VPN AND STATIC
access-list 106 deny ip 172.16.8.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 106 deny tcp host 172.16.8.5 any eq 6107
access-list 106 permit ip 172.16.8.0 0.0.0.255 any
access-list 110 remark BREAK STATIC NAT FOR VPN
access-list 110 permit tcp host 172.16.8.5 172.16.1.0 0.0.0.255 eq 6107
!
route-map NO_STATIC permit 10
 match ip address 110
 set ip next-hop 1.1.1.2
!
route-map nonat1 permit 5
 match ip address 106
!

5 REPLIES
Cisco Employee

Re: TCP STATIC IP port forwarding + VPN

Try changing the following lines:

access-list 106 deny tcp host 172.16.8.5 any eq 6107
access-list 110 permit tcp host 172.16.8.5 172.16.1.0 0.0.0.255 eq 6107

to:

access-list 106 deny tcp host 172.16.8.5 eq 6107 any
access-list 110 permit tcp host 172.16.8.5 eq 6107 172.16.1.0 0.0.0.255

You're trying not to NAT the traffic that is coming FROM host 172.16.8.5, which would have the source port as 6107, not the destination port.

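To make the port-position point in this reply concrete, here is an added worked example (written for this page, not code from the thread or from Cisco): a small Python model of how an IOS extended ACE binds "eq PORT" to the address it follows, run over the thread's own ACL 106 and ACL 110 entries before and after the suggested change. The packets it evaluates are the server's own replies, because that is the direction an "ip nat inside source" rule and a policy route-map on the LAN interface actually see. The packets are constructed: 172.16.1.10 (a client at the main site), 203.0.113.7 (an Internet client) and the client ports are made-up values, and the matcher only understands the ACE forms that appear on this page (no "established", "range", "gt" and so on).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical helper for this example: a minimal model of IOS extended ACL
# matching. It understands only the ACE forms used in this thread:
#   <permit|deny> <ip|tcp> <src> [eq PORT] <dst> [eq PORT]
# where <src>/<dst> is "any", "host A.B.C.D" or "A.B.C.D WILDCARD".


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class AddrSpec:
    base: int      # network or host address as an integer
    wildcard: int  # IOS wildcard mask: 1 bits are "don't care"

    def matches(self, addr: str) -> bool:
        a = int(ipaddress.IPv4Address(addr))
        care = ~self.wildcard & 0xFFFFFFFF
        return (a & care) == (self.base & care)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: AddrSpec
    sport: Optional[int]   # "eq" right after the source spec = source port
    dst: AddrSpec
    dport: Optional[int]   # "eq" right after the destination spec = dest port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not (self.src.matches(pkt.src) and self.dst.matches(pkt.dst)):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def _parse_addr(tok: List[str], i: int) -> Tuple[AddrSpec, int]:
    if tok[i] == "any":
        return AddrSpec(0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return AddrSpec(int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tok[i]))
    wild = int(ipaddress.IPv4Address(tok[i + 1]))
    return AddrSpec(base, wild), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    # An "eq PORT" clause belongs to whichever address spec it follows.
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    tok = line.split()
    if tok[0] == "access-list":      # also accept the full "access-list N ..." form
        tok = tok[2:]
    action, proto = tok[0], tok[1]
    src, i = _parse_addr(tok, 2)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    return Ace(action, proto, src, sport, dst, dport)


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation: (action, 0-based index of the matching ACE).
    No match means the implicit deny at the end of every IOS ACL."""
    for idx, line in enumerate(acl):
        ace = parse_ace(line)
        if ace.matches(pkt):
            return ace.action, idx
    return "deny", None


# ACL 110 and ACL 106 from the thread: as posted, and as corrected in the reply.
ACL110_ORIGINAL = ["permit tcp host 172.16.8.5 172.16.1.0 0.0.0.255 eq 6107"]
ACL110_FIXED = ["permit tcp host 172.16.8.5 eq 6107 172.16.1.0 0.0.0.255"]
ACL106_ORIGINAL = [
    "deny ip 172.16.8.0 0.0.0.255 172.16.1.0 0.0.0.255",
    "deny tcp host 172.16.8.5 any eq 6107",
    "permit ip 172.16.8.0 0.0.0.255 any",
]
ACL106_FIXED = [
    "deny ip 172.16.8.0 0.0.0.255 172.16.1.0 0.0.0.255",
    "deny tcp host 172.16.8.5 eq 6107 any",
    "permit ip 172.16.8.0 0.0.0.255 any",
]

# Constructed packets: the server's replies, i.e. what the LAN-side policy
# route-map and the inside-source NAT rule evaluate. Client addresses and
# ports are made up for the example.
VPN_REPLY = Packet("tcp", "172.16.8.5", 6107, "172.16.1.10", 51234)
INET_REPLY = Packet("tcp", "172.16.8.5", 6107, "203.0.113.7", 40000)

if __name__ == "__main__":
    for name, acl, pkt in [("ACL110 original", ACL110_ORIGINAL, VPN_REPLY),
                           ("ACL110 fixed", ACL110_FIXED, VPN_REPLY),
                           ("ACL106 original", ACL106_ORIGINAL, INET_REPLY),
                           ("ACL106 fixed", ACL106_FIXED, INET_REPLY)]:
        print(f"{name:16} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} => {evaluate(acl, pkt)}")
```

Running it shows the asymmetry the reply describes: the original ACL 110 entry never matches the server's reply toward the VPN subnet (its destination port is the client's ephemeral port, not 6107), so route-map NO_STATIC never fires, while the corrected entry matches on the source port. Likewise the original second line of ACL 106 lets the server's reply to an Internet client fall through to the "permit ip ... any" line, whereas the corrected line catches it; the VPN-bound reply is caught by the first line of ACL 106 in both versions.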
New Member

Re: TCP STATIC IP port forwarding + VPN

Thanks for pointing that out! Yes, that would make sense... I'll give it a try.
