We have a Cisco 1921 router running IOS 15.1 at one of our branches, which is connected via an L2L IPsec VPN to an ASA5510 running ASA 8.2 at our headquarters.
The network looks something like this:
192.168.14.0/24 - RT - Internet - ASA - 192.168.10.0/24
|----L2L VPN----|
RT has NAT configured to let the local users there access the internet. The configuration looks like this:
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key SECRETKEY address HQ_ASA_IP
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map outside_map 10 ipsec-isakmp
set peer HQ_ASA_IP
set transform-set ESP-AES-SHA
match address 120
!
interface GigabitEthernet0/0
ip address 192.168.14.252 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface Dialer0
mtu 1492
ip address negotiated
ip access-group 101 in
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname SECRETUSERNAME
ppp chap password 0 SECRETPASSWORD
ppp pap sent-username SECRETUSERNAME password 0 SECRETPASSWORD
crypto map outside_map
!
ip nat inside source route-map nonat interface Dialer0 overload
route-map nonat permit 10
match ip address 110
!
access-list 110 deny ip 192.168.8.0 0.0.7.255 192.168.8.0 0.0.7.255
access-list 110 permit ip 192.168.14.0 0.0.0.255 any
access-list 120 permit ip 192.168.14.0 0.0.0.255 192.168.8.0 0.0.7.255
access-list 120 permit ip 192.168.8.0 0.0.7.255 192.168.14.0 0.0.0.255
Now we have a service which needs to be accessed from the internet on one of the hosts within the 192.168.14.0/24 network and have configured a port forwarding using the following command:
ip nat inside source static tcp 192.168.14.7 8181 EXT_IP 31337 extendable
The forwarding works and the service can be accessed via EXT_IP:1337, but we can no longer access 192.168.14.7:8181 via the VPN from the 192.168.10.0/24 network, although this worked just fine before the forwarding was in place.
Any hint on what I'm missing or why this behaves in such a way would be very much appreciated.
Answer
Here's a good writeup of the problem you are facing:
https://supportforums.cisco.com/docs/DOC-5061
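The mechanism behind the breakage, as an added simulation that is not part of the question or the answer: on IOS the inside-to-outside NAT lookup runs before the crypto map is consulted, and a static translation is matched before the route-map dynamic rule. The unconditional static entry therefore rewrites the reply traffic from 192.168.14.7:8181 to EXT_IP:31337 even when it is destined for HQ, and the rewritten packet no longer matches crypto ACL 120, so it leaves in the clear towards the Internet instead of entering the tunnel. The ACLs and addresses below are the ones from the question; EXT_IP, the HQ client address and the Internet client address are constructed placeholders. The `guard_acl` field models a static entry that is made conditional on the same `nonat` policy (the approach the linked Cisco document describes); it is an assumption of this simulation, not a statement of the exact IOS syntax for this platform.

```python
"""Simulation of Cisco IOS inside-to-outside order of operations:
NAT inside source (static entries first, then the route-map dynamic
rule), followed by the crypto map match. Addresses and ACLs are taken
from the question; EXT_IP and client addresses are placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXT_IP = "203.0.113.10"  # placeholder for the router's public (Dialer0) address


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StaticNat:
    local_ip: str
    local_port: int
    global_ip: str
    global_port: int
    guard_acl: Optional[list] = None  # None = unconditional, as on the page


def _wild(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert 'addr wildcard' (Cisco wildcard mask) into an IPv4Network."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def _addr(parts: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if parts[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return _wild(parts[i], parts[i + 1]), i + 2


def parse_acl(lines: List[str]) -> list:
    """Parse 'access-list N permit|deny ip SRC WC DST WC' lines into rules."""
    rules = []
    for line in lines:
        p = line.split()
        action = p[2]
        src, i = _addr(p, 4)
        dst, _ = _addr(p, i)
        rules.append((action, src, dst))
    return rules


def acl_permits(rules: list, pkt: Packet) -> bool:
    """First matching rule wins; an ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for action, src, dst in rules:
        if s in src and d in dst:
            return action == "permit"
    return False


def nat_inside_to_outside(pkt: Packet, statics: List[StaticNat], dynamic_acl: list):
    """Static translations are consulted before the route-map dynamic rule."""
    for s in statics:
        if pkt.src == s.local_ip and pkt.sport == s.local_port:
            if s.guard_acl is None or acl_permits(s.guard_acl, pkt):
                return Packet(s.global_ip, s.global_port, pkt.dst, pkt.dport), "static"
    if acl_permits(dynamic_acl, pkt):
        # PAT overload: source port kept when free (simplification)
        return Packet(EXT_IP, pkt.sport, pkt.dst, pkt.dport), "dynamic"
    return pkt, "none"


def egress(pkt: Packet, statics: List[StaticNat], dynamic_acl: list, crypto_acl: list):
    """Return (translation kind, path); NAT happens before the crypto match."""
    out, kind = nat_inside_to_outside(pkt, statics, dynamic_acl)
    path = "ipsec" if acl_permits(crypto_acl, out) else "cleartext-internet"
    return kind, path


ACL110 = parse_acl([  # route-map nonat: exclude VPN traffic from PAT
    "access-list 110 deny ip 192.168.8.0 0.0.7.255 192.168.8.0 0.0.7.255",
    "access-list 110 permit ip 192.168.14.0 0.0.0.255 any",
])
ACL120 = parse_acl([  # crypto map match address
    "access-list 120 permit ip 192.168.14.0 0.0.0.255 192.168.8.0 0.0.7.255",
    "access-list 120 permit ip 192.168.8.0 0.0.7.255 192.168.14.0 0.0.0.255",
])

# Constructed flows: the server's reply to an HQ client, and to an Internet client.
HQ_REPLY = Packet("192.168.14.7", 8181, "192.168.10.20", 51000)
INET_REPLY = Packet("192.168.14.7", 8181, "198.51.100.5", 44444)
FORWARD = StaticNat("192.168.14.7", 8181, EXT_IP, 31337)
GUARDED = StaticNat("192.168.14.7", 8181, EXT_IP, 31337, guard_acl=ACL110)


def before_forwarding():
    return egress(HQ_REPLY, [], ACL110, ACL120)


def after_forwarding():
    return egress(HQ_REPLY, [FORWARD], ACL110, ACL120)


def guarded_forwarding():
    return egress(HQ_REPLY, [GUARDED], ACL110, ACL120), egress(INET_REPLY, [GUARDED], ACL110, ACL120)


if __name__ == "__main__":
    print("before:", before_forwarding())
    print("after :", after_forwarding())
    print("guard :", guarded_forwarding())
```

Running it shows the HQ reply riding the tunnel untranslated before the static entry exists, being rewritten to EXT_IP:31337 and missing the crypto ACL once the entry is added, and, with the static entry guarded by the `nonat` policy, HQ traffic staying in the tunnel while Internet clients still reach the forwarded port.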