Thursday, February 18, 2016

cisco - IOS Port Forwarding and NAT involving a VPN



We have a Cisco 1921 router running IOS 15.1 at one of our branches which is connected via a L2L IPsec VPN to a ASA5510 running ASA 8.2 at our headquarters.




The network looks something like this:




192.168.14.0/24 - RT - Internet - ASA - 192.168.10.0/24
                   |----L2L VPN----|


RT has NAT configured to let the local users there access the internet. The configuration looks like this:



crypto isakmp policy 10

 encr aes
 authentication pre-share
 group 2
crypto isakmp key SECRETKEY address HQ_ASA_IP
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map outside_map 10 ipsec-isakmp
 set peer HQ_ASA_IP

 set transform-set ESP-AES-SHA
 match address 120
!


interface GigabitEthernet0/0
 ip address 192.168.14.252 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto

 speed auto
 no mop enabled
!

interface Dialer0
 mtu 1492
 ip address negotiated
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly in

 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname SECRETUSERNAME
 ppp chap password 0 SECRETPASSWORD
 ppp pap sent-username SECRETUSERNAME password 0 SECRETPASSWORD
 crypto map outside_map
!


ip nat inside source route-map nonat interface Dialer0 overload

route-map nonat permit 10
 match ip address 110
!

access-list 110 deny   ip 192.168.8.0 0.0.7.255 192.168.8.0 0.0.7.255
access-list 110 permit ip 192.168.14.0 0.0.0.255 any
access-list 120 permit ip 192.168.14.0 0.0.0.255 192.168.8.0 0.0.7.255

access-list 120 permit ip 192.168.8.0 0.0.7.255 192.168.14.0 0.0.0.255


Now we have a service which needs to be accessed from the internet on one of the hosts within the 192.168.14.0/24 network and have configured a port forwarding using the following command:



ip nat inside source static tcp 192.168.14.7 8181 EXT_IP 31337 extendable


The forwarding works and the service can be accessed via EXT_IP:1337 but we can no longer access 192.168.14.7:8181 via VPN from the 192.168.10.0/24 network while this worked just fine before the forwarding was in place.



Any hint on what I'm missing or why this behaves in such a way would be very much appreciated.


Answer




Here's a good writeup of the problem you are facing:



https://supportforums.cisco.com/docs/DOC-5061


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...