Thursday, February 18, 2016

cisco - IOS Port Forwarding and NAT involving a VPN



We have a Cisco 1921 router running IOS 15.1 at one of our branches, which is connected via an L2L IPsec VPN to an ASA5510 running ASA 8.2 at our headquarters.




The network looks something like this:




192.168.14.0/24 - RT - Internet - ASA - 192.168.10.0/24
|----L2L VPN----|


RT has NAT configured to let the local users there access the internet. The configuration looks like this:



crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key SECRETKEY address HQ_ASA_IP
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map outside_map 10 ipsec-isakmp
 set peer HQ_ASA_IP
 set transform-set ESP-AES-SHA
 match address 120
!
interface GigabitEthernet0/0
 ip address 192.168.14.252 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface Dialer0
 mtu 1492
 ip address negotiated
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname SECRETUSERNAME
 ppp chap password 0 SECRETPASSWORD
 ppp pap sent-username SECRETUSERNAME password 0 SECRETPASSWORD
 crypto map outside_map
!
ip nat inside source route-map nonat interface Dialer0 overload
!
route-map nonat permit 10
 match ip address 110
!
access-list 110 deny   ip 192.168.8.0 0.0.7.255 192.168.8.0 0.0.7.255
access-list 110 permit ip 192.168.14.0 0.0.0.255 any
access-list 120 permit ip 192.168.14.0 0.0.0.255 192.168.8.0 0.0.7.255
access-list 120 permit ip 192.168.8.0 0.0.7.255 192.168.14.0 0.0.0.255


Now we have a service which needs to be accessed from the internet on one of the hosts within the 192.168.14.0/24 network, and we have configured port forwarding using the following command:



ip nat inside source static tcp 192.168.14.7 8181 EXT_IP 31337 extendable


The forwarding works and the service can be accessed via EXT_IP:1337, but we can no longer access 192.168.14.7:8181 via the VPN from the 192.168.10.0/24 network, while this worked just fine before the forwarding was in place.



Any hint on what I'm missing or why this behaves in such a way would be very much appreciated.


Answer




Here's a good writeup of the problem you are facing:



https://supportforums.cisco.com/docs/DOC-5061
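The mechanism behind the linked write-up, applied to the configuration in the question, as an added example that is neither the poster's own fix nor text from the Cisco document: on IOS, inside-to-outside packets are translated before the crypto map is evaluated, and a static entry with no route-map matches every packet from 192.168.14.7:8181 regardless of destination. The reply that 192.168.14.7 sends to a VPN client therefore leaves as EXT_IP:31337, no longer matches crypto ACL 120, and is never encrypted. The fix below binds the static entry to the existing nonat route-map so the translation is skipped for 192.168.8.0/21 destinations. It assumes the names from the question (route-map nonat, ACL 110 and 120, Dialer0, the EXT_IP placeholder); the keyword order on the static entry follows the IOS 15.x command reference, but confirm it with "?" on the router before pasting.

```cisco
! Added example, not part of the original post or the linked document.
! Assumes route-map nonat, ACL 110/120 and EXT_IP exactly as in the question.
!
! --- Why it broke ---
! Inside-to-outside order on IOS: NAT first, then the crypto map.
! Without a route-map the static entry translates ANY packet sourced from
! 192.168.14.7:8181, so the SYN-ACK to a VPN client 192.168.10.x becomes
! EXT_IP:31337 -> 192.168.10.x, fails to match crypto ACL 120 and is sent
! out Dialer0 in the clear. The client never sees a reply.
!
! Original entry (breaks VPN access to 192.168.14.7:8181):
no ip nat inside source static tcp 192.168.14.7 8181 EXT_IP 31337 extendable
!
! Fixed entry: the translation is applied only when route-map nonat permits
! the packet. ACL 110 denies 192.168.8.0/21 <-> 192.168.8.0/21, so traffic
! for the HQ LAN is left untranslated and still matches ACL 120 for encryption.
ip nat inside source static tcp 192.168.14.7 8181 EXT_IP 31337 route-map nonat extendable
!
! Reused unchanged from the question (shown here for reference only):
! route-map nonat permit 10
!  match ip address 110
! access-list 110 deny   ip 192.168.8.0 0.0.7.255 192.168.8.0 0.0.7.255
! access-list 110 permit ip 192.168.14.0 0.0.0.255 any
!
! --- Verify ---
! 1. Drop translations created by the old entry (this also resets the
!    active Internet sessions to EXT_IP:31337), then retest from 192.168.10.x:
clear ip nat translation *
! 2. During the VPN test no 192.168.14.7:8181 -> 192.168.10.x entry may
!    appear; during a test from an Internet client against EXT_IP:31337
!    the static translation must still be used:
show ip nat translations
! 3. Encrypt/decrypt counters for the 192.168.14.0/24 <-> 192.168.8.0/21 SA
!    should increase while the VPN client connects:
show crypto ipsec sa peer HQ_ASA_IP
! 4. If a flow still goes the wrong way, watch NAT decisions per packet
!    (turn it off again with "undebug all"):
debug ip nat
```

Step 2 matters because the route-map only restricts when the static translation is applied; it must still be applied for connections arriving from the internet on EXT_IP:31337, and that is what the second show command confirms.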

