Cisco – IOS Port Forwarding and NAT involving a VPN

Tags: cisco, cisco-asa, ios, nat, vpn

We have a Cisco 1921 router running IOS 15.1 at one of our branches which is connected via a L2L IPsec VPN to a ASA5510 running ASA 8.2 at our headquarters.

The network looks something like this:

192.168.14.0/24 - RT - Internet - ASA - 192.168.10.0/24
                   |----L2L VPN----|

RT has NAT configured to let the local users there access the internet. The configuration looks like this:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key SECRETKEY address HQ_ASA_IP
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map outside_map 10 ipsec-isakmp
 set peer HQ_ASA_IP
 set transform-set ESP-AES-SHA
 match address 120
!

interface GigabitEthernet0/0
 ip address 192.168.14.252 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!

interface Dialer0
 mtu 1492
 ip address negotiated
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname SECRETUSERNAME
 ppp chap password 0 SECRETPASSWORD
 ppp pap sent-username SECRETUSERNAME password 0 SECRETPASSWORD
 crypto map outside_map
!

ip nat inside source route-map nonat interface Dialer0 overload

route-map nonat permit 10
 match ip address 110
!

access-list 110 deny   ip 192.168.8.0 0.0.7.255 192.168.8.0 0.0.7.255
access-list 110 permit ip 192.168.14.0 0.0.0.255 any
access-list 120 permit ip 192.168.14.0 0.0.0.255 192.168.8.0 0.0.7.255
access-list 120 permit ip 192.168.8.0 0.0.7.255 192.168.14.0 0.0.0.255

Now we have a service which needs to be accessed from the internet on one of the hosts within the 192.168.14.0/24 network and have configured a port forwarding using the following command:

ip nat inside source static tcp 192.168.14.7 8181 EXT_IP 31337 extendable

The forwarding works and the service can be accessed via EXT_IP:1337 but we can no longer access 192.168.14.7:8181 via VPN from the 192.168.10.0/24 network while this worked just fine before the forwarding was in place.

Any hint on what I'm missing or why this behaves in such a way would be very much appreciated.
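To make the failure mode concrete, here is a small Python model of the branch router's inside-to-outside path. It is an added example, not configuration or code from the question, the answer or Cisco. It assumes the IOS order of operations in which inside-to-outside NAT runs before the crypto-map match, and that a static translation is tried before the dynamic `nonat` route-map. `EXT_IP` and the HQ host address are constructed placeholders, and the `exclude` predicate on the static entry is a hypothetical stand-in for restricting the static translation to non-VPN destinations; only the reply direction (192.168.14.7:8181 back towards the client) is modelled, because that is the leg the static entry changes.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Callable, Optional

# Constructed stand-ins for the values the question redacts (documentation ranges).
EXT_IP = "203.0.113.10"                                  # placeholder for EXT_IP
VPN_PEER_NET = ipaddress.ip_network("192.168.8.0/21")    # 192.168.8.0 0.0.7.255
BRANCH_NET = ipaddress.ip_network("192.168.14.0/24")     # 192.168.14.0 0.0.0.255


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def in_net(addr: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(addr) in net


def acl_110_permits(pkt: Packet) -> bool:
    """access-list 110 (route-map nonat): deny site-to-site traffic, PAT the rest."""
    if in_net(pkt.src, VPN_PEER_NET) and in_net(pkt.dst, VPN_PEER_NET):
        return False
    return in_net(pkt.src, BRANCH_NET)


def acl_120_matches(pkt: Packet) -> bool:
    """access-list 120 (crypto ACL): branch /24 <-> HQ /21 is 'interesting' traffic."""
    return (in_net(pkt.src, BRANCH_NET) and in_net(pkt.dst, VPN_PEER_NET)) or \
           (in_net(pkt.src, VPN_PEER_NET) and in_net(pkt.dst, BRANCH_NET))


@dataclass(frozen=True)
class StaticPortMap:
    """One 'ip nat inside source static tcp ...' entry."""
    local_ip: str
    local_port: int
    global_ip: str
    global_port: int
    # Hypothetical: a predicate that exempts some packets from this static entry.
    exclude: Optional[Callable[[Packet], bool]] = None


def nat_inside_to_outside(pkt: Packet, static_maps, dynamic_permits):
    """Translate one inside->outside packet; static entries win over the dynamic rule."""
    for m in static_maps:
        if pkt.proto == "tcp" and pkt.src == m.local_ip and pkt.sport == m.local_port:
            if m.exclude is not None and m.exclude(pkt):
                continue
            return replace(pkt, src=m.global_ip, sport=m.global_port), "static"
    if dynamic_permits(pkt):
        return replace(pkt, src=EXT_IP, sport=50000), "pat"   # overload PAT, any high port
    return pkt, "none"


def egress(pkt: Packet, static_maps) -> dict:
    """NAT first, then the crypto map decides whether the (translated) packet is encrypted."""
    translated, how = nat_inside_to_outside(pkt, static_maps, acl_110_permits)
    return {"nat": how,
            "src": f"{translated.src}:{translated.sport}",
            "encrypted": acl_120_matches(translated)}


# Constructed traffic: the service host answering an HQ client and an Internet client.
REPLY_TO_HQ = Packet("192.168.14.7", 8181, "192.168.10.5", 40000)
REPLY_TO_INET = Packet("192.168.14.7", 8181, "198.51.100.20", 5555)

# The port forward exactly as in the question: it matches every destination.
FORWARD = StaticPortMap("192.168.14.7", 8181, EXT_IP, 31337)
# Hypothetical variant that leaves VPN-bound replies untranslated.
FORWARD_EXCLUDING_VPN = StaticPortMap(
    "192.168.14.7", 8181, EXT_IP, 31337,
    exclude=lambda p: in_net(p.dst, VPN_PEER_NET))


def demo() -> dict:
    return {
        "before_forward": egress(REPLY_TO_HQ, []),
        "with_forward": egress(REPLY_TO_HQ, [FORWARD]),
        "forward_excluding_vpn": egress(REPLY_TO_HQ, [FORWARD_EXCLUDING_VPN]),
        "internet_client": egress(REPLY_TO_INET, [FORWARD]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result}")
```

Running it shows the sequence the question describes: before the port forward the reply to 192.168.10.5 is left untranslated by the `nonat` route-map and matches ACL 120, so it is encrypted; once the static entry exists it rewrites the source to EXT_IP:31337 for every destination, the rewritten packet no longer matches ACL 120, and it leaves the Dialer interface outside the tunnel. Exempting VPN destinations from the static translation restores the original behaviour while the Internet client is still served via EXT_IP:31337.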

Best Answer

Here's a good writeup of the problem you are facing:

https://supportforums.cisco.com/docs/DOC-5061