• Status: Solved

Cisco router 87x - Combining NAT & VPNs

Hi,

We have Cisco 87x routers and 2 sites, let's call them siteA and siteB.  There is a Cisco VPN tunnel between siteA and siteB set up using the SDM Wizard.

The problem we have is if we create any incoming NAT rules like the following -
At SiteA incoming NAT rule for SMTP to 192.168.0.1
Then from SiteB no-one can connect to SMTP at 192.168.0.1

This is the same for any NAT rule I create coming into SiteA: it then becomes unavailable for SiteB users.  Why is this?  What can I do about it?

Thank you


Asked by: nmxsupport
1 Solution
 
JFrederick29 commented:
You can exclude the servers from NAT when talking to the SiteB subnet.

For example:

conf t
ip access-list extended static-no-nat
 deny ip any 192.168.x.0 0.0.0.255
 permit ip any any
! 192.168.x.0/24 is the SiteB subnet
!
route-map static-no-nat permit 10
 match ip address static-no-nat
!
no ip nat inside source static tcp 192.168.0.1 25 x.x.x.x 25
ip nat inside source static tcp 192.168.0.1 25 x.x.x.x 25 route-map static-no-nat
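Why the unconditional static entry breaks SiteB access, and why the route-map version fixes it, as an added Python model that is not part of this thread or of any Cisco code: on IOS, inside-to-outside NAT runs before the crypto-map check, so the SMTP server's replies to SiteB hosts are rewritten to the public address first, no longer match the tunnel's crypto ACL, and leave the router unencrypted. With the route-map attached, the entry only translates packets its ACL permits, so replies to the SiteB subnet stay untranslated and are encrypted into the tunnel, while replies to internet clients are still translated. The addresses are constructed placeholders (203.0.113.10 stands in for x.x.x.x, 192.168.1.0/24 for the SiteB subnet, 198.51.100.7 for an internet client); the model assumes the static entry names a fixed public address, which is the form the route-map keyword accepts.

```python
"""Added model (not the thread's own config) of a route-map-conditioned static NAT entry.
IOS order of operations: for inside-to-outside traffic, NAT runs before the crypto-map
check, so the crypto ACL sees the translated source address."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # "any" or "address wildcard-mask", e.g. "192.168.1.0 0.0.0.255"
    dst: str


def match_addr(spec: str, addr: IPv4Address) -> bool:
    """IOS wildcard-mask match: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(addr) & care) == (int(IPv4Address(base)) & care)


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry wins; IOS appends an implicit 'deny ip any any'."""
    for entry in acl:
        if match_addr(entry.src, pkt.src) and match_addr(entry.dst, pkt.dst):
            return entry.action == "permit"
    return False


@dataclass(frozen=True)
class StaticNat:
    """'ip nat inside source static tcp <local> <port> <global> <port> [route-map ...]'."""
    inside_local: IPv4Address
    port: int
    inside_global: IPv4Address
    route_map_acl: Optional[List[AclEntry]] = None  # None: unconditional entry


def nat_inside_to_outside(entry: StaticNat, pkt: Packet) -> Packet:
    """Translate a packet leaving the inside interface. With a route-map attached,
    the translation applies only to packets the route-map's ACL permits."""
    if pkt.src != entry.inside_local or pkt.sport != entry.port:
        return pkt
    if entry.route_map_acl is not None and not acl_permits(entry.route_map_acl, pkt):
        return pkt
    return replace(pkt, src=entry.inside_global)


# Constructed addresses: the SMTP server is from the question, the rest are placeholders.
SMTP_SERVER = IPv4Address("192.168.0.1")
PUBLIC_IP = IPv4Address("203.0.113.10")      # stands in for x.x.x.x in the answer
SITE_B_WILDCARD = "192.168.1.0 0.0.0.255"    # stands in for 192.168.x.0 0.0.0.255

# Crypto ACL of the SDM-built tunnel: SiteA LAN to SiteB LAN is the "interesting" traffic.
VPN_INTERESTING = [AclEntry("permit", "192.168.0.0 0.0.0.255", SITE_B_WILDCARD)]

# The answer's ACL: exclude SiteB destinations from NAT, translate everything else.
STATIC_NO_NAT = [AclEntry("deny", "any", SITE_B_WILDCARD),
                 AclEntry("permit", "any", "any")]

UNCONDITIONAL = StaticNat(SMTP_SERVER, 25, PUBLIC_IP)                 # original entry
CONDITIONAL = StaticNat(SMTP_SERVER, 25, PUBLIC_IP, STATIC_NO_NAT)    # with route-map


def reply_path(entry: StaticNat, client: str) -> tuple:
    """Follow an SMTP reply from the server to `client` through NAT and then the crypto
    check; returns (source address on the wire, encrypted into the tunnel?)."""
    pkt = Packet(SMTP_SERVER, 25, IPv4Address(client), 40000)
    on_wire = nat_inside_to_outside(entry, pkt)
    return str(on_wire.src), acl_permits(VPN_INTERESTING, on_wire)


if __name__ == "__main__":
    for label, entry in (("unconditional", UNCONDITIONAL), ("route-map", CONDITIONAL)):
        print(label, "-> SiteB host:", reply_path(entry, "192.168.1.20"))
        print(label, "-> internet client:", reply_path(entry, "198.51.100.7"))
```

Running it shows the unconditional entry sending the reply to the SiteB host with source 203.0.113.10 and no crypto match, while the route-map entry leaves that reply as 192.168.0.1 and it matches the crypto ACL; both entries still translate replies to the internet client. A `show ip nat translations` on the router after the change should likewise show no entry for SiteB-bound flows.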
 
nmxsupport (Author) commented:
Unfortunately it looks like the 800 series routers may not support the "route-map" command.
I tried, but it said "% invalid input" at the "route-map" command.

JFrederick29 commented:
The route-map on the static NAT statement, or just adding the route-map?

nmxsupport (Author) commented:
It was the route-map on the static NAT statement.

JFrederick29 commented:
Yeah, figured, you'll need to upgrade for it to work.  Can you post a "show version"?

nmxsupport (Author) commented:
I found out the route-map command is not valid with my static IP addresses with the following line:
ip nat inside source static tcp 192.168.1.1 25 interface Dialer0 25
but will work with the following:
ip nat inside source static tcp 192.168.1.1 25 81.201.22.11 25

JFrederick29 commented:
Yeah, sorry, should have mentioned.  I assumed you were specifying an IP address.  Does it take care of the issue using that config?

nmxsupport (Author) commented:
I had overlooked this issue. I will have another go, if JFrederick29 is still available to assist?

JFrederick29 commented:
Yep, I am available.  Let me know if that config works.

nmxsupport (Author) commented:
Yes, worked fine, thank you.