I have a Cisco router that we have people VPN into. Everything works great until they try to connect to a port that is statically mapped to the outside. For example, I have a mail host that is accessible to the outside world on port 25. To achieve this I have the following in my config:

ip nat inside source static tcp 192.168.x.x 25 interface myinterface 25

When I am connected to the VPN I can ping the host 192.168.x.x, but I can't connect to port 25. People inside the network can connect to the port, and it is available to the Internet at the interface address. What am I missing? Thanks in advance for the help.

trent
  • When the VPN is up can you hit port 25 on the external interface address? – tomjedrz Nov 18 '09 at 18:26
  • Yes you can access it on the external interface address. I would just like to know how to have the static map ignored for the vpn – trent Nov 18 '09 at 18:52

2 Answers

Never done exactly what you want. But I think it might be that you would just make a static nat entry using a route map. And then in the route map, have match ACL_NUMBER. Then in that ACL, don't permit the VPN traffic.

This Cisco post might help you.

Kyle Brandt
  • Actually, you might be able to do it for a source list as well. ip nat inside source list.... – Kyle Brandt Nov 18 '09 at 19:47
  • I think that will work just testing it now – trent Nov 18 '09 at 20:12
  • The rule that did it for me was ip nat inside source static tcp 192.168.x.x 25 outsideip 25 route-map nonat extendable. I then created route-map nonat deny 10 match ip address 110 and then put in access-list 110 deny ip myvpnaddress 0.0.0.255 192.168.x.x – trent Nov 18 '09 at 21:40
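As an added example, not the poster's or Kyle's configuration, here is the full pattern the answer and comments describe, written the way Cisco documents a NAT route-map: the ACL is evaluated for the inside-to-outside packet (inside host as source, VPN client pool as destination), it denies the VPN destinations and permits everything else, and a permit route-map ties it to the static port mapping. All addresses and interface names below are placeholders I chose (192.0.2.1 for the outside interface address, 192.168.10.25 for the mail host, 10.10.10.0/24 for the VPN client pool); substitute your own.

```cisco
! Added example (not the original poster's config): keep the port 25 static
! mapping for inbound Internet access, but exempt traffic to VPN clients.
! Placeholder addresses: 192.0.2.1 = outside interface, 192.168.10.25 =
! mail host, 10.10.10.0/24 = VPN client pool.

! 1. ACL in the inside-to-outside direction. Deny the VPN pool first so
!    that traffic is NOT translated, then permit everything else so the
!    mapping still applies to the Internet.
access-list 110 deny   ip host 192.168.10.25 10.10.10.0 0.0.0.255
access-list 110 permit ip host 192.168.10.25 any

! 2. A permit route-map referencing the ACL: NAT is applied only when the
!    ACL permits, so packets bound for the VPN pool bypass translation.
route-map NONAT permit 10
 match ip address 110

! 3. The static port mapping, now conditioned on the route-map.
!    'extendable' is required when a route-map is attached to a static entry.
ip nat inside source static tcp 192.168.10.25 25 192.0.2.1 25 route-map NONAT extendable

! 4. NAT roles on the interfaces (names are assumptions).
interface GigabitEthernet0/0
 description Outside (Internet)
 ip nat outside
!
interface GigabitEthernet0/1
 description Inside (LAN)
 ip nat inside
```

After applying it, a VPN client connecting to 192.168.10.25:25 should reach the host untranslated, while an Internet client at 192.0.2.1:25 still gets the mapping. You can confirm which path a flow took with `show ip nat translations` (a VPN-sourced connection should not appear there) and check the route-map hit counters with `show route-map NONAT`. Because the ACL ends with an explicit `permit ... any`, adding a second VPN pool later only needs another `deny` line above it.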

I suspect that the NAT is taking precedence over the VPN. When you ping the 192.168.x.x through the VPN, the return traffic hits the firewall and sends it through the VPN. When you try and use port 25, I expect that the return traffic hits the firewall and is NAT'ed instead of going through the firewall.

I don't know the ins and outs of IOS, but you should be able to change the precedence and have the VPN operate "above" NAT. There may also be a setting on the VPN config telling it to ignore NAT in the VPNs.

tomjedrz