Cisco 837 VPN, NAT and Port Forwarding

Posted by Weili on February 27, 2005, 7:11 pm
Hi, I have such a home and office network:

192.168.201.0/24 --[ Cisco 837 Router A ]--Internet--
[192.168.201.254 61.X.X.204]

[ Cisco 831 Router B] ---- [ Firewall ] ---- 192.168.129.0/24
[203.x.x.18 172.x.x.133] 172.x.x.134 192.168.129.1]

Here is part of the config file on router A:

crypto map agentisvpn 10 ipsec-isakmp
set peer 203.x.x.18
set transform-set agentis
match address 115

interface Dialer1
ip address negotiated
ip access-group 112 in
ip mtu 1492
ip nat outside

ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.201.253 110 interface Dialer1 110
ip nat inside source static tcp 192.168.201.253 25 interface Dialer1 25


access-list 102 deny ip 192.168.201.0 0.0.0.255 192.168.129.0 0.0.0.255
access-list 102 deny ip 192.168.201.0 0.0.0.255 172.16.0.132 0.0.0.3
access-list 102 permit ip 192.168.201.0 0.0.0.255 any

access-list 115 permit ip 192.168.201.0 0.0.0.255 172.16.0.132 0.0.0.3
access-list 115 permit ip 192.168.201.0 0.0.0.255 192.168.129.0 0.0.0.255

The VPN tunnel is up and running between 192.168.129.0/24 and
192.168.201.0/24. As you can see, port 25 from the external IP address is
forwarded to the host with IP address 192.168.201.253. When I do a telnet
192.168.201.253 25 from the 192.168.120.0/24 network, it always times out.
I did a "show ip nat translations" on router A, and found out that
192.168.201.253 is translated to 61.x.x.204. It looks like NAT for
port forwarding happens before checking access list 102.

Any ideas to fix it?

Thank you very much.
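To make the ordering the post observes concrete, here is an added Python model (not from the post, and not Cisco's code) of router A's inside-to-outside path on Dialer1: a static port entry translates the packet on its own terms, the overload rule consults list 102, and the crypto map then checks the already-translated packet against list 115. It assumes 61.0.0.204 as a placeholder for the masked 61.x.x.204, a constructed remote host 192.168.129.50, and PAT that keeps the source port for simplicity.

```python
import ipaddress

# Constructed model of router A's configuration from the post; 61.0.0.204
# stands in for the masked public address 61.x.x.204.
OUTSIDE_IP = "61.0.0.204"
ANY = ("0.0.0.0", "255.255.255.255")

# Entries are (action, src net, src wildcard, dst net, dst wildcard).
ACL_102 = [  # NAT list: keep VPN destinations out of PAT, NAT everything else
    ("deny", "192.168.201.0", "0.0.0.255", "192.168.129.0", "0.0.0.255"),
    ("deny", "192.168.201.0", "0.0.0.255", "172.16.0.132", "0.0.0.3"),
    ("permit", "192.168.201.0", "0.0.0.255", *ANY),
]
ACL_115 = [  # crypto map "interesting traffic"
    ("permit", "192.168.201.0", "0.0.0.255", "172.16.0.132", "0.0.0.3"),
    ("permit", "192.168.201.0", "0.0.0.255", "192.168.129.0", "0.0.0.255"),
]
# ip nat inside source static tcp <inside ip> <port> interface Dialer1 <port>
STATIC_TCP = {("192.168.201.253", 25): 25, ("192.168.201.253", 110): 110}

def wildcard_match(ip, network, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care'."""
    ip, net, wc = (int(ipaddress.IPv4Address(x)) for x in (ip, network, wildcard))
    return ip & ~wc == net & ~wc

def acl_lookup(acl, src, dst):
    """First-match evaluation with IOS's implicit deny at the end."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

def egress(src, sport, dst):
    """Inside-to-outside path on Dialer1: NAT is applied, then the crypto map
    checks the already-translated packet against ACL 115.
    Returns (src after NAT, sport after NAT, NAT rule that fired, encrypted)."""
    if (src, sport) in STATIC_TCP:
        # A static port entry matches on its own terms; the deny lines of
        # list 102 never see it (what "show ip nat translations" revealed).
        src, sport, rule = OUTSIDE_IP, STATIC_TCP[(src, sport)], "static"
    elif acl_lookup(ACL_102, src, dst) == "permit":
        src, rule = OUTSIDE_IP, "overload"  # PAT; source port kept for simplicity
    else:
        rule = "none"  # VPN-bound traffic is left untranslated
    encrypted = acl_lookup(ACL_115, src, dst) == "permit"
    return src, sport, rule, encrypted

if __name__ == "__main__":
    print("mail server -> remote office:", egress("192.168.201.253", 25, "192.168.129.50"))
    print("other host  -> remote office:", egress("192.168.201.10", 5000, "192.168.129.50"))
```

Running it shows the mail server's reply leaving as 61.0.0.204 and missing ACL 115, so it is sent in the clear toward the Internet instead of into the tunnel, while any other inside host stays untranslated and is encrypted.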


Posted by Philip D'Ath on February 28, 2005, 9:07 pm
You can't fix it. People from the remote office will need to specify
the head office external public IP to be able to forward port 25 traffic.



Posted by Weili on February 28, 2005, 5:14 pm
I thought it was quite similar to this:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

But I could not make it work.

A workaround is to put an IP alias on 192.168.201.254, and it worked from
the other side of the VPN.

