Cisco 837 VPN, NAT and Port Forwarding

Discussion in 'Cisco' started by Weili, Feb 28, 2005.

  1. Weili

    Weili Guest

    Hi, I have a home and office network like this:

    192.168.201.0/24 --[ Cisco 837 Router A ]--Internet--
    [192.168.201.254 61.X.X.204]

    [ Cisco 831 Router B] ---- [ Firewall ] ---- 192.168.129.0/24
    [203.x.x.18 172.x.x.133] 172.x.x.134 192.168.129.1]

    Here is part of the config file on router A:

    crypto map agentisvpn 10 ipsec-isakmp
    set peer 203.x.x.18
    set transform-set agentis
    match address 115

    interface Dialer1
    ip address negotiated
    ip access-group 112 in
    ip mtu 1492
    ip nat outside

    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    no ip http server
    no ip http secure-server
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static tcp 192.168.201.253 110 interface Dialer1 110
    ip nat inside source static tcp 192.168.201.253 25 interface Dialer1 25


    access-list 102 deny ip 192.168.201.0 0.0.0.255 192.168.129.0 0.0.0.255
    access-list 102 deny ip 192.168.201.0 0.0.0.255 172.16.0.132 0.0.0.3
    access-list 102 permit ip 192.168.201.0 0.0.0.255 any

    access-list 115 permit ip 192.168.201.0 0.0.0.255 172.16.0.132 0.0.0.3
    access-list 115 permit ip 192.168.201.0 0.0.0.255 192.168.129.0 0.0.0.255

    The VPN tunnel is up and running between 192.168.129.0/24 and
    192.168.201.0/24. As you can see, port 25 from the external IP address is
    forwarded to the host with IP address 192.168.201.253. When I do a telnet
    192.168.201.253 25 from the 192.168.120.0/24 network, it always times out.
    I did a "show ip nat translations" on router A, and found out that
    192.168.201.253 is translated to 61.x.x.204. It looks like NAT for
    port forwarding happens before checking access list 102.

    Any ideas to fix it?

    Thank you very much.
     
    Weili, Feb 28, 2005
    #1

  2. Weili

    Philip D'Ath Guest

    You can't fix it. People from the remote office will need to specify
    the head office external public IP to be able to forward port 25 traffic.
     
    Philip D'Ath, Feb 28, 2005
    #2
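
Added example, not part of the original thread: a simplified Python model of the order router A applies to packets leaving the inside network (NAT first, then the crypto map check), built from the ACLs and static entries in the posted config. `OUTSIDE_IP`, the client address 192.168.129.10 and the function names are constructed for illustration.

```python
import ipaddress

# Rules copied from the router A config in the post (wildcard masks written as prefixes).
ACL_102 = [  # NAT overload list: "deny" means exempt from dynamic NAT
    ("deny", "192.168.201.0/24", "192.168.129.0/24"),
    ("deny", "192.168.201.0/24", "172.16.0.132/30"),
    ("permit", "192.168.201.0/24", "0.0.0.0/0"),
]
ACL_115 = [  # crypto map "match address" list
    ("permit", "192.168.201.0/24", "172.16.0.132/30"),
    ("permit", "192.168.201.0/24", "192.168.129.0/24"),
]
STATIC_NAT = {("192.168.201.253", 110), ("192.168.201.253", 25)}
# Constructed stand-in for Dialer1's negotiated address (61.X.X.204 in the post).
OUTSIDE_IP = "198.51.100.204"


def acl_action(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    for action, s, d in acl:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(s)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(d)):
            return action
    return "deny"


def inside_to_outside(src, sport, dst):
    """Simplified model: NAT runs first, then the crypto map sees the post-NAT source."""
    if (src, sport) in STATIC_NAT:
        # A static entry matches on address and port alone; ACL 102 is never consulted.
        nat_src, rule = OUTSIDE_IP, "static"
    elif acl_action(ACL_102, src, dst) == "permit":
        nat_src, rule = OUTSIDE_IP, "overload"
    else:
        nat_src, rule = src, "none"
    encrypted = acl_action(ACL_115, nat_src, dst) == "permit"
    return {"nat": rule, "source_on_wire": nat_src, "encrypted": encrypted}


if __name__ == "__main__":
    # Constructed flows: replies from the mail host to a remote-office client.
    for sport in (25, 80):
        print(sport, inside_to_outside("192.168.201.253", sport, "192.168.129.10"))
```

In this model the reply from port 25 leaves with the public source address and no longer matches access list 115, so it bypasses the tunnel, while the same host's reply from port 80 is exempt from NAT and is encrypted.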

  3. Weili

    Weili Guest

    Weili, Mar 1, 2005
    #3