Below is the config I got working. It's just a partial config because it was also running Cisco CallManager Express. We had a web server and an Exchange server that needed ports forwarded from the internet and also needed to be accessible from the remote VPN side. Internet traffic was port forwarded, and VPN traffic connected to the server's local internal IP.

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.2 25 74.7.221.154 25 route-map nonat extendable
ip nat inside source static tcp 192.168.1.2 443 74.7.221.154 443 route-map nonat extendable
ip nat inside source static tcp 192.168.1.2 1328 74.7.221.154 1328 route-map nonat extendable
ip nat inside source static tcp 192.168.1.3 22 74.7.221.155 22 route-map nonat extendable
ip nat inside source static tcp 192.168.1.3 25 74.7.221.155 25 route-map nonat extendable
ip nat inside source static tcp 192.168.1.3 53 74.7.221.155 53 route-map nonat extendable
ip nat inside source static tcp 192.168.1.3 80 74.7.221.155 80 route-map nonat extendable
ip nat inside source static tcp 192.168.1.3 110 74.7.221.155 110 route-map nonat extendable
ip nat inside source static tcp 192.168.1.3 143 74.7.221.155 143 route-map nonat extendable
ip nat inside source static tcp 192.168.1.3 443 74.7.221.155 443 route-map nonat extendable
ip nat inside source static tcp 192.168.1.3 10000 74.7.221.155 10000 route-map nonat extendable
ip nat inside source static 192.168.1.7 74.7.221.157 route-map nonat
ip route 0.0.0.0 0.0.0.0 74.7.221.153
!
logging esm config
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=16
access-list 102 remark IPSec Rule
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 deny   ip host 192.168.1.2 192.168.2.0 0.0.0.255
access-list 150 permit ip host 192.168.1.2 any
access-list 150 deny   ip host 192.168.1.3 192.168.2.0 0.0.0.255
access-list 150 permit ip host 192.168.1.3 any
access-list 150 deny   ip host 192.168.1.7 192.168.2.0 0.0.0.255
access-list 150 permit ip host 192.168.1.7 any
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
route-map nonat permit 10
 match ip address 150
!
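To check which source/destination pairs the route-maps above send through NAT, the following added example (not part of the original config or any Cisco tool) evaluates ACLs 150 and 102 the way IOS does: first match wins, with wildcard masks and an implicit deny. The function names and the 203.0.113.5 test destination are assumptions, and the rule that a matching static entry wins over the overload rule is a simplified model.

```python
import ipaddress

# ACL lines copied from the page. ACL 150 feeds route-map "nonat" (static NAT),
# ACL 102 feeds route-map SDM_RMAP_1 (interface overload / PAT).
CONFIG = """
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 deny   ip host 192.168.1.2 192.168.2.0 0.0.0.255
access-list 150 permit ip host 192.168.1.2 any
access-list 150 deny   ip host 192.168.1.3 192.168.2.0 0.0.0.255
access-list 150 permit ip host 192.168.1.3 any
access-list 150 deny   ip host 192.168.1.7 192.168.2.0 0.0.0.255
access-list 150 permit ip host 192.168.1.7 any
"""
ip = lambda a: int(ipaddress.IPv4Address(a))

def take_addr(tok):
    """Consume one IOS address spec, return (base, wildcard) as integers."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return ip(tok.pop(0)), 0
    return ip(first), ip(tok.pop(0))

def parse_acls(text):
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) > 4 and t[0] == "access-list" and t[2] in ("permit", "deny"):
            rest = t[4:]                      # t[3] is the protocol ("ip")
            src = take_addr(rest)
            acls.setdefault(t[1], []).append((t[2], src, take_addr(rest)))
    return acls

def acl_permits(acl, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    hit = lambda a, spec: ((ip(a) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF) == 0
    for action, s, d in acl:
        if hit(src, s) and hit(dst, d):
            return action == "permit"
    return False

def nat_decision(acls, src, dst):
    """Simplified model: a static entry whose route-map matches wins over PAT."""
    if acl_permits(acls["150"], src, dst):
        return "static"
    if acl_permits(acls["102"], src, dst):
        return "overload"
    return "none"   # left untranslated, so it can match ACL 100 ("IPSec Rule")

ACLS = parse_acls(CONFIG)
```

Calling `nat_decision(ACLS, "192.168.1.2", "192.168.2.10")` returns `"none"`, which is the behaviour the deny lines exist for: swapping a deny/permit pair in ACL 150 would make the permit match first and translate VPN-bound traffic.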

 
