
Cisco 831 static NAT


LangleyS (IS-IT--Management, joined May 10, 2007, GB):
Hi All,

I have just been tasked with connecting our small branch office to our main office via a VPN. We have a Cisco 831 router at each end. The main office has a leased line and the branch office has a cable broadband connection.

I have set both routers up and got a VPN tunnel working fine. I can ping all the machines at the branch office and the branch office can ping all the machines at the main office.

At the branch office, they have a device that needs to be accessed externally from the internet on port 7000.

I have set a static NAT up on the branch office router but it cannot be accessed from the internet. I can access it across the VPN but not externally if I try from home or somewhere like that.

This was all done using SDM.

Any help would be much appreciated as I am going up the wall trying to resolve this.

In summary, the device on port 7000 can be accessed over the VPN from the main office over the Easy VPN tunnel. It can be accessed by any internal machine but cannot be accessed from anywhere on the Internet using the router Ethernet1 address with port 7000.

The Branch Office Config is :-

Current configuration : 2476 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Branch
!
enable password *********
!
username ********* privilege 15 password 0 ********
no aaa new-model
ip subnet-zero
no ip domain lookup
ip domain name sme.int
ip name-server **.**.**.**
ip name-server **.**.**.**
ip dhcp excluded-address 172.16.25.254
ip dhcp excluded-address 172.16.25.25
ip dhcp excluded-address 172.16.25.253
!
ip dhcp pool CLIENT
import all
network 172.16.25.0 255.255.255.0
default-router 172.16.25.254
netbios-name-server 10.110.131.1 10.110.131.2
dns-server **.**.**.** **.**.**.**
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
crypto ipsec client ezvpn Smartest
connect auto
group ***** key 0 *******
mode network-extension
peer **.**.**.**
!
class-map match-any test_class_map_for_sdm
match dscp default
match protocol ip
!
interface Ethernet0
description connected to BRANCH
ip address 172.16.25.254 255.255.255.0
no cdp enable
crypto ipsec client ezvpn Smartest inside
!
interface Ethernet1
description connected to INTERNET
ip address dhcp
duplex auto
no cdp enable
crypto ipsec client ezvpn Smartest
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip nat inside source static udp 172.16.25.25 7000 interface Ethernet1 7000
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip route 10.110.131.0 255.255.255.0 Ethernet1
ip route 192.168.252.0 255.255.255.0 Ethernet1
ip route 194.129.160.0 255.255.255.0 Ethernet1
ip route 194.129.161.102 255.255.255.255 Ethernet1
ip http server
ip http authentication local
ip http secure-server
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.16.25.0 0.0.0.255
no cdp run
!
line con 0
exec-timeout 120 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 120 0
privilege level 15
password *****
login local
length 0
transport input telnet ssh
!
scheduler max-task-time 5000
!
end

Hello
I could be wrong! But you can try the ip nat inside and outside commands. I think these are also needed for static NAT. You may also need a "route map" to go around the VPN to the server. It's strange that SDM didn't get it all right. Normally it's pretty good.
I have just begun studying VPNs, so I am not very good. Just a few hints till the experts arrive.
Good luck
It appears that your static NAT is mapped to your Ethernet1 interface, which is the same interface as your Internet connection. I'm assuming that the device you want to access is on the LAN, not on Ethernet1 of your router.

Here's an example:

ip nat inside source static tcp <inside server> 80 <outside interface> 80 extendable

** the above makes a 1-1 NAT from my outside interface IP to my internal LAN server that is serving HTTP on port 80.**

We are also using route-maps for the NAT, such as:

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload

**FastEthernet4 is my Internet port on the router.

Here's the route-map

route-map SDM_RMAP_1 permit 1
match ip address 103


Here's the ACL for the route-map:

access-list 103 permit ip x.x.x.0 0.0.0.255 any

Where x.x.x.0 is the subnet and 0.0.0.255 is the wildcard mask. **This allows LAN users to access the Internet, while the above static allows Internet users to access the web server on the internal LAN.**
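Putting the two replies together against the Branch config in the original post: the `ip nat inside source static udp 172.16.25.25 7000 interface Ethernet1 7000` line can never be evaluated, because no interface in that config is marked with `ip nat inside` or `ip nat outside`, and there is no PAT rule at all for ordinary Internet traffic from the LAN. The fragment below is an added example (not the poster's config and not SDM output) of the NAT section with those pieces in place. Assumptions are mine: that 10.110.131.0/24 and 192.168.252.0/24 are the HQ networks reached over the tunnel (they appear as static routes in the posted config), and the choice of ACL number 103 and the route-map name.

```cisco
! Added example: NAT pieces missing from the posted Branch config.
!
! 1. Interface roles. Without these, no "ip nat inside source" rule is
!    ever consulted, which matches the symptom in the original post.
interface Ethernet0
 description connected to BRANCH
 ip nat inside
!
interface Ethernet1
 description connected to INTERNET
 ip nat outside
!
! 2. Static port forward for the device at 172.16.25.25, bound to
!    whatever address DHCP hands Ethernet1. The posted config uses udp;
!    if the device actually listens on TCP 7000 this must say tcp.
!    "extendable" lets several statics share the Ethernet1 address.
ip nat inside source static udp 172.16.25.25 7000 interface Ethernet1 7000 extendable
!
! 3. PAT for general Internet access. The deny lines keep traffic bound
!    for the HQ networks out of translation so it enters the EzVPN tunnel
!    with its real 172.16.25.x source. ACL number, route-map name and the
!    two HQ subnets are assumptions taken from the posted static routes.
access-list 103 remark NAT_BYPASS_VPN
access-list 103 deny   ip 172.16.25.0 0.0.0.255 10.110.131.0 0.0.0.255
access-list 103 deny   ip 172.16.25.0 0.0.0.255 192.168.252.0 0.0.0.255
access-list 103 permit ip 172.16.25.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
!
! 4. Management exposure. Once Ethernet1 is the NAT outside, the HTTP
!    server and the telnet/ssh vty in the posted config are still reachable
!    from the Internet with no access-class. access-list 1 (the LAN
!    subnet) already exists in that config and can restrict both.
ip http access-class 1
line vty 0 4
 access-class 1 in
 transport input ssh
```

Two checks after applying this: `show ip nat translations` should list the static entry for 172.16.25.25:7000 immediately and should gain dynamic entries when a LAN host browses the Internet, and `show crypto ipsec client ezvpn` should still report the tunnel up and the HQ traffic selectors unchanged. If a test from home still fails, the first thing to confirm is the protocol the device really uses on port 7000, since a UDP static will not match a TCP connection.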


The structure of the network is as follows.

The branch router connects to the internet via Ethernet1. The local LAN connects via Ethernet0 and has a subnet of 172.16.25.0/24.

The branch router creates an IPSEC tunnel via Ethernet1 to our HQ router.

The device sits on the branch local LAN and has a local IP address of 172.16.25.25 and listens on port 7000.

We need to be able to access this device from the HQ using the IP address 172.16.25.25 but remote users over the internet need to access it by using the public IP address of the branch router ( on port 7000 ). The Ethernet1 interface is connected to a cable network and gets its address via DHCP from the cable company. The IP address is static though.

I have noticed on my 831 that after the upgrade of IOS there is now an Ethernet2 as well. I can't work out what this is used for as there is no Ethernet2 port labeled on the back of the router.