
Problem portforwarding to Mailserver on 837 with VPN clients

Status
Not open for further replies.

chicocouk

MIS
Aug 19, 2002
331
GB
Got a configuration problem on a cisco 837 adsl router. I can set it up to forward smtp traffic to an internal mailserver, using the following commands;

(where a.b.c.d is the outside wan ip on the Dialer, 10.1.92.2 is the mailserver's local address)

access-list 111 permit tcp any host a.b.c.d eq smtp
!
interface Dialer1
 ip access-group 111 in
!
ip nat inside source static tcp 10.1.92.2 25 a.b.c.d 25 extendable

This works fine for traffic that originates from the WAN. However, I also have a site-to-site VPN and remote user VPNs, and although all other traffic down the VPNs works fine (pings, shares etc.), SMTP traffic doesn't work. I suspect it is being statically translated by the static rule to the outside address of the router.

So the question is, how do I configure the router to statically translate the traffic if it originated from the internet, but not translate it if it came from either of my VPNs?

For information, the site to site vpn traffic, the remote end's local range is 10.0.0.0/16 and the remote access users vpn in and get assigned an address on a 172.16.1.0/24 range.

Any help very much appreciated

Thanks!
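An illustration of the usual IOS approach to this, added here and not taken from any reply in the thread: bind a route-map to the static entry so the translation is skipped when the mail server's reply is heading for a VPN subnet (NAT runs before the crypto map on the inside-to-outside path, so an untranslated reply still matches the crypto ACL). The names NAT-NO-VPN and NONAT are assumed, as is an IOS release that accepts the route-map keyword on a static NAT entry; the subnets come from the post above.

```cisco
! Added example, not from the thread. Assumes: mail server 10.1.92.2 (from the post),
! site-to-site peer LAN 10.0.0.0/16 and remote-access pool 172.16.1.0/24 (from the post),
! and an IOS release whose static NAT entry accepts "route-map" (check with "?").
!
! Replies from the mail server towards either VPN subnet are denied here, so the
! route-map does not match and the static translation is not applied to them.
! Everything else from port 25 on the server is permitted and translated as before.
ip access-list extended NAT-NO-VPN
 deny   tcp host 10.1.92.2 eq 25 10.0.0.0 0.0.255.255
 deny   tcp host 10.1.92.2 eq 25 172.16.1.0 0.0.0.255
 permit tcp host 10.1.92.2 eq 25 any
!
route-map NONAT permit 10
 match ip address NAT-NO-VPN
!
! Swap the unconditional static entry for one bound to the route-map.
! Existing translations may have to be cleared first: clear ip nat translation *
no ip nat inside source static tcp 10.1.92.2 25 a.b.c.d 25 extendable
ip nat inside source static tcp 10.1.92.2 25 a.b.c.d 25 route-map NONAT extendable
!
! Verify: open port 25 from a VPN client and from a WAN host, then check
!   show ip nat translations
!   debug ip nat
! The VPN session should leave untranslated; only the WAN session should show a.b.c.d:25.
```

The keyword order on the static entry (extendable / route-map) varies between releases, so let the CLI help guide the exact form on the 837.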
 
Does this mean no one knows how to do this?

;)

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
It may be worth posting parts of the config so we can see how you have it currently configured.

Andy
 
You can't nat outside traffic and VPN traffic on the same interface.

For example, if you're NATing SMTP traffic on an external interface to 192.168.2.100, you can't have VPN tunnel access to 192.168.2.100:25 from the tunnel. You need to create another interface on the SMTP server for internal/VPN users to use. Sort of like a DMZ, only you can use the same NIC.
 
D'you mean you'd need to give the SMTP server a second IP address? Rather than changing something in the config on the router? Or have I misunderstood?

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
Did you ever get a response to this query? I have the same issue. But my VPN clients experience very slow connectivity to the other ports. Can you post a "show version"? What IOS are you using?
 