No connectivity to published services while on VPN

Hello,

I am in the process of making a VPN config for use between two locations, but have run into one problem and I wonder whether it's fixable.

On the Cisco 831 I use, I have made port forwardings for a number of services, among which are port 80, 443 (webmail), 25 (smtp) etc. All this works fine.

However, when you connect to the 831 using VPN, it's not possible to get to the server I use for webmail/smtp etc because apparently the port forwarding rule somehow blocks this? When I remove port forwarding and try to connect while on the VPN, everything works, but then the external connection is of course down :-(

Is there any way to have the port forwarding, but also have the same servers reachable under the same port number while on the VPN?

Kind Regards,

Erwin Drager


In article , Erwin Drager wrote:

:On the Cisco 831 I use, I have made port forwardings for a number of
:services, among which are port 80, 443 (webmail), 25 (smtp) etc. All
:this works fine.

:However, when you connect to the 831 using VPN, it's not possible to
:get to the server I use for webmail/smtp etc because apparently the
:port forwarding rule somehow blocks this?

:Is there any way to have the port forwarding, but also have the same
:servers reachable under the same port number while on the VPN?

I haven't worked with VPNs on IOS much at all, but this might perhaps provide a lead: On the PIX the way you would do this would be to add a 'nat exemption' access list that matched the VPN traffic:

    access-list nonat permit ip SOURCENET SOURCEMASK DESTNET DESTMASK
    nat (inside) 0 access-list nonat

nat 0 access-list is, on the PIX, always processed before any other kind of nat or static. The result is that "raw" IPs and ports are used for the VPN, but not for anything that does not match the ACL.

Reply to
Walter Roberson
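
A simplified Python model of the processing order described in the reply above, added here as an illustration (not code from the thread or from Cisco). The addresses, the tunnel-match check and all function names are constructed assumptions; it shows the server's reply to a VPN peer being rewritten by the port-forward static unless the nat exemption list is evaluated first.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing (assumptions, not taken from the thread)
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")  # LAN behind the firewall
VPN_NET = ipaddress.ip_network("192.168.2.0/24")     # remote site on the tunnel
PUBLIC_IP = ipaddress.ip_address("203.0.113.1")      # outside interface address
SERVER = ipaddress.ip_address("192.168.1.10")        # webmail/SMTP server

# Port forwards for 80, 443 and 25: (inside host, port) -> (public IP, port)
STATICS = {(SERVER, p): (PUBLIC_IP, p) for p in (80, 443, 25)}
# Model of "access-list nonat permit ip INSIDE_NET VPN_NET"
NONAT_ACL = [(INSIDE_NET, VPN_NET)]

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int

def translate_outbound(pkt, nonat_acl):
    """Return the packet as it would leave the inside interface."""
    # Step 1: the exemption list is checked before any other NAT rule.
    for src_net, dst_net in nonat_acl:
        if pkt.src in src_net and pkt.dst in dst_net:
            return pkt  # raw IPs and ports are kept
    # Step 2: a matching port forward rewrites the server's source address.
    mapped = STATICS.get((pkt.src, pkt.sport))
    if mapped:
        return Packet(mapped[0], mapped[1], pkt.dst, pkt.dport)
    return pkt  # dynamic NAT/PAT is left out of this model

def matches_tunnel(pkt):
    """Tunnel selector in this model: untranslated inside net to VPN net."""
    return pkt.src in INSIDE_NET and pkt.dst in VPN_NET

def reply_reaches_vpn_peer(nonat_acl):
    """Follow the server's HTTPS reply to a constructed VPN peer address."""
    reply = Packet(SERVER, 443, ipaddress.ip_address("192.168.2.50"), 51000)
    return matches_tunnel(translate_outbound(reply, nonat_acl))

if __name__ == "__main__":
    print("without nat exemption:", reply_reaches_vpn_peer([]))
    print("with nat exemption:", reply_reaches_vpn_peer(NONAT_ACL))
```

Traffic to destinations outside the exemption list still goes through the port forward, so the published services stay reachable from the Internet.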

Hmm, that sounds like what I want, only not sure I can do that on the 831. Will try that tomorrow :-)

Thanks!

Erwin
