1 Reply Latest reply on Jan 15, 2015 9:37 AM by noor

    Port forward traffic from internet over vpn tunnel

    dtown New Member

      I have an existing IPsec VPN tunnel set up between two sites using NetVanta 3458 routers. How can I port forward traffic from one site to the other over the VPN tunnel?

      Site A      ext IP: 1.2.3.4, int IP: 192.168.1.1

      Site B:     ext IP: 2.3.4.5, int IP: 192.168.2.1

      Site B server:     192.168.2.2

       

      Traffic flows without problems between 192.168.1.0 and 192.168.2.0 subnets and I can forward the traffic entering on Site A's external IP to any server in Site A without problems.

       

      But I would like to forward all traffic on port 443 coming in on Site A's external IP (1.2.3.4) over the VPN tunnel to the Site B server (192.168.2.2). I've tried creating a policy on Site A's router to forward port 443 directly to the Site B server at 192.168.2.2. I've also tried creating a policy on Site A's router to forward port 443 to the Site B router's internal IP (192.168.2.1) and then setting a policy on Site B's router to forward all traffic to the Site B server. Neither of those worked.

       

      Any help would be appreciated.

        • Re: Port forward traffic from internet over vpn tunnel
          Employee

          Suki,

           

          Thanks for posting your question on the forum!

           

          First, you will need to modify the VPN selectors to reflect traffic that will be sourced from the internet on port 443 and destined for the site B server (192.168.2.2). This will allow this traffic to traverse the VPN tunnel.

           

          Site A:

          permit tcp any host 192.168.2.2 eq 443

          Site B:

          permit tcp host 192.168.2.2 eq 443 any

           

          On Site A, you will then need to modify the access-policy assigned to the WAN interface so that the port-forward can take place:

           

          ip access-list ext PortFwd

              permit tcp any host 1.2.3.4 eq 443

           

          ip policy-class WAN

              nat destination list PortFwd address 192.168.2.2

           

          I have not seen your configuration, but you will want to be careful about the order of the rules on the WAN policy-class to be sure that the port-forward is not ignored due to a rule listed above it.

           

          Please do not hesitate to let us know if you have any questions.

           

          Thanks,

          Noor
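The answer above relies on three things lining up: the WAN policy-class must reach the destination-NAT entry before any earlier rule swallows the packet, Site A's VPN selector must match the post-NAT destination (192.168.2.2:443), and Site B's selector must be the mirror image so the server's replies go back into the tunnel. The following is an added example, not part of the original thread and not Adtran code, that models those checks in Python with first-match, implicit-deny access-list semantics. The packet flow it encodes (destination NAT first, then the selector check on the translated packet) follows the order Noor describes; the exact internal ordering of the AOS firewall is an assumption here, as are the helper names and the constructed sample packet.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, List, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'permit tcp any host 192.168.2.2 eq 443'.
    An address spec is 'any', a host address, or a CIDR prefix."""
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str
    dst: str
    dport: Optional[int] = None # None means any destination port
    sport: Optional[int] = None # None means any source port

def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _addr_match(ace.src, pkt.src)
            and _addr_match(ace.dst, pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport)
            and (ace.sport is None or ace.sport == pkt.sport))

def first_match(acl: List[Ace], pkt: Packet) -> Optional[Ace]:
    """First entry that matches wins; no match is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace
    return None

# A policy-class is an ordered list of (kind, access-list, argument).
# kind is "allow", "discard" or "nat destination"; argument is the NAT target.
Rule = Tuple[str, List[Ace], Optional[str]]

def apply_policy_class(rules: List[Rule], pkt: Packet) -> Tuple[str, Packet]:
    """Walk the policy-class top to bottom; the first entry whose list permits
    the packet decides its fate. Nothing matching is the implicit discard."""
    for kind, acl, arg in rules:
        ace = first_match(acl, pkt)
        if ace is None or ace.action != "permit":
            continue
        if kind == "nat destination":
            return "nat", replace(pkt, dst=arg)
        return kind, pkt
    return "discard", pkt

def trace_port_forward(site_a_wan: List[Rule], site_a_sel: List[Ace],
                       site_b_sel: List[Ace], pkt: Packet) -> str:
    """Follow an Internet client's packet from Site A's WAN into the tunnel and
    check that Site B would put the server's reply back into the tunnel."""
    verdict, fwd = apply_policy_class(site_a_wan, pkt)
    if verdict != "nat":
        return f"site A policy-class: {verdict} before the port-forward rule"
    if first_match(site_a_sel, fwd) is None:
        return "site A: translated packet matches no VPN selector"
    reply = Packet(fwd.proto, fwd.dst, fwd.dport, fwd.src, fwd.sport)
    if first_match(site_b_sel, reply) is None:
        return "site B: reply from server matches no VPN selector"
    return "forwarded over tunnel"

# Constructed configuration mirroring the answer above.
PORTFWD   = [Ace("permit", "tcp", "any", "1.2.3.4", dport=443)]
SITE_A_SEL = [Ace("permit", "tcp", "any", "192.168.2.2", dport=443)]
SITE_B_SEL = [Ace("permit", "tcp", "192.168.2.2", "any", sport=443)]
WAN_OK     = [("nat destination", PORTFWD, "192.168.2.2")]
# The pitfall from the last paragraph: a rule above the port-forward that
# already matches port 443 to the WAN address, so the NAT entry is never reached.
WAN_SHADOWED = [("allow", [Ace("permit", "tcp", "any", "1.2.3.4")], None)] + WAN_OK

CLIENT = Packet("tcp", "203.0.113.10", 51515, "1.2.3.4", 443)  # constructed sample

if __name__ == "__main__":
    print(trace_port_forward(WAN_OK, SITE_A_SEL, SITE_B_SEL, CLIENT))
    print(trace_port_forward(WAN_SHADOWED, SITE_A_SEL, SITE_B_SEL, CLIENT))
    print(trace_port_forward(WAN_OK, SITE_A_SEL, [], CLIENT))
```

Running it shows the working configuration forwarding the packet, the shadowed policy-class stopping at the earlier allow rule, and a Site B without the mirrored selector dropping the server's replies, which is the symptom that looks like "the forward doesn't work" even though Site A is correct.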