Hi everyone, as the firewall for my network I have a Cisco 877 with a site-to-site VPN connection configured to an ASA 5100, and everything works perfectly.
Recently I needed to "NAT" (port-forward) the VNC service on a PC on the internal network for remote support.
I added the rules for the ACL and for the NAT respectively:
access-list 101 permit tcp any host 80.59.xx.xx eq 5900, where 80.59.xx.xx is the public IP of my 877;
ip nat inside source static tcp 192.168.0.230 5900 interface ATM0.1 5900, where 192.168.0.230 is the private IP of the PC running the VNC service.
Unfortunately the rule does not work: from outside, connecting to the public IP, I cannot reach the internal PC, and moreover from the other internal network across the tunnel (10.x.x.x) I can no longer reach 192.168.0.230 (not even with ping), whereas if I delete the new NAT rule everything over the VPN works again.
Does anyone have any ideas?
Thanks in advance.
The full config follows:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXXXXXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$9vlm$gqKylyjR1kz1MFLIBQFry.
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.119
ip dhcp excluded-address 192.168.0.161 192.168.0.254
!
ip dhcp pool Sp-dhcp
import all
network 192.168.0.0 255.255.255.0
dns-server 194.179.1.100 194.179.1.101
default-router 192.168.0.1
netbios-name-server 10.0.0.9
domain-name formplast.es
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name formplastgroup.es
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
crypto pki trustpoint TP-self-signed-1671104223
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1671104223
revocation-check none
rsakeypair TP-self-signed-1671104223
!
!
crypto pki certificate chain tti
crypto pki certificate chain TP-self-signed-1671104223
certificate self-signed 01
3082025A 308201C3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31363731 31303432 3233301E 170D3032 30333031 30303035
31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36373131
30343232 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100F6BD BC4AFE37 0FF8DB64 7F56C319 6DAAD221 B1849AB9 1E473216 3C5244CF
60BF7157 BEBC881B 120D39BD 1FE43DAF BC42EE52 AE3F0A72 B9A92EE9 CBE4F604
4D1DFD6D 5E35004D AE5F812C 63FE01DA 14D5E41E 3C8599D8 470798EF 1AEA3C4C
A6AAE8B7 B28173BA 0ECE756C 4690CDA1 B21DE43A 0D8239C9 5A7DAAA5 C22A70B8
F73F0203 010001A3 8181307F 300F0603 551D1301 01FF0405 30030101 FF302C06
03551D11 04253023 82214349 53434F38 37372D53 5041474E 412E666F 726D706C
61737467 726F7570 2E657330 1F060355 1D230418 30168014 940238E9 98CF4ED2
5990BF5A 7DB3DE7D 02B68DBC 301D0603 551D0E04 16041494 0238E998 CF4ED259
90BF5A7D B3DE7D02 B68DBC30 0D06092A 864886F7 0D010104 05000381 8100432A
3EF6071F AF743FE2 CED7EC59 062C924E C82AA7A5 EE00E7CD 07A3D7C0 922363D9
F11CE7BF 2BE0F245 D8D8EA55 C456DAFA 808E2680 E52D360D AE5D0B5E 9857362E
2C6D3CA0 F8DA75D9 841BFBE3 31416CE3 5884C348 6348E363 FCE155A3 D221B7EC
617F2F81 AF6648D9 5306440B 115C44F0 232F7879 2BA563D1 1129D526 5A68
quit
username XXXX privilege 15 view root secret 5 $1$caB5$Gtq/l9gnKcOmKHUi/mzTw1
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXX address XXXXXXXX
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toXXXXX
set peer XXXXXXX
set transform-set ESP-3DES-SHA
match address 102
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip address XXXXXXXXX XXXXXXXXX
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
pvc 8/32
protocol ip XXXXXXXX broadcast
encapsulation aal5snap
!
crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 XXXXXXXXX
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.0.230 5900 interface ATM0.1 5900
ip nat inside source route-map SDM_RMAP_1 interface ATM0.1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq telnet
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq 22
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq www
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq 443
access-list 100 permit tcp 10.0.0.0 0.0.0.255 host 192.168.0.1 eq cmd
access-list 100 deny tcp any host 192.168.0.1 eq telnet
access-list 100 deny tcp any host 192.168.0.1 eq 22
access-list 100 deny tcp any host 192.168.0.1 eq www
access-list 100 deny tcp any host 192.168.0.1 eq 443
access-list 100 deny tcp any host 192.168.0.1 eq cmd
access-list 100 deny udp any host 192.168.0.1 eq snmp
access-list 100 deny ip xx.xx.xx.0 0.0.0.63 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any host 80.59.xx.xx eq 5900
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq non500-isakmp
access-list 101 permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq isakmp
access-list 101 permit esp host xx.xx.xx.xx host xx.xx.xx.xx
access-list 101 permit ahp host xx.xx.xx.xx host xx.xx.xx.xx
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp host xx.xx.xx.xx host xx.xx.xx.xx echo-reply
access-list 101 permit icmp host xx.xx.xx.xx host xx.xx.xx.xx time-exceeded
access-list 101 permit icmp host xx.xx.xx.xx host xx.xx.xx.xx unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 remark VTY Access-class list
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip 10.0.0.0 0.0.0.255 any
access-list 104 permit ip 192.168.0.0 0.0.0.255 any
access-list 104 deny ip any any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 104 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Thanks again.
Cisco 877 port forwarding problem with VNC service
Moderator: Federico.Lagni
- Wizard
- Intergalactic subspace network admin
- Posts: 3441
- Joined: Fri 03 Feb 2006, 10:04 am
- Location: Emilia Romagna
- Contact:
On PIX/ASA nat0 has priority, whereas on a router it does not, so a proper policy map applied to the NAT rule is needed.
Example:
ip nat inside source static tcp 192.168.0.100 3389 88.44.195.138 3389 route-map POL-NAT
access-list 107 remark *************************************************************
access-list 107 remark ACL PER POLICY-NAT VPN CLIENT
access-list 107 remark *************************************************************
access-list 107 deny ip 192.168.0.0 0.0.0.255 192.168.0.200 0.0.0.7
access-list 107 permit ip any any
route-map POL-NAT permit 10
match ip address 107
The future is made of people who have intuitions and visions..... those are the people who make the difference...... the ones endowed with a THIRD EYE....
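The reply's fix, applied to the configuration posted above, as an added example written by the editor rather than taken from either post. The overload PAT rule in the posted config is already conditioned on route-map SDM_RMAP_1, whose ACL 103 denies translation for 192.168.0.0/24 to 10.0.0.0/24; the new static entry carries no such exemption, so it can translate traffic of 192.168.0.230 that should have stayed untranslated and matched crypto ACL 102. The block below removes the unconditional static entry, re-adds it behind a route-map that excludes the remote LAN, and narrows the inbound ACL line. The ACL number 105, the route-map name NAT-VNC and the support provider's address 203.0.113.10 are assumptions chosen for the example; 80.59.xx.xx is the page's own placeholder for the router's public address.

```cisco
! Added example (editor's own, not from the original thread): policy NAT on the
! static VNC entry so that site-to-site traffic is never translated.
!
! 1. Remove the unconditional static entry that broke the tunnel.
no ip nat inside source static tcp 192.168.0.230 5900 interface ATM0.1 5900
!
! 2. ACL for the static entry (number 105 is an assumption): do not translate
!    192.168.0.230 when it talks to the LAN behind the ASA (10.0.0.0/24),
!    translate everything else. This mirrors what ACL 103 already does for
!    the overload rule.
access-list 105 remark NO-NAT TOWARD SITE-TO-SITE PEER, NAT FOR VNC OTHERWISE
access-list 105 deny   ip host 192.168.0.230 10.0.0.0 0.0.0.255
access-list 105 permit ip host 192.168.0.230 any
!
route-map NAT-VNC permit 10
 match ip address 105
!
! 3. Re-add the port forward, now conditioned on the route-map.
!    Reusing "route-map SDM_RMAP_1" here would also work, because ACL 103
!    already denies 192.168.0.0/24 -> 10.0.0.0/24 and permits the rest.
ip nat inside source static tcp 192.168.0.230 5900 interface ATM0.1 5900 route-map NAT-VNC
!
! 4. Hardening: expose TCP/5900 only to the host that needs it, not to "any".
!    203.0.113.10 stands in for the support provider's address (assumption).
!    ACL 101 is applied inbound on ATM0.1 and ends in "deny ip any any", so
!    the replacement line is given sequence 5 to keep it ahead of the denies.
ip access-list extended 101
 no permit tcp any host 80.59.xx.xx eq 5900
 5 permit tcp host 203.0.113.10 host 80.59.xx.xx eq 5900
!
! 5. Flush stale translations so the new rules take effect immediately.
clear ip nat translation *
!
! Verification:
show ip nat translations
!   expect a static line: tcp 80.59.xx.xx:5900  192.168.0.230:5900  ---  ---
show crypto ipsec sa
!   #pkts encaps / #pkts decaps must keep rising for 192.168.0.0/24 <-> 10.0.0.0/24
!   while 10.x hosts ping 192.168.0.230
show ip access-lists 101
!   match counter on the TCP/5900 line increments when the support host connects
```

Two caveats worth checking on the router's own release. If the parser rejects `route-map` after the `interface ATM0.1` form, use the explicit public address form exactly as in the reply (`... 5900 80.59.xx.xx 5900 route-map NAT-VNC`). Some IOS releases treat a static entry that carries a route-map as usable only for inside-initiated flows and offer a `reversible` keyword for outside-initiated connections; if `show ip nat translations` lists the static entry but inbound VNC still fails, check whether your release accepts `route-map NAT-VNC reversible` on that line.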
I know too much...