I have a Cisco router that we have people VPN into. Everything works great until they try to connect to a port that is statically mapped to the outside. For example, I have a mail host that is accessible to the outside world on port 25. To achieve this, I have the following in my config:
ip nat inside source static tcp 192.168.x.x 25 interface myinterface 25
When I am connected to the VPN I can ping the host 192.168.x.x, but I can't connect to port 25. People inside the network can connect to the port, and it is available to the internet at the interface address. What am I missing? Thanks in advance for the help.
Never done exactly what you want, but I think it might be that you would just make a static NAT entry using a route map. And then in the route map, have match ACL_NUMBER. Then in that ACL, don't permit the VPN traffic.
This Cisco post might help you.
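Putting the route-map approach from the answer above into an IOS configuration, as an added illustration that is not from the original thread. The addresses, ACL and route-map names and the interface are assumed, as is that the running IOS release accepts route-map on the static port-forward form of ip nat inside source static.

```cisco
! Constructed example (not from the original post). Assumed values:
!   192.168.1.25       = internal mail host (stands in for 192.168.x.x)
!   10.10.10.0/24      = address pool handed out to VPN clients
!   GigabitEthernet0/0 = outside interface ("myinterface" in the post)
!   GigabitEthernet0/1 = inside interface

! Packets from the mail host toward VPN clients must NOT be translated,
! so deny them here; anything else from the host stays eligible for NAT.
ip access-list extended NAT_EXEMPT_VPN
 deny   ip host 192.168.1.25 10.10.10.0 0.0.0.255
 permit ip host 192.168.1.25 any

! Only packets permitted by the ACL match the route map, and only
! matching packets are translated by the static entry below.
route-map STATIC_NAT_VPN_EXEMPT permit 10
 match ip address NAT_EXEMPT_VPN

! SMTP port-forward, now conditioned on the route map. This replaces:
!   ip nat inside source static tcp 192.168.1.25 25 interface GigabitEthernet0/0 25
ip nat inside source static tcp 192.168.1.25 25 interface GigabitEthernet0/0 25 route-map STATIC_NAT_VPN_EXEMPT

! NAT roles must already be set on the interfaces for the entry to apply.
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
```

After applying it, show ip nat translations | include 192.168.1.25 should list translations for internet-sourced SMTP sessions but none for sessions between the mail host and the 10.10.10.0/24 VPN pool.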
I suspect that the NAT is taking precedence over the VPN. When you ping 192.168.x.x through the VPN, the return traffic hits the firewall and it sends it through the VPN. When you try to use port 25, I expect that the return traffic hits the firewall and is NAT'ed instead of going through the firewall.
I don't know the ins and outs of IOS, but you should be able to change the precedence and have the VPN operate "above" NAT. There may also be a setting in the VPN config telling it to ignore NAT in the VPNs.