IPSEC tunnel with NAT and NetMeeting

I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN however it is not able to call anyone passed the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
Thanks,

The following doc should help...
http://www.cisco.com/warp/public/707/ipsecnat.html

Similar Messages

  • IPsec tunnel with two RV180W in LAN

    Hi all,
    I've to set up a couple of RV180W devices to connect several branch offices with IPsec tunnels with one back office.
    Because I'm new to Cisco devices, my intention is to set up two RV180W devices in our LAN that way, that they establish an IPsec tunnel. Both of them have an IP address in the net 192.168.179.x and each RV180W has it's own IP net (192.168.10.x and 192.168.11.x). The idea is to have a PC in each of the networks of the RV180Ws and several outside to check by the PCs' visibility/connectivity whether the VPN is working or not. Later on I've to change the network addresses but I'll know that the IPsec settings are working.
    I've used the 'Basic VPN Setup' on both devices to configure the tunnel, but it won't be established, its status remains on 'IPsec SA Not Established'.
    Am I completely wrong with my approach? Or am I blind and oversee something essential within the configuration?
    Here the configurations of both devices:
    device 1:
    device 2:
    Thanks in advance for your ideas and help.
    Best regards, Lars

    I'm trying to connect an RV180W to my RV082 and I get IPSec SA Not Established.  I've checked my settings numerous times and they are the same on both routers (aside from different gateway ip and lan subnet)

  • Can a Cisco 881 router create an L2TP/IPsec tunnel via NAT to Windows 2008?

    Hi
    Was anyone successfull in setting up an L2TP/IPsec tunnel through NAT-T against a Windows 2008/ R2 RRAS server? I am using an 881 router and the layout is someting like this:
    Client -> 881 -> NAT -> internet -> Windows 2008 RRAS
    The tunnel goes form the 881 to the Windows server (not from the client...).
    Thanks
    Roland

    Hi Federico
    Thanks for your help! Much appreciated.
    In my case this should be transparent to the client - I would like not to initiate the connection from the client.
    Does that makes sense? I am considering L2TP because Windows 2008 R2 doesn't support IPSec tunnels through NAT (2008 R2 being the responder and the Cisco router the initiator of the IPSec connection).
    Regards
    Roland

  • 2800 w/ site-site tunnel using NAT and user tunnels

    I am using a 2800 to terminate a site-site IPSec tunnel using a crypto map. It is also used to terminate several user tunnels.
    Because of overlapping private address space there is a source NAT rule in place that overloads addresses prior to routing them across the site-site tunnel.
    The problem is that the user tunnels are not able to communicate with any host located on the far end of the site-site tunnel. The site-site tunnel (and it's NAT) works just fine for users coming from any other interface on the 2800.
    Does anyone have any ideas? I've gone ahead and attached the existing configuration for those that are brave or incredibly smart :) It is a fairly trashed config though, and I'm still trying to clean it up from where it was.
    Thank you VERY much ahead of time,
    Steve

    Duplicate posts.  :P
    Go here:  http://supportforums.cisco.com/discussion/12152361/2nd-site-site-ipsec-tunnel-nat-traversal-setting-fail-establish-however-1st

  • Help on establishing Ipsec tunnel btw 1941 and ASA

       We are creating an Ipsec tunnel over the internet to another site but is not working, could someone help me on what could be happening?
    My config:
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname XXXX
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    enable XXXXX
    enable password XXXXXX
    no aaa new-model
    no ipv6 cef
    ip source-route
    ip cef
    ip domain name yourdomain.com
    ip name-server XXX.XXX.XXX.XXX
    ip name-server XXX.XXX.XXX.XXX
    multilink bundle-name authenticated
    password encryption aes
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-4075439344
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4075439344
    revocation-check none
    rsakeypair TP-self-signed-4075439344
    crypto pki certificate chain TP-self-signed-4075439344
    certificate self-signed 01
      3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 34303735 34333933 3434301E 170D3131 30393139 30323236
      34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30373534
      33393334 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100A35E B6AC0BE0 57A53B45 8CF23671 F91A18AC 09F29E6D AEC70F4D EF3BDCD6
      269BFDED 44E26A98 7A1ABCAA DB756AFC 719C3D84 8B605C2A 7E99AF79 B72A84BC
      89046B2D 967BB775 978EF14D A0BD8036 523B2AE1 1890EB38 BCA3333B 463D1267
      22050A4F EAF4985A 7068024A A0425CE7 D3ADF5F5 C02B2941 67C9B654 6A7EF689
      049B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
      551D2304 18301680 1408B59A 57733D6E 157876B3 72A91F28 F8D95BAB D2301D06
      03551D0E 04160414 08B59A57 733D6E15 7876B372 A91F28F8 D95BABD2 300D0609
      2A864886 F70D0101 05050003 81810094 ED574BFE 95868A5D B539A70F 228CC08C
      E26591C2 16DF19AB 7A177688 D7BB1CCB 5CFE4CB6 25F0DDEB 640E6EFA 58636DC0
      238750DD 1ACF8902 96BB39B5 5B2F6DEC CB97CF78 23510943 E09801AF 8EB54020
      DF496E25 B787126F D1347022 58900537 844EF865 36CB8DBD 79918E4B 76D00196
      DD9950CB A40FC91B 4BCDE0DC 1B217A
            quit
    license udi pid CISCO1941/K9 sn FTX1539816K
    license boot module c1900 technology-package securityk9
    username XXXXXXXXXXXXXX
    redundancy
    crypto isakmp policy 60
    encr aes
    authentication pre-share
    group 2
    crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
    crypto isakmp profile mode
       keyring default
       self-identity address
       match identity host XXX.XXX.XXX.XXX
       initiate mode aggressive
    crypto ipsec transform-set VPNbrasil esp-aes esp-sha-hmac
    crypto map outside 60 ipsec-isakmp
    set peer XXX.XXX.XXX.XXX
    set transform-set VPNbrasil
    set pfs group2
    match address vpnbrazil
    interface Tunnel0
    ip unnumbered GigabitEthernet0/1
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description WAN
    ip address XXX.XXX.XXX.XXX 255.255.255.248
    ip nat outside
    no ip virtual-reassembly in
    duplex full
    speed 100
    crypto map outside
    interface GigabitEthernet0/1
    description Intercon_LAN
    ip address XXX.XXX.XXX.XXX 255.255.255.252
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map outside
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 2 interface GigabitEthernet0/1 overload
    ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX name Internet
    ip access-list extended natvpnout
    permit ip host XXX.XXX.XXX.XXX any
    permit ip any any
    ip access-list extended vpnbrazil
    permit icmp XXX.XXX.XXX.XXX 0.0.0.255 any
    permit icmp any XXX.XXX.XXX.XXX 0.0.0.255
    permit ip any any
    access-list 1 permit any
    access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.1 log
    access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.7
    access-list 3 permit XXX.XXX.XXX.XXX
    access-list 23 permit XXX.XXX.XXX.XXX 0.0.0.7
    access-list 23 permit any log
    control-plane
    b!
    line con 0
    login local
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    access-class 23 in
    privilege level 15
    login local
    transport input all
    telnet transparent
    line vty 5
    access-class 23 in
    privilege level 15
    login
    transport input all
    telnet transparent
    line vty 6 15
    access-class 23 in
    access-class 23 out
    privilege level 15
    login local
    transport input telnet ssh
    transport output all
    Could someone please help me on what could be wrong? and What tests should I do?
    Rds,
    Luiz

    try a simple configuration w/o isakmp proflies
    have a look at this link:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml

  • IPSEC tunnel Phase 1 and 2

    Guys was checking ASA config and we have many IPSEC tunnels
    one of the IPSEC tunnel has follwoing
    crypto map clientmap 40 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
    whats does the second means normally oter IPSEC has
    crypto map clientmap 14 set transform-set ESP-3DES-MD5
    what is a clientmap anyway will appriciate if someone plz explain

    Hi,
    The "crypto map" settings belong to the Phase II portion of your VPN tunnel (with some exceptions).
    Here you usually define the following paratemers (most common):
    1- Protected traffic, "match address" command.
    2- Transform-set, integrity and authentication.
    3- VPN peer.
    So the transform-set "ESP-3DES-SHA" probably is "esp-3des esp-sha-hmac" which means:
    ESP with the 3DES encryption algorithm.
    ESP with the SHA (HMAC variant) authentication algorithm,
    Now, you can have many valid combinations like "ESP-3DES-SHA" and "ESP-3DES-MD5", this would be useful in case you do not know which transform-set the other side of the tunnel has configured (there must be at least one perfect match).
    Here is good link to set up L2L tunnels on ASAs:
    Configuring LAN-to-LAN VPNs
    Hope to help.
    Portu.
    Please rate any helpful posts

  • Problems with NAT and UDP

    hi Everyone,
    I'm running a Cisco 3620 with two interfaces, a FE and an ADSL WIC, and I'm noticing some unexpected behaviour with NAT(ing) some UDP ports, here are the config rules in question:
    ip nat inside source static udp 192.168.100.26 14000 interface Dialer1  14000
    ip nat inside source static udp 192.168.100.26 14001 interface Dialer1  14001
    ip nat inside source static udp 192.168.100.26 14001 interface Dialer1  14002
    when I receive traffic through those ports, I see the following in
    show ip nat translations | include 14000
    udp 64.7.136.227:1038     192.168.100.26:14000  67.163.252.29:62564    67.163.252.29:62564
    udp 64.7.136.227:1039     192.168.100.26:14000   67.163.252.29:62564   67.163.252.29:62564
    udp 64.7.136.227:1040      192.168.100.26:14000  67.163.252.29:62564   67.163.252.29:62564
    udp  64.7.136.227:1041     192.168.100.26:14000  67.163.252.29:62564    67.163.252.29:62564
    udp 64.7.136.227:1042     192.168.100.26:14000   67.163.252.29:62564   67.163.252.29:62564
    udp 64.7.136.227:1043      192.168.100.26:14000  67.163.252.29:62564   67.163.252.29:62564
    udp  64.7.136.227:1044     192.168.100.26:14000  67.163.252.29:62564    67.163.252.29:62564
    udp 64.7.136.227:14000    192.168.100.26:14000   ---                   ---
    How can I make this NAT static so that every host originates from port 14000 rather then a dynamic one that is being assigned now?
    Any help is greatly appreaciated.
    Aleks

    Perhaps I wasn't clear enough in what I needed it to do, here's a show ip nat translations for another (working) NAT
    (d) port on the same router:
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:54375 xxx.xxx.xxx.xxx:54375
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:50183  xxx.xxx.xxx.xxx:50183
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:50891  xxx.xxx.xxx.xxx:50891
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:60443   xxx.xxx.xxx.xxx:60443
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:2897     xxx.xxx.xxx.xxx:2897
    tcp 64.7.136.227:6667     192.168.100.199:6667  xxx.xxx.xxx.xxx:51890    xxx.xxx.xxx.xxx:51890
    Notice how the forwarded port is the same on the router interface (64.7.136.227:6667) accross all of the connections that have connected. Now this NAT rule behaves as it should, same syntax used as for the one I originally posted
    ip nat inside source static tcp 192.168.100.199 6667 interface Dialer1 6667
    the only difference is that this one gets properly assigned to the requested port, whereas these rules
    ip nat inside source static udp 192.168.100.26 14000 interface  Dialer1  14000
    ip nat inside source static udp 192.168.100.26  14001 interface Dialer1  14001
    ip nat inside source static udp  192.168.100.26 14001 interface Dialer1  14002
    have a dynamically assigned port on (64.7.136.227) interface, as the show ip nat translations shows:
    udp 64.7.136.227:1038     192.168.100.26:14000  67.163.252.29:62564     67.163.252.29:62564
    udp 64.7.136.227:1039     192.168.100.26:14000    67.163.252.29:62564   67.163.252.29:62564
    udp 64.7.136.227:1040       192.168.100.26:14000  67.163.252.29:62564   67.163.252.29:62564
    Basically how do I get the three rules to behave the same way as the one on top does...
    Thank you,
    Aleks

  • ASA5505 Upgrade to 9.1.5 from 8.4.1 - problem with nat and accessing external host

    When running on 8.4 i had a working config with the following scenario.
    I have 2 interfaces configured as the outside interface.
    One is connected to my internet connection
    The other one is connected to a host that has a public ip.
    The public host can access internet and also a PAT port on an internal host.
    But after the upgrade the internal hosts can't access the external host but everything else on internet 
    packet-tracer input inside tcp 10.x.x.11 1024 x.x.x.89 22
    Phase: 1
    Type: ACCESS-LIST
    Subtype: 
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   x.x.x.0    255.255.240.0   outside
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop  
    Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
    If i add 1 to the destination ip:
    packet-tracer input inside tcp 10.x.x.11 1024 x.x.x.90 22
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   x.x.x.0    255.255.240.0   outside
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group inside_access_in in interface inside
    access-list inside_access_in extended permit ip any4 any4 
    Additional Information:
    Phase: 3
    Type: NAT
    Subtype: 
    Result: ALLOW
    Config:
    nat (inside,outside) source dynamic any interface
    Additional Information:
    Dynamic translate 10.x.x.11/1024 to x.x.x.80/1024
    Phase: 4
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (inside,outside) source dynamic any interface
    Additional Information:
    Phase: 7      
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: IP-OPTIONS
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW 
    Config:
    Additional Information:
    Phase: 11
    Type: FLOW-CREATION
    Subtype: 
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 98586, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    Nat rules:
    nat (inside,outside) source static IPv6_HOST interface service https https
    nat (inside,outside) source static IPv6_HOST interface service http http
    nat (inside,outside) source static IPv6_HOST interface service ssh ssh
    nat (inside,outside) source static INTERNAL interface destination static EXTERNAL EXTERNAL service apcupsd apcupsd
    nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
    nat (inside,outside) source dynamic any interface
    The EXTERNAL is the host that is connected to an outside interface and that NAT rule works ok.
    I can ping the EXTERNAL host from the ASA but not from the internal network.
    Any ideas would be appreciated.

    Hmmm, by adding the following i got it working:
    nat (inside,outside) source static IPv6_HOST interface service https https
    nat (inside,outside) source static IPv6_HOST interface service http http
    nat (inside,outside) source static IPv6_HOST interface service ssh ssh
    nat (inside,outside) source static INTERNAL interface destination static EXTERNAL EXTERNAL service apcupsd apcupsd
    nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
    nat (inside,outside) source dynamic inside interface destination static EXTERNAL EXTERNAL
    nat (inside,outside) source dynamic any interface
    It is a bit complicated though since the EXTERNAL host get it's address via DHCP and so does the ASA.

  • Slow file browsing in MED-V / XP Mode with NAT and DFS

    Note, for the purposes of this question, this issue is with the Windows Virtual PC / XP Mode integration portion of MED-V so is not MED-V specific.
    We are in the process of deploying hundreds of MED-V instances to Windows 7 PCs to support legacy applications until they are replaced with versions that are compatible with Windows 7.  Due to security concerns and our network infrastructure configuration,
    we are required to use "Shared Networking (NAT)" mode for the Windows XP virtual machines.  Our network drives are mapped to DFS shares.  Depending on the site and drive mappings of a user, when opening or saving a file in an application,
    it can take several minutes to browse to the target directory, even if it's not on a DFS share.  Occasionally, it takes so long that the RemoteApp window hangs and disappears, even though the application is still running in the Windows XP VM.
    Running network traces in the VM, I can see that Windows XP tries to "ping" all of the DFS targets whenever the network drives are enumerated, such as when clicking on My Computer.  It waits for responses, then eventually times out. 
    From what I understand, this is the way that Windows XP determines which DFS target link is the fastest.  Unfortunately, since vpc.exe does not run with admin rights in Windows 7, ICMP (ping sends ICMP ECHO REQUESTS) is blocked by the NAT
    between the VM and the Windows 7 host.  (This is why you cannot ping other PCs on the network from within the Windows XP VM when using NAT.)  Therefore, the long wait times happen while XP waits for the replies that never come.
    To verify that this is indeed the problem, I started vpc.exe with admin rights, then started the MED-V Workspace.  I could ping other computers now from within XP and browsing took seconds instead of minutes.  However, our users will not have admin
    rights in Windows 7 so this is not an option for them.  I also tested in bridged mode instead of Shared Networking mode with the same positive results.  However, this is also not an option in our environment.
    Any solutions or recommendations will be greatly appreciated.
    Thank you in advance,
    Victor S.
    Victor S. - Sogeti USA

    Hi,
    I would do some research on this issue.
    And I would update as soon as possible.
    If you have any feedback on our support, please click
    here
    Alex Zhao
    TechNet Community Support

  • Problem with NAT and RDP

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin:0in;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:10.0pt;
    font-family:"Times New Roman";
    mso-ansi-language:#0400;
    mso-fareast-language:#0400;
    mso-bidi-language:#0400;}
    I am not an IT manager, but I am trying to set up an additional route through our router for RDP using NAT. I have successfully set up two other workstations doing this, but the third is not working. I set the first two up by forwarding the public IP address on a port to the internal IP address on the RDP port 3389. The two other workstations are set up this way and work great. The third is set up the same way, but I cannot get in from outside. I can RDP to the workstation from inside the local network. Our network has no it manager.

    Hello,
    from what I can see in your non-working configuration, you are using the same address space on two different interfaces:
    interface FastEthernet0/0
    ip address 63.245.89.83 255.255.255.248
    interface FastEthernet1/0
    description connected to metrored
    ip address 63.245.89.82 255.255.255.248
    The router should actually generate an error message telling you that there is an overlapping address space once you try and 'no shut' the FastEthernet1/0 interface.
    Regards,
    GP

  • Problems with NAT and xbox live

    i could once connect to xbox live using my westell 6100g which i received as an upgrade from the regular 6100 about 5 days ago. It worked fine yesterday and today it decided to change my NAT from "Open" to "Moderate".
    how can i access my NAT so i can fix this frustrating problem? or how can i fix this ? I tried microsofts solutions including port forwarding but nothing works. my guess is my only option is to change the NAT but the interface of westell 6100's page is barely user friendly, and im a tech savvy guy. any help ?

    Your other thread
    http://www.dslreports.com/forum/remark,24291307
    If you are the original poster (OP) and your issue is solved, please remember to click the "Solution?" button so that others can more easily find it. If anyone has been helpful to you, please show your appreciation by clicking the "Kudos" button.

  • IChat AV with NAT and more than one Mac

    I am a bit confused about firewall settings for iChat AV. I have a netgear FVS328 router. Obviously to have iChat working, I first open the firewall on my mac (Tiger) for the appropriate ports. Then I defined a service on the router and a rule to open those ports. It works... however, I have an issue.
    In the router firewall setup I had to give an LAN IP Address to which packets for those specific iChat ports would be forwarded. Now, I understand this when a connexion is ignited from the Internet and (for example) you would want all HTTP trafic on port 80 to go to your web server. But here I have more than one mac behind my firewall. Moreover, they get there address by DHCP. I can't change the firewall setting each time I want to chat from a different computer!
    I tried to have a look at port triggering, but it doens't seem to exist on the netgear. But even though, I would have to specify an IP address on my LAN.
    Why is this needed since basically both iChat parties are already connected to .Mac so the connexion is made!
    I am also wondering how they manage that kind of problem in Internet cafes where they certainly do not have a fixed Internet IP address for each PC or Mac available!

    It is not possible to port forward the same port number to more than one computer on any router that does NAT. It is impossible for the router to know which of the computers to send it to and sending it to both would confuse the software.
    Think of it another way all post for a particular house is delivered by a postman. Once posted in the mailbox someone picks it up and ensures it reaches the correct person by the name written on the post. Now if you have 2 John Smiths in the same house nobody will know which one it is for. The same applies to the port numbers on the router. Some applications allow you to select a unique range of ports for each computer so you can organize a unique port for each computer but iChat doesn't.

  • IPSec tunnel and policy NAT question

    Hello All!
    I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:
    1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end
    2. I need to translate outgoin IP address of our end of IPSec tunnel to a different IP address
    I have impemented following configuration, but for some reason it is not working, I get packets decrypted on my end, but dont have packets encrypted to send to the other end.
    Here is the configuration
    Remote end  crypto interesting ACL:
    ip access-list extended crypto-interesting-remote
    permit ip host 192.168.1.10 host 10.0.0.10
    My end configuration:
    interface GigabitEthernet0/0
    ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map VPN
    ip access-list extended crypto-interesting-local
    permit ip host 10.0.0.10 host 192.168.1.10
    interface GigabitEthernet0/3
    ip address 172.16.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    speed auto
    ip nat inside source static 172.16.0.20 10.0.0.10   (to translate loca IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)
    ip nat outside source static 192.168.1.10 192.168.168.10 (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
    All the routes are set, crypto ipsec tunnel is up and working and I am wondering if this is possible to achieve two-way NAT translation ?
    Any response highly appreciated!
    Thanks!

    Figured that out.
    The problem was in route
    ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
    should be next-hop IP address instead of interface gigabitethernet0/0
    Apparently packet arrives on the interface but does not pass it, when having route like this, becuase there is no one sitting with 192.168.168.10 ip address on the outside

  • Ipsec together with outside NAT

    Hi,
    I have small office that is connected to the main office over a ipsec tunnel.
    On the main office lan I have a server that only accept traffic from the main office inside lan.
    Therefor I need to NAT incoming traffic from the ipsec tunnel with a new source address (a address from main office inside).
    The ipsec tunnel is up and working.
    How should the NAT look like?
    I have tried with the "ip nat outside source "command, but it did not work completely (the traffic was NATed but when the response come the traffic was not sent back in to the tunnel.
    Regards Niklas

    You have to do NAT both ways and make sure that the config for ipsec tunnel is proper to allow the reply traffic to be sent via the tunnel. Following link may help you
    http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html

  • IPSEC Tunnel between JUNIPER (SSG 20) and CISCO PIX 501

    I have successfully established the IPSEC tunnel with juniper firewall by using cisco Pix 501 (6.3 version). The problem I am facing, I have network layer connectivity but after time interval I am not able to send the traffic on destination IP address on specific port, but can successfully PING the destination IP. On both firewalls the IPs are permitted for all ports.

    Dear Mr.
    The same problem has occured with me.

Maybe you are looking for

  • Lg Ally - slideshow text message - How to save??

    Hello,   I was sent a text message with pictures which became a slideshow. I cant save the slideshow to my pictures. No menu pops up, only a slide show count down. How do i save the slideshow into my pictures?

  • Outlook Integration inconsistencies

    Dear Members, I have been testing the outlook integration functionality in Sap B1 2005 and Sap B1 2007 and the concept is very good because it enhances CRM for clients as well as integrated communication into the erp package. However, I have found so

  • Blackberry Link - accessing backed up contacts

    I already backed up my BlackBerry before, how can I actually see all the contacts on my computer from the back up?

  • Total on Count Distinct does'nt display Sum

    Hi I use Discoverer 9.0.2.39.01. In a crosstab layout, the datat point is a calculation item which perform Count_Distinct. I try to define a Grand Total (right and bottom) but I achieve no data. any advices? thanks

  • ORABPEL-03002

    I am using Oracle BPEL Process Manager 2.1.2 also Oracle BPEL Designer PM Designer 2.2 is installed. When I lauch PM server I get the following error, how can i solve it ORABPEL-03002 error. Cannot lookup db schema version. The process domain was una