IPSEC tunnel with NAT and NetMeeting
I have established an IPSEC tunnel with two Cisco 2621 routers. Clients over the Internet are able to dial into the MCU server, which is behind one of the Cisco 2621 routers configured with NAT, but the MCU is not able to call the client. The MCU is able to call any server or client on the LAN; however, it is not able to call anyone past the router configured with NAT. Could anyone who has experience with NAT and IPSEC help me out?
Thanks,
The following doc should help...
http://www.cisco.com/warp/public/707/ipsecnat.html
Similar Messages
-
IPsec tunnel with two RV180W in LAN
Hi all,
I have to set up a couple of RV180W devices to connect several branch offices with IPsec tunnels to one back office.
Because I'm new to Cisco devices, my intention is to set up two RV180W devices in our LAN in such a way that they establish an IPsec tunnel. Both of them have an IP address in the net 192.168.179.x and each RV180W has its own IP net (192.168.10.x and 192.168.11.x). The idea is to have a PC in each of the networks of the RV180Ws and several outside, to check by the PCs' visibility/connectivity whether the VPN is working or not. Later on I'll have to change the network addresses, but I'll know that the IPsec settings are working.
I've used the 'Basic VPN Setup' on both devices to configure the tunnel, but it won't be established; its status remains at 'IPsec SA Not Established'.
Am I completely wrong with my approach? Or am I blind and overlooking something essential within the configuration?
Here are the configurations of both devices:
device 1:
device 2:
Thanks in advance for your ideas and help.
Best regards, Lars
I'm trying to connect an RV180W to my RV082 and I get IPSec SA Not Established. I've checked my settings numerous times and they are the same on both routers (aside from different gateway IP and LAN subnet).
-
Can a Cisco 881 router create an L2TP/IPsec tunnel via NAT to Windows 2008?
Hi
Was anyone successful in setting up an L2TP/IPsec tunnel through NAT-T against a Windows 2008/R2 RRAS server? I am using an 881 router and the layout is something like this:
Client -> 881 -> NAT -> internet -> Windows 2008 RRAS
The tunnel goes from the 881 to the Windows server (not from the client...).
Thanks
Roland
Hi Federico
Thanks for your help! Much appreciated.
In my case this should be transparent to the client - I would like not to initiate the connection from the client.
Does that make sense? I am considering L2TP because Windows 2008 R2 doesn't support IPSec tunnels through NAT (2008 R2 being the responder and the Cisco router the initiator of the IPSec connection).
Regards
Roland -
2800 w/ site-site tunnel using NAT and user tunnels
I am using a 2800 to terminate a site-site IPSec tunnel using a crypto map. It is also used to terminate several user tunnels.
Because of overlapping private address space there is a source NAT rule in place that overloads addresses prior to routing them across the site-site tunnel.
The problem is that the user tunnels are not able to communicate with any host located on the far end of the site-site tunnel. The site-site tunnel (and its NAT) works just fine for users coming from any other interface on the 2800.
Does anyone have any ideas? I've gone ahead and attached the existing configuration for those that are brave or incredibly smart :) It is a fairly trashed config though, and I'm still trying to clean it up from where it was.
Thank you VERY much ahead of time,
Steve
Duplicate posts. :P
Go here: http://supportforums.cisco.com/discussion/12152361/2nd-site-site-ipsec-tunnel-nat-traversal-setting-fail-establish-however-1st -
Help on establishing Ipsec tunnel btw 1941 and ASA
We are creating an Ipsec tunnel over the internet to another site but it is not working; could someone help me on what could be happening?
My config:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname XXXX
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable XXXXX
enable password XXXXXX
no aaa new-model
no ipv6 cef
ip source-route
ip cef
ip domain name yourdomain.com
ip name-server XXX.XXX.XXX.XXX
ip name-server XXX.XXX.XXX.XXX
multilink bundle-name authenticated
password encryption aes
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-4075439344
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4075439344
revocation-check none
rsakeypair TP-self-signed-4075439344
crypto pki certificate chain TP-self-signed-4075439344
certificate self-signed 01
quit
license udi pid CISCO1941/K9 sn FTX1539816K
license boot module c1900 technology-package securityk9
username XXXXXXXXXXXXXX
redundancy
crypto isakmp policy 60
encr aes
authentication pre-share
group 2
crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
crypto isakmp profile mode
keyring default
self-identity address
match identity host XXX.XXX.XXX.XXX
initiate mode aggressive
crypto ipsec transform-set VPNbrasil esp-aes esp-sha-hmac
crypto map outside 60 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set VPNbrasil
set pfs group2
match address vpnbrazil
interface Tunnel0
ip unnumbered GigabitEthernet0/1
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description WAN
ip address XXX.XXX.XXX.XXX 255.255.255.248
ip nat outside
no ip virtual-reassembly in
duplex full
speed 100
crypto map outside
interface GigabitEthernet0/1
description Intercon_LAN
ip address XXX.XXX.XXX.XXX 255.255.255.252
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
crypto map outside
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX name Internet
ip access-list extended natvpnout
permit ip host XXX.XXX.XXX.XXX any
permit ip any any
ip access-list extended vpnbrazil
permit icmp XXX.XXX.XXX.XXX 0.0.0.255 any
permit icmp any XXX.XXX.XXX.XXX 0.0.0.255
permit ip any any
access-list 1 permit any
access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.1 log
access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.7
access-list 3 permit XXX.XXX.XXX.XXX
access-list 23 permit XXX.XXX.XXX.XXX 0.0.0.7
access-list 23 permit any log
control-plane
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input all
telnet transparent
line vty 5
access-class 23 in
privilege level 15
login
transport input all
telnet transparent
line vty 6 15
access-class 23 in
access-class 23 out
privilege level 15
login local
transport input telnet ssh
transport output all
Could someone please help me with what could be wrong, and what tests should I do?
Rds,
Luiz
Try a simple configuration without ISAKMP profiles.
have a look at this link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml -
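The reply above recommends simplifying, and several NAT/crypto interactions in Luiz's posted config can also be checked mechanically. The following is an added Python example, not code from the thread: it parses an IOS running-config (a constructed sample that mirrors the posted one, with documentation addresses 198.51.100.0/29, 192.0.2.0/30 and 203.0.113.9 standing in for the XXX placeholders) and flags a crypto ACL that permits ip any any, a NAT overload pointing at an interface that is not ip nat outside, a NAT ACL that cannot exempt tunnel traffic from translation, and a crypto map applied on more than one interface.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the config posted above; the poster's XXX
# placeholders are replaced by documentation addresses. Sub-mode lines are
# indented by one space, as IOS prints them in 'show running-config'.
SAMPLE = """\
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
 crypto map outside
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.252
 ip nat inside
 crypto map outside
crypto map outside 60 ipsec-isakmp
 set peer 203.0.113.9
 match address vpnbrazil
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip access-list extended vpnbrazil
 permit icmp 192.0.2.0 0.0.0.255 any
 permit ip any any
access-list 2 permit 192.0.2.0 0.0.0.1 log
"""

NAT_RE = re.compile(r"^ip nat inside source list (\S+) interface (\S+)", re.M)


def parse_ios(text):
    """Collect interface, crypto-map and ACL blocks from a running-config dump."""
    cfg = {"interfaces": {}, "crypto_maps": defaultdict(list),
           "named_acls": defaultdict(list), "numbered_acls": defaultdict(list)}
    block = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):              # sub-mode command of the current block
            if block is not None:
                block.append(raw.strip())
            continue
        words, block = raw.split(), None
        if words[0] == "interface":
            block = cfg["interfaces"].setdefault(words[1], [])
        elif words[:2] == ["crypto", "map"]:
            block = cfg["crypto_maps"][words[2]]
        elif words[:2] == ["ip", "access-list"]:
            block = cfg["named_acls"][words[3]]
        elif words[0] == "access-list":
            cfg["numbered_acls"][words[1]].append(" ".join(words[2:]))
    return cfg


def audit(text):
    """Findings about how NAT and the crypto map interact in this config."""
    cfg, findings = parse_ios(text), []
    nat_outside = {n for n, l in cfg["interfaces"].items() if "ip nat outside" in l}
    # 1. the crypto ACL should name only tunnel traffic; 'any any' makes everything interesting
    for name, lines in cfg["crypto_maps"].items():
        for acl in (l.split()[2] for l in lines if l.startswith("match address")):
            if "permit ip any any" in cfg["named_acls"].get(acl, []):
                findings.append(f"crypto ACL {acl} (map {name}) permits ip any any")
    # 2. the overload interface must be 'ip nat outside'
    # 3. the NAT ACL must be able to exempt tunnel traffic: extended, with deny entries
    for acl, iface in NAT_RE.findall(text):
        if iface not in nat_outside:
            findings.append(f"NAT overload interface {iface} is not 'ip nat outside'")
        entries = cfg["named_acls"].get(acl) or cfg["numbered_acls"].get(acl, [])
        if acl.isdigit() and (int(acl) < 100 or 1300 <= int(acl) <= 1999):
            findings.append(f"NAT list {acl} is a standard ACL; it cannot exempt tunnel traffic by destination")
        elif not any(e.startswith("deny") for e in entries):
            findings.append(f"NAT list {acl} has no deny entry exempting tunnel traffic")
    # 4. the same crypto map on several interfaces deserves a second look
    applied = defaultdict(list)
    for iface, lines in cfg["interfaces"].items():
        for l in (x for x in lines if x.startswith("crypto map")):
            applied[l.split()[2]].append(iface)
    findings += [f"crypto map {n} applied on {len(i)} interfaces" for n, i in applied.items() if len(i) > 1]
    return findings
```

`audit(SAMPLE)` returns four findings for the constructed config; a config whose NAT ACL denies the crypto-interesting source/destination pair before its permit, overloads to the ip nat outside interface and carries the crypto map only there returns an empty list.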
Guys, I was checking the ASA config and we have many IPSEC tunnels.
One of the IPSEC tunnels has the following:
crypto map clientmap 40 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
What does the second one mean? Normally the other IPSEC tunnels have
crypto map clientmap 14 set transform-set ESP-3DES-MD5
What is a clientmap anyway? Will appreciate if someone please explains.
Hi,
The "crypto map" settings belong to the Phase II portion of your VPN tunnel (with some exceptions).
Here you usually define the following parameters (most common):
1- Protected traffic, "match address" command.
2- Transform-set, integrity and authentication.
3- VPN peer.
So the transform-set "ESP-3DES-SHA" probably is "esp-3des esp-sha-hmac" which means:
ESP with the 3DES encryption algorithm.
ESP with the SHA (HMAC variant) authentication algorithm.
Now, you can have many valid combinations like "ESP-3DES-SHA" and "ESP-3DES-MD5", this would be useful in case you do not know which transform-set the other side of the tunnel has configured (there must be at least one perfect match).
Here is a good link to set up L2L tunnels on ASAs:
Configuring LAN-to-LAN VPNs
Hope to help.
Portu.
-
Hi everyone,
I'm running a Cisco 3620 with two interfaces, a FE and an ADSL WIC, and I'm noticing some unexpected behaviour when NATing some UDP ports. Here are the config rules in question:
ip nat inside source static udp 192.168.100.26 14000 interface Dialer1 14000
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14001
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14002
when I receive traffic through those ports, I see the following in
show ip nat translations | include 14000
udp 64.7.136.227:1038 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1039 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1040 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1041 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1042 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1043 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1044 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:14000 192.168.100.26:14000 --- ---
How can I make this NAT static so that every host originates from port 14000 rather than a dynamic one that is being assigned now?
Any help is greatly appreciated.
Aleks
Perhaps I wasn't clear enough in what I needed it to do; here's a show ip nat translations for another (working) NATed port on the same router:
tcp 64.7.136.227:6667 192.168.100.199:6667 xxx.xxx.xxx.xxx:54375 xxx.xxx.xxx.xxx:54375
tcp 64.7.136.227:6667 192.168.100.199:6667 xxx.xxx.xxx.xxx:50183 xxx.xxx.xxx.xxx:50183
tcp 64.7.136.227:6667 192.168.100.199:6667 xxx.xxx.xxx.xxx:50891 xxx.xxx.xxx.xxx:50891
tcp 64.7.136.227:6667 192.168.100.199:6667 xxx.xxx.xxx.xxx:60443 xxx.xxx.xxx.xxx:60443
tcp 64.7.136.227:6667 192.168.100.199:6667 xxx.xxx.xxx.xxx:2897 xxx.xxx.xxx.xxx:2897
tcp 64.7.136.227:6667 192.168.100.199:6667 xxx.xxx.xxx.xxx:51890 xxx.xxx.xxx.xxx:51890
Notice how the forwarded port is the same on the router interface (64.7.136.227:6667) across all of the connections that have connected. Now this NAT rule behaves as it should, with the same syntax used as for the one I originally posted:
ip nat inside source static tcp 192.168.100.199 6667 interface Dialer1 6667
the only difference is that this one gets properly assigned to the requested port, whereas these rules
ip nat inside source static udp 192.168.100.26 14000 interface Dialer1 14000
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14001
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14002
have a dynamically assigned port on (64.7.136.227) interface, as the show ip nat translations shows:
udp 64.7.136.227:1038 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1039 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1040 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
Basically how do I get the three rules to behave the same way as the one on top does...
Thank you,
Aleks -
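The comparison Aleks makes by eye between the static rules and the translation table can be automated. This is an added Python example (not from the thread) that parses the posted static NAT rules and `show ip nat translations` lines, reports translation entries whose inside-global port is not the one the static rule asked for, and reports inside sockets that more than one static rule claims; the sample input is taken from the thread above, with the TCP line's outside address kept as the poster's xxx placeholder.

```python
import re

# Sample input taken from the thread above: the three static UDP rules, the
# working TCP rule, and a few lines of 'show ip nat translations'.
STATIC_RULES = """\
ip nat inside source static udp 192.168.100.26 14000 interface Dialer1 14000
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14001
ip nat inside source static udp 192.168.100.26 14001 interface Dialer1 14002
ip nat inside source static tcp 192.168.100.199 6667 interface Dialer1 6667
"""

# Columns: Pro, Inside global, Inside local, Outside local, Outside global.
XLATE_TABLE = """\
udp 64.7.136.227:1038 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:1039 192.168.100.26:14000 67.163.252.29:62564 67.163.252.29:62564
udp 64.7.136.227:14000 192.168.100.26:14000 --- ---
tcp 64.7.136.227:6667 192.168.100.199:6667 xxx.xxx.xxx.xxx:54375 xxx.xxx.xxx.xxx:54375
"""

RULE_RE = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)")
XLATE_RE = re.compile(r"(tcp|udp) (\S+):(\d+) (\S+):(\d+) (\S+) (\S+)")


def parse_static_rules(text):
    """Map (proto, inside-local IP, inside-local port) -> list of global ports."""
    rules = {}
    for proto, ip, lport, gport in RULE_RE.findall(text):
        rules.setdefault((proto, ip, int(lport)), []).append(int(gport))
    return rules


def duplicate_inside_sockets(rules_text):
    """Inside sockets named by more than one static rule. A packet from such a
    socket can only receive one translation, so the extra rule is a misconfiguration."""
    return [k for k, ports in parse_static_rules(rules_text).items() if len(ports) > 1]


def find_port_mismatches(rules_text, xlate_text):
    """Translation entries whose inside-global port is not the one the static
    rule asks for, i.e. the flow received a dynamically assigned port instead."""
    rules, problems = parse_static_rules(rules_text), []
    for line in xlate_text.splitlines():
        m = XLATE_RE.match(line)
        if not m:
            continue
        proto, _gip, gport, lip, lport = m.groups()[:5]
        expected = rules.get((proto, lip, int(lport)))
        if expected is not None and int(gport) not in expected:
            problems.append((line, expected))
    return problems


if __name__ == "__main__":
    for sock in duplicate_inside_sockets(STATIC_RULES):
        print("conflicting static rules for", sock)
    for line, expected in find_port_mismatches(STATIC_RULES, XLATE_TABLE):
        print(f"dynamic port used (static rule wants {expected}): {line}")
```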
When running on 8.4 I had a working config with the following scenario.
I have 2 interfaces configured as the outside interface.
One is connected to my internet connection
The other one is connected to a host that has a public ip.
The public host can access internet and also a PAT port on an internal host.
But after the upgrade the internal hosts can't access the external host, though they can reach everything else on the internet.
packet-tracer input inside tcp 10.x.x.11 1024 x.x.x.89 22
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in x.x.x.0 255.255.240.0 outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
If I add 1 to the destination IP:
packet-tracer input inside tcp 10.x.x.11 1024 x.x.x.90 22
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in x.x.x.0 255.255.240.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any4 any4
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Dynamic translate 10.x.x.11/1024 to x.x.x.80/1024
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 98586, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Nat rules:
nat (inside,outside) source static IPv6_HOST interface service https https
nat (inside,outside) source static IPv6_HOST interface service http http
nat (inside,outside) source static IPv6_HOST interface service ssh ssh
nat (inside,outside) source static INTERNAL interface destination static EXTERNAL EXTERNAL service apcupsd apcupsd
nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
nat (inside,outside) source dynamic any interface
The EXTERNAL is the host that is connected to an outside interface and that NAT rule works ok.
I can ping the EXTERNAL host from the ASA but not from the internal network.
Any ideas would be appreciated.
Hmmm, by adding the following I got it working:
nat (inside,outside) source static IPv6_HOST interface service https https
nat (inside,outside) source static IPv6_HOST interface service http http
nat (inside,outside) source static IPv6_HOST interface service ssh ssh
nat (inside,outside) source static INTERNAL interface destination static EXTERNAL EXTERNAL service apcupsd apcupsd
nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
nat (inside,outside) source dynamic inside interface destination static EXTERNAL EXTERNAL
nat (inside,outside) source dynamic any interface
It is a bit complicated though, since the EXTERNAL host gets its address via DHCP and so does the ASA. -
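The two packet-tracer runs above differ in a way that is easy to miss when reading raw output: the dropped packet never reaches a NAT phase at all. The following is an added Python example, not from the thread, that parses ASA packet-tracer output into its phases and final verdict, extracts the drop-reason code, and lists the NAT statements a packet matched. The sample traces are constructed by abridging the two posted ones (the working trace keeps only its route-lookup and NAT phases, renumbered).

```python
import re

# Constructed samples abridged from the two traces in the thread above: the
# failing run (destination x.x.x.89) and the working run (x.x.x.90), the latter
# cut down to its route-lookup and NAT phases and renumbered.
DROP_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in x.x.x.0 255.255.240.0 outside
Result:
input-interface: inside
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
"""

ALLOW_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in x.x.x.0 255.255.240.0 outside
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Dynamic translate 10.x.x.11/1024 to x.x.x.80/1024
Result:
input-interface: inside
Action: allow
"""

SECTIONS = ("Config", "Additional Information")


def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts and the final verdict."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "Config": [],
                   "Additional Information": []}
            phases.append(cur)
            section = None
        elif line == "Result:":          # a bare 'Result:' opens the final block
            cur = None
        elif cur is None:                # final block: 'key: value' pairs
            key, _, val = line.partition(":")
            final[key] = val.strip()
        else:
            key, _, val = line.partition(":")
            if key in SECTIONS and not val.strip():
                section = key            # free-form lines that follow belong here
            elif key in ("Type", "Subtype", "Result") and section is None:
                cur[key] = val.strip()
            elif section:
                cur[section].append(line)
    m = re.match(r"\(([^)]+)\)", final.get("Drop-reason", ""))
    return {"phases": phases, "action": final.get("Action"),
            "drop_code": m.group(1) if m else None}


def nat_rules_hit(trace):
    """NAT statements the packet matched, in order; an empty list means the
    packet was dropped before any NAT phase, as in the failing trace."""
    return [c for p in trace["phases"] if p.get("Type") == "NAT" for c in p["Config"]]
```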
Slow file browsing in MED-V / XP Mode with NAT and DFS
Note, for the purposes of this question, this issue is with the Windows Virtual PC / XP Mode integration portion of MED-V so is not MED-V specific.
We are in the process of deploying hundreds of MED-V instances to Windows 7 PCs to support legacy applications until they are replaced with versions that are compatible with Windows 7. Due to security concerns and our network infrastructure configuration,
we are required to use "Shared Networking (NAT)" mode for the Windows XP virtual machines. Our network drives are mapped to DFS shares. Depending on the site and drive mappings of a user, when opening or saving a file in an application,
it can take several minutes to browse to the target directory, even if it's not on a DFS share. Occasionally, it takes so long that the RemoteApp window hangs and disappears, even though the application is still running in the Windows XP VM.
Running network traces in the VM, I can see that Windows XP tries to "ping" all of the DFS targets whenever the network drives are enumerated, such as when clicking on My Computer. It waits for responses, then eventually times out.
From what I understand, this is the way that Windows XP determines which DFS target link is the fastest. Unfortunately, since vpc.exe does not run with admin rights in Windows 7, ICMP (ping sends ICMP ECHO REQUESTS) is blocked by the NAT
between the VM and the Windows 7 host. (This is why you cannot ping other PCs on the network from within the Windows XP VM when using NAT.) Therefore, the long wait times happen while XP waits for the replies that never come.
To verify that this is indeed the problem, I started vpc.exe with admin rights, then started the MED-V Workspace. I could ping other computers now from within XP and browsing took seconds instead of minutes. However, our users will not have admin
rights in Windows 7 so this is not an option for them. I also tested in bridged mode instead of Shared Networking mode with the same positive results. However, this is also not an option in our environment.
Any solutions or recommendations will be greatly appreciated.
Thank you in advance,
Victor S.
Victor S. - Sogeti USA
Hi,
I would do some research on this issue.
And I would update as soon as possible.
Alex Zhao
TechNet Community Support -
I am not an IT manager, but I am trying to set up an additional route through our router for RDP using NAT. I have successfully set up two other workstations doing this, but the third is not working. I set the first two up by forwarding the public IP address on a port to the internal IP address on the RDP port 3389. The two other workstations are set up this way and work great. The third is set up the same way, but I cannot get in from outside. I can RDP to the workstation from inside the local network. Our network has no IT manager.
Hello,
from what I can see in your non-working configuration, you are using the same address space on two different interfaces:
interface FastEthernet0/0
ip address 63.245.89.83 255.255.255.248
interface FastEthernet1/0
description connected to metrored
ip address 63.245.89.82 255.255.255.248
The router should actually generate an error message telling you that there is an overlapping address space once you try and 'no shut' the FastEthernet1/0 interface.
Regards,
GP -
Problems with NAT and xbox live
I could once connect to Xbox Live using my Westell 6100g, which I received as an upgrade from the regular 6100 about 5 days ago. It worked fine yesterday, and today it decided to change my NAT from "Open" to "Moderate".
How can I access my NAT so I can fix this frustrating problem? Or how can I fix this? I tried Microsoft's solutions including port forwarding, but nothing works. My guess is my only option is to change the NAT, but the interface of the Westell 6100's page is barely user friendly, and I'm a tech savvy guy. Any help?
Your other thread
http://www.dslreports.com/forum/remark,24291307
-
IChat AV with NAT and more than one Mac
I am a bit confused about firewall settings for iChat AV. I have a netgear FVS328 router. Obviously to have iChat working, I first open the firewall on my mac (Tiger) for the appropriate ports. Then I defined a service on the router and a rule to open those ports. It works... however, I have an issue.
In the router firewall setup I had to give a LAN IP address to which packets for those specific iChat ports would be forwarded. Now, I understand this when a connection is initiated from the Internet and (for example) you would want all HTTP traffic on port 80 to go to your web server. But here I have more than one Mac behind my firewall. Moreover, they get their address by DHCP. I can't change the firewall setting each time I want to chat from a different computer!
I tried to have a look at port triggering, but it doesn't seem to exist on the Netgear. But even so, I would have to specify an IP address on my LAN.
Why is this needed, since basically both iChat parties are already connected to .Mac, so the connection is made!
I am also wondering how they manage that kind of problem in Internet cafes where they certainly do not have a fixed Internet IP address for each PC or Mac available!
It is not possible to port forward the same port number to more than one computer on any router that does NAT. It is impossible for the router to know which of the computers to send it to, and sending it to both would confuse the software.
Think of it another way: all post for a particular house is delivered by a postman. Once posted in the mailbox, someone picks it up and ensures it reaches the correct person by the name written on the post. Now if you have 2 John Smiths in the same house, nobody will know which one it is for. The same applies to the port numbers on the router. Some applications allow you to select a unique range of ports for each computer, so you can organize a unique port for each computer, but iChat doesn't. -
IPSec tunnel and policy NAT question
Hello All!
I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:
1. I need to translate the incoming IP address of the remote end of the IPSec tunnel to some other IP address on our end
2. I need to translate the outgoing IP address of our end of the IPSec tunnel to a different IP address
I have implemented the following configuration, but for some reason it is not working: I get packets decrypted on my end, but don't have packets encrypted to send to the other end.
Here is the configuration
Remote end crypto interesting ACL:
ip access-list extended crypto-interesting-remote
permit ip host 192.168.1.10 host 10.0.0.10
My end configuration:
interface GigabitEthernet0/0
ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPN
ip access-list extended crypto-interesting-local
permit ip host 10.0.0.10 host 192.168.1.10
interface GigabitEthernet0/3
ip address 172.16.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
speed auto
ip nat inside source static 172.16.0.20 10.0.0.10 (to translate the local IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)
ip nat outside source static 192.168.1.10 192.168.168.10 (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)
ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa
All the routes are set, the crypto IPsec tunnel is up and working, and I am wondering if it is possible to achieve two-way NAT translation?
Any response highly appreciated!
Thanks!
Figured that out.
The problem was in the route
ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0
It should have the next-hop IP address instead of interface gigabitethernet0/0.
Apparently the packet arrives on the interface but does not pass it when having a route like this, because there is no one sitting with the 192.168.168.10 IP address on the outside. -
Ipsec together with outside NAT
Hi,
I have a small office that is connected to the main office over an IPsec tunnel.
On the main office LAN I have a server that only accepts traffic from the main office inside LAN.
Therefore I need to NAT incoming traffic from the IPsec tunnel with a new source address (an address from the main office inside).
The IPsec tunnel is up and working.
How should the NAT look?
I have tried with the "ip nat outside source" command, but it did not work completely (the traffic was NATed, but when the response came the traffic was not sent back into the tunnel).
Regards Niklas
You have to do NAT both ways and make sure that the config for the IPsec tunnel is proper to allow the reply traffic to be sent via the tunnel. The following link may help you:
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html -
IPSEC Tunnel between JUNIPER (SSG 20) and CISCO PIX 501
I have successfully established an IPSEC tunnel with a Juniper firewall by using a Cisco PIX 501 (6.3 version). The problem I am facing is that I have network layer connectivity, but after a time interval I am not able to send traffic to the destination IP address on a specific port, yet I can successfully PING the destination IP. On both firewalls the IPs are permitted for all ports.
Dear Mr.
The same problem has occurred with me.