Cisco 2801 VPN connection to Netscreen Firewall

Unanswered Question
Jun 4th, 2009

I have a VPN connection from my place to a Netscreen firewall at the client's end, with the following setup sent by the Netscreen system administrator:


''My tunnel endpoint address: 201.56.128.73

Your tunnel endpoint address: 62.100.68.170

Your encryption domain (the addresses routed into that tunnel): host 62.100.68.171 (defined as a host, NOT as a /32 network)

My encryption domain (the addresses behind my tunnel endpoint): 201.56.129.192/27

...

Granted connectivity:

Source: 62.100.68.171

Destination: 201.56.129.239 (translated to internal private address 10.236.90.131)

Services: ICMP Echo request, TCP 22 (ssh), TCP 7114

...

Because we use private addresses in the 10/8 range internally, and these addresses frequently conflict with the internal network addresses of our partners, we usually offer an exclusive range of addresses, namely public addresses somewhere around 201.56.129.*, as destination addresses at our end. These addresses are never used for any purpose other than NAT inside VPN tunnels. In addition, these addresses do not overlap with the networks where the tunnel endpoint addresses themselves reside.

For you that simply means that your systems ALWAYS talk to 201.56.129.* addresses at my end. It is my responsibility to translate such addresses to the internal addresses of our systems behind it.

On the other hand, whenever an internal system at your side talks to 201.56.129.239, you have to ensure that the source address is replaced with 62.100.68.171, so that my system can properly route the packets back to my VPN firewall and into the proper VPN tunnel.

There is only one tricky point at your end: as the tunnel endpoint address is identical to the encrypted destination address, your device must properly handle this situation.
''


I have a Cisco 2801 at my side of the VPN. From my router config:

...
crypto map CRYPTO 20 ipsec-isakmp
 set peer 201.56.128.73
 set transform-set TELCOM
 set pfs group2
 match address 102
...

The access list consists of only one command:

...
access-list 102 permit ip host 62.100.68.171 201.56.129.192 0.0.0.63
...
(crypto map ACL)


The public address of my communication server is 62.100.68.171. The system works OK, and I have no problem but one: I do not want the public address to be available from the internet. So I have to NAT my server's public address:


ip nat inside source static 192.168.100.24 62.100.68.171


where 192.168.100.24 is the server's private address. What was done is basically that the above instruction was included in the Cisco setup. Certainly, I have deleted the public address from the communication server and added its private address instead to its connection setup.


The problem is that the application program on my communication server does not work. My crypto map was not changed after my reading of the NAT order of operations:


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml


My question is why my system does not work. Do I have to change anything in my crypto map?
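As an added illustration (not from the question, the linked tech note, or Cisco), here is a small Python model of the IOS NAT order of operations that the tech note describes, applied to the addresses in the post: the crypto ACL is checked against the post-NAT source on the way out, and on the way back decryption happens before the static translation is undone, so the existing ACL 102 still matches the translated packets. It also checks whether 201.56.129.239 is covered by the crypto ACL's destination range and by the /27 the Netscreen admin quoted. The constants, function names and the simplified first-match ACL evaluation are my own assumptions.

```python
import ipaddress

# Addresses constructed from the values posted in the question.
SERVER_PRIVATE = "192.168.100.24"        # server's new private address
SERVER_PUBLIC = "62.100.68.171"          # source address the peer expects
REMOTE_HOST = "201.56.129.239"           # granted destination at the peer's end
PEER_DOMAIN = "201.56.129.192 0.0.0.31"  # the peer's stated /27, as an ACL spec
# ip nat inside source static 192.168.100.24 62.100.68.171
STATIC_NAT = {SERVER_PRIVATE: SERVER_PUBLIC}
# access-list 102 permit ip host 62.100.68.171 201.56.129.192 0.0.0.63
CRYPTO_ACL = [("permit", "host 62.100.68.171", "201.56.129.192 0.0.0.63")]

def spec_to_network(spec):
    """Turn an IOS ACL address spec ('any', 'host A', 'A WILDCARD') into an ip_network.
    Wildcard masks are assumed contiguous, which is the normal case for crypto ACLs."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, wildcard = spec.split()
    netmask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))  # invert the wildcard bits
    return ipaddress.ip_network((addr, str(ipaddress.ip_address(netmask))), strict=False)

def acl_permits(acl, src, dst):
    """First-match evaluation of an extended ACL, with the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_spec, dst_spec in acl:
        if src in spec_to_network(src_spec) and dst in spec_to_network(dst_spec):
            return action == "permit"
    return False

def inside_to_outside(src, dst):
    """Inside->outside on IOS: NAT (local to global) runs before the crypto map check, so
    the crypto ACL sees the translated source. Returns (source on the wire, encrypted?)."""
    global_src = STATIC_NAT.get(src, src)
    return global_src, acl_permits(CRYPTO_ACL, global_src, dst)

def outside_to_inside(src, dst):
    """Outside->inside on IOS: decryption (the mirrored crypto ACL) happens before NAT
    (global to local), so the static entry is undone only after the packet is decrypted."""
    decrypted = acl_permits(CRYPTO_ACL, dst, src)  # inbound SA uses the ACL mirrored
    local_dst = {g: l for l, g in STATIC_NAT.items()}.get(dst, dst)
    return local_dst, decrypted

def covered(spec, host):
    """Does an ACL address spec cover a host? Used to compare proxy IDs with the peer."""
    return ipaddress.ip_address(host) in spec_to_network(spec)
```

Running the model shows 201.56.129.239 inside the 0.0.0.63 (/26) range of ACL 102 but outside 201.56.129.192/27 as quoted, which is worth reconciling with the peer when comparing proxy IDs.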



