NAT inside to outside reversible + vpn client - Help

alex-boucher · ‎08-04-2009

Hi All.

I have been searching and trying to figure this out to no avail. I have an internet connected 1841 with a juniper firewall on the inside and ipsec vti's connecting from the router to another router across the internet. My requirement is to have remote soho vpn clients connect THROUGH the router to the Juniper firewall on the inside of the router. I only have one public IP to work with

HE router-----Inet-----1841---inside fw

|

remote vpn client

The tunnels I build are working fine. Everytim a client attempts a connection, the nat is never hit and the router attempts to negotiate with the client.

When I do debugs, I see the isakmp traffic on udp 500 but never gets nat'd. When I tried this in the lab I could only simulate a site-to-site vpn connection, and that seemed to work out fine.

What am I doing wrong?

TIA,

Alex

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

lifetime 21600

crypto isakmp key test address 102.196.46.248

crypto isakmp invalid-spi-recovery

crypto isakmp keepalive 30 3

!

crypto ipsec security-association idle-time 300

!

crypto ipsec transform-set vpn-1 esp-aes esp-sha-hmac

!

crypto ipsec profile vpn-1

set transform-set vpn-1

!

interface Tunnel2

ip address 10.13.10.183 255.255.255.254

ip mtu 1380

ip tcp adjust-mss 1360

keepalive 10 5

tunnel source 85.112.244.59

tunnel destination 102.196.46.248

tunnel mode ipsec ipv4

tunnel protection ipsec profile vpn-1

!

interface FastEthernet0/0

description eth connection to internet speed 1000kb

ip address 85.112.244.59 255.255.255.192

ip access-group wan-in in

ip nat outside

ip virtual-reassembly

speed 100

full-duplex

!

interface FastEthernet0/1

description connection to LAN

ip address 192.168.99.1 255.255.255.248

ip nat inside

ip virtual-reassembly

ip policy route-map policy

speed 100

full-duplex

!

ip route 0.0.0.0 0.0.0.0 85.112.244.1

ip route 10.12.99.0 255.255.255.248 192.168.99.2

ip route 10.99.0.0 255.255.0.0 192.168.99.2

ip route 102.196.46.248 255.255.255.255 85.112.244.1

!

ip nat inside source static tcp 192.168.99.2 22 interface FastEthernet0/0 22

ip nat inside source static tcp 192.168.99.2 443 interface FastEthernet0/0 443

ip nat inside source static tcp 192.168.99.2 25 interface FastEthernet0/0 25

ip nat inside source static tcp 192.168.99.2 7801 interface FastEthernet0/0 7801

ip nat inside source static tcp 192.168.99.2 7803 interface FastEthernet0/0 7803

ip nat inside source static tcp 192.168.99.2 7808 interface FastEthernet0/0 7808

ip nat inside source route-map tunnel interface FastEthernet0/0 overload reversible

ip access-list extended policy

permit tcp host 192.168.99.2 eq 22 any

permit tcp host 192.168.99.2 eq 443 any

permit tcp host 192.168.99.2 eq smtp any

permit tcp host 192.168.99.2 eq 7801 any

permit tcp host 192.168.99.2 eq 7803 any

permit tcp host 192.168.99.2 eq 7808 any

permit udp host 192.168.99.2 eq isakmp any

permit esp host 192.168.99.2 any

permit udp host 192.168.99.2 eq non500-isakmp any

permit gre host 192.168.99.2 any

ip access-list extended tunnel

deny udp host 192.168.99.2 eq isakmp host 102.196.46.248 eq isakmp

deny esp host 192.168.99.2 host 102.196.46.248

permit udp host 192.168.99.2 eq isakmp any eq isakmp

permit esp host 192.168.99.2 any

permit udp host 192.168.99.2 eq non500-isakmp any eq non500-isakmp

route-map policy permit 10

match ip address policy

set ip next-hop 85.112.244.1

!

route-map comp-tunnel permit 10

match ip address tunnel

!

chinkevi_2 · ‎08-04-2009

hello,

your static ipsec do not affect what you are trying to achieve, but i think you do not want to nat the ipsec tunnel going through the router.

you would need define the static nat with route-map to say what peer you do not want to nat.

alex-boucher · ‎08-05-2009

Hi

That's what I thought the acl+route map "tunnel" was doing. Do you think it is pointing in the right direction?

Thanks,

Alex