08-04-2009 01:14 PM - edited 03-04-2019 05:38 AM
Hi All.
I have been searching and trying to figure this out to no avail. I have an internet-connected 1841 with a Juniper firewall on the inside and IPsec VTIs connecting from the router to another router across the internet. My requirement is to have remote SOHO VPN clients connect THROUGH the router to the Juniper firewall on the inside of the router. I only have one public IP to work with.
HE router-----Inet-----1841---inside fw
                |
                |
        remote vpn client
The tunnels I build are working fine. Every time a client attempts a connection, the NAT is never hit and the router attempts to negotiate with the client.
When I do debugs, I see the ISAKMP traffic on UDP 500, but it never gets NATed. When I tried this in the lab I could only simulate a site-to-site VPN connection, and that seemed to work out fine.
What am I doing wrong?
TIA,
Alex
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 21600
crypto isakmp key test address 102.196.46.248
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 3
!
crypto ipsec security-association idle-time 300
!
crypto ipsec transform-set vpn-1 esp-aes esp-sha-hmac
!
crypto ipsec profile vpn-1
set transform-set vpn-1
!
!
interface Tunnel2
ip address 10.13.10.183 255.255.255.254
ip mtu 1380
ip tcp adjust-mss 1360
keepalive 10 5
tunnel source 85.112.244.59
tunnel destination 102.196.46.248
tunnel mode ipsec ipv4
tunnel protection ipsec profile vpn-1
!
interface FastEthernet0/0
description eth connection to internet speed 1000kb
ip address 85.112.244.59 255.255.255.192
ip access-group wan-in in
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet0/1
description connection to LAN
ip address 192.168.99.1 255.255.255.248
ip nat inside
ip virtual-reassembly
ip policy route-map policy
speed 100
full-duplex
!
!
ip route 0.0.0.0 0.0.0.0 85.112.244.1
ip route 10.12.99.0 255.255.255.248 192.168.99.2
ip route 10.99.0.0 255.255.0.0 192.168.99.2
ip route 102.196.46.248 255.255.255.255 85.112.244.1
!
ip nat inside source static tcp 192.168.99.2 22 interface FastEthernet0/0 22
ip nat inside source static tcp 192.168.99.2 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.99.2 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.99.2 7801 interface FastEthernet0/0 7801
ip nat inside source static tcp 192.168.99.2 7803 interface FastEthernet0/0 7803
ip nat inside source static tcp 192.168.99.2 7808 interface FastEthernet0/0 7808
ip nat inside source route-map tunnel interface FastEthernet0/0 overload reversible
ip access-list extended policy
permit tcp host 192.168.99.2 eq 22 any
permit tcp host 192.168.99.2 eq 443 any
permit tcp host 192.168.99.2 eq smtp any
permit tcp host 192.168.99.2 eq 7801 any
permit tcp host 192.168.99.2 eq 7803 any
permit tcp host 192.168.99.2 eq 7808 any
permit udp host 192.168.99.2 eq isakmp any
permit esp host 192.168.99.2 any
permit udp host 192.168.99.2 eq non500-isakmp any
permit gre host 192.168.99.2 any
ip access-list extended tunnel
deny udp host 192.168.99.2 eq isakmp host 102.196.46.248 eq isakmp
deny esp host 192.168.99.2 host 102.196.46.248
permit udp host 192.168.99.2 eq isakmp any eq isakmp
permit esp host 192.168.99.2 any
permit udp host 192.168.99.2 eq non500-isakmp any eq non500-isakmp
route-map policy permit 10
match ip address policy
set ip next-hop 85.112.244.1
!
route-map comp-tunnel permit 10
match ip address tunnel
!
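As an added example (not part of the original thread or of any Cisco tool), the following Python evaluator parses the IOS extended-ACL syntax quoted above and runs the "tunnel" ACL over constructed sample packets. The address 198.51.100.7 is a documentation placeholder, not from the thread; the other addresses are the ones quoted. The evaluation shows what the ACL behind the NAT route-map actually selects: only traffic sourced by the inside firewall (192.168.99.2), with the site-to-site peer's IKE and ESP explicitly excluded, while an IKE packet initiated by a remote client towards the router's public address matches no entry at all and falls to the implicit deny.

```python
from dataclasses import dataclass
from typing import Optional

# IOS keyword names for ports that appear in the quoted ACLs.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "smtp": 25}
# Protocol keywords this evaluator understands.
PROTOCOLS = {"ip", "tcp", "udp", "esp", "gre", "icmp"}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None  # None for protocols without ports (esp, gre)
    dport: Optional[int] = None


def _port(token):
    return PORT_NAMES.get(token) or int(token)


def _parse_addr(tokens, i):
    """Parse 'any' or 'host X' at tokens[i]; return (matcher, next_index)."""
    if tokens[i] == "any":
        return (lambda a: True), i + 1
    if tokens[i] == "host":
        want = tokens[i + 1]
        return (lambda a, w=want: a == w), i + 2
    raise ValueError(f"unsupported address form at {tokens[i]!r}")


def _parse_port(tokens, i):
    """Parse an optional 'eq <port>' at tokens[i]; return (matcher, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        want = _port(tokens[i + 1])
        return (lambda p, w=want: p == w), i + 2
    return (lambda p: True), i


def parse_acl(text):
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p]' lines into entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto not in PROTOCOLS:
            raise ValueError(f"cannot parse ACL line: {line!r}")
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def evaluate(entries, pkt):
    """Return 'permit', 'deny' or 'implicit-deny' (IOS default at end of an ACL)."""
    for action, proto, src, sport, dst, dport in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (src(pkt.src) and dst(pkt.dst)):
            continue
        if proto in ("tcp", "udp") and not (sport(pkt.sport) and dport(pkt.dport)):
            continue
        return action
    return "implicit-deny"


# The "tunnel" ACL exactly as quoted in the thread.
TUNNEL_ACL = parse_acl("""
deny udp host 192.168.99.2 eq isakmp host 102.196.46.248 eq isakmp
deny esp host 192.168.99.2 host 102.196.46.248
permit udp host 192.168.99.2 eq isakmp any eq isakmp
permit esp host 192.168.99.2 any
permit udp host 192.168.99.2 eq non500-isakmp any eq non500-isakmp
""")

# Constructed sample packets: 198.51.100.7 stands in for an arbitrary remote
# address (placeholder, not from the thread).
SAMPLES = {
    "fw_to_site_peer_ike": Packet("udp", "192.168.99.2", "102.196.46.248", 500, 500),
    "fw_to_site_peer_esp": Packet("esp", "192.168.99.2", "102.196.46.248"),
    "fw_to_other_peer_ike": Packet("udp", "192.168.99.2", "198.51.100.7", 500, 500),
    "fw_to_other_peer_nat_t": Packet("udp", "192.168.99.2", "198.51.100.7", 4500, 4500),
    "client_to_router_ike": Packet("udp", "198.51.100.7", "85.112.244.59", 500, 500),
}


def evaluate_samples():
    """Map each sample packet name to the ACL verdict for the 'tunnel' ACL."""
    return {name: evaluate(TUNNEL_ACL, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:26s} {verdict}")
```

A deny or implicit-deny result here means the route-map does not match the packet, so that NAT rule is not applied to it; this is the reason to check route-map ACLs against the direction in which a connection is initiated rather than only against the inside host's own outbound traffic.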
08-04-2009 10:30 PM
Hello,
Your static IPsec entries do not affect what you are trying to achieve, but I think you do not want to NAT the IPsec tunnel going through the router.
You would need to define the static NAT with a route-map to say which peer you do not want to NAT.
08-05-2009 04:20 AM
Hi
That's what I thought the acl+route map "tunnel" was doing. Do you think it is pointing in the right direction?
Thanks,
Alex