L2L VPN Using PAT

Unanswered Question
Jun 3rd, 2010

I am trying to PAT my internal network to an external IP over an ipsec tunnel and can't quite find the solution - here is the config I am trying:

***********************************
PHASE 1
***********************************

isakmp policy 15
  authentication pre-share
  encryption AES-256
  hash sha
  group 5
  lifetime 86400

***********************************
PHASE 2
***********************************

crypto ipsec transform-set ABC esp-aes-256 esp-sha-hmac

crypto map outside_map 15 match address ABC
crypto map outside_map 15 set peer 10.1.1.1
crypto map outside_map 15 set transform-set ABC
crypto map outside_map 15 set pfs group5

tunnel-group 10.1.1.1 type ipsec-l2l
tunnel-group 10.1.1.1 ipsec-attributes
  pre-shared-key xxxxxxx

***********************************
Access List
***********************************

access-list ABC remark L-2-L VPN to ABC
access-list ABC extended permit ip 10.5.5.5 255.255.255.255 10.2.2.2 255.255.255.255

***********************************
PAT
***********************************

global (outside) 15 10.5.5.5 access-list ABC
nat (inside) 15 10.6.0.0 255.255.0.0

Federico Coto F... Thu, 06/03/2010 - 09:12

Hi,

Since you're going to PAT the interesting traffic before sending it through the tunnel, the tunnel can only be initiated from your side.

Check if the traffic from the internal network is being PATed with the command "sh xlate local 10.6.0.x" --> computer where traffic is initiated.

If you see the translation built, then check if the tunnel is trying to establish with the commands "sh cry isa sa" and "sh cry ips sa".

With this we should be able to see where the problem is.

Federico.

m.kafka Fri, 06/04/2010 - 02:07

Hi occonorm,

The example you gave doesn't really illustrate in detail what you want.

I can only assume from the access-list ABC that the IPsec local-ident is 10.5.5.5/32 (the PATed internal hosts) and the remote-ident is 10.2.2.2/32.

In that case it would be simple:

An access list describes the traffic to be PATed; that access list is used with a nat (inside), and the matching global (outside) has the VPN-PAT address.

access-list XYZ extended permit ip 10.6.0.0 255.255.0.0 host 10.2.2.2
nat (inside) 15 access-list XYZ
global (outside) 15 10.5.5.5

The crypto map is using a match address for 10.5.5.5/32 and 10.2.2.2/32.

Hope that helps. If you can't find the solution please post more details, a little network sketch etc...

rgds, MiKa
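A consistency check for the policy-NAT-plus-crypto-map arrangement described in the reply above, added here as an example and not code from the thread: it parses ASA 8.2-style access-list, nat, global and crypto map lines (the config fragments below are constructed, modelled on the thread) and verifies that the nat and global share an id, that the global PAT address falls inside the crypto ACL's local identity, and that the NAT ACL's destination is covered by the crypto ACL's remote identity.

```python
import ipaddress
# Constructed ASA 8.2-style fragments modelled on the thread, not the poster's full config.
AS_POSTED = """
global (outside) 15 10.5.5.5 access-list ABC
nat (inside) 15 10.6.0.0 255.255.0.0
"""
CORRECTED = """
access-list XYZ extended permit ip 10.6.0.0 255.255.0.0 host 10.2.2.2
nat (inside) 15 access-list XYZ
global (outside) 15 10.5.5.5
access-list ABC extended permit ip host 10.5.5.5 host 10.2.2.2
crypto map outside_map 15 match address ABC
"""
def _network(t, i):
    # Consume one ACL address term (host X | X MASK) starting at token t[i].
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2
def parse_config(text):
    # Collect ACL entries, policy NAT rules, global PAT addresses and crypto-map ACL names.
    acls, nats, pats, maps = {}, {}, {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and "permit" in t:
            src, i = _network(t, t.index("ip") + 1)
            dst, _ = _network(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["nat"] and t[3:4] == ["access-list"]:  # nat (inside) ID access-list NAME
            nats[t[2]] = t[4]
        elif t[:1] == ["global"] and len(t) == 4:             # global (outside) ID ADDR
            pats[t[2]] = ipaddress.ip_address(t[3])
        elif t[:2] == ["crypto", "map"] and "address" in t:   # crypto map NAME SEQ match address ACL
            maps[t[2]] = t[t.index("address") + 1]
    return acls, nats, pats, maps
def check_vpn_pat(text):
    # Return a list of problems; an empty list means the PAT and the crypto ACL line up.
    acls, nats, pats, maps = parse_config(text)
    problems = [] if nats else ["no policy NAT found: expected 'nat (inside) <id> access-list <name>'"]
    for nat_id, nat_acl in nats.items():
        if nat_id not in pats:
            problems.append(f"nat id {nat_id} has no matching 'global (outside) {nat_id} <addr>'")
            continue
        for crypto_acl in maps.values():
            for local, remote in acls.get(crypto_acl, []):
                if pats[nat_id] not in local:
                    problems.append(f"PAT address {pats[nat_id]} is outside crypto local ident {local}")
                for _, nat_dst in acls.get(nat_acl, []):
                    if not nat_dst.subnet_of(remote):
                        problems.append(f"NAT ACL destination {nat_dst} is not inside crypto remote {remote}")
    return problems
```

Running check_vpn_pat(AS_POSTED) reports the missing policy NAT, while check_vpn_pat(CORRECTED) returns an empty list.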
