Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
347
Views
0
Helpful
2
Replies

L2L VPN Using PAT

oconnorm
Level 1
Level 1

‎06-03-2010 09:02 AM

I am trying to PAT my internal network to an external IP over an ipsec tunnel and can't quite find the solution - here is the config I am trying:

***********************************
PHASE 1
***********************************

isakmp policy 15

  authentication pre-share

  encryption AES-256

  hash sha

  group 5

  lifetime 86400

***********************************
PHASE 2
***********************************

crypto ipsec transform-set ABC esp-aes-256 esp-sha-hmac

crypto map outside_map 15 match address ABC

crypto map outside_map 15 set peer 10.1.1.1

crypto map outside_map 15 set transform-set ABC

crypto map outside_map 15 set pfs group5


tunnel-group 10.1.1.1 type ipsec-l2l

tunnel-group 10.1.1.1 ipsec-attributes

  pre-shared-key xxxxxxx

***********************************
Access List
***********************************

access-list ABC remark L-2-L VPN to ABC

access-list ABC extended permit ip 10.5.5.5 255.255.255.255 10.2.2.2 255.255.255.255

***********************************
PAT
***********************************

global (outside) 15 10.5.5.5 access-list ABC
nat (inside) 15 10.6.0.0 255.255.0.0

Labels:
0 Helpful
2 Replies 2

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎06-03-2010 09:12 AM

Hi,

Since you're going to PAT the interesting traffic before sending it through the tunnel, the tunnel can only be initiated from your side.

Check if the traffic from the internal network is being PATed with the command ''sh xlate local 10.6.0.x''  --> computer where traffic is initiated.

If you see the translation built, then check if the tunnel is trying to establish with the commands ''sh cry isa sa'' and ''sh cry ips sa''

With this we should be able to see where the problem is.

Federico.

0 Helpful

m.kafka
Level 4
Level 4

‎06-04-2010 02:07 AM

Hi occonorm,

the example you gave doesn't really illustrate in detail what you want.

I can only assume from the access-list ABC, that the IPsec local-ident is 10.5.5.5/32 (the patted internal hosts) and the remote-ident is 10.2.2.2/32.

In that case it would be simple:

An access list describes the traffic to be patted, that access list is used with a nat (inside) and the matching global (outside) has the VPN-pat address.

access-list XYZ permit ip 10.6.0.0/16 10.2.2.2/32

nat (inside) 15 access-list XYZ

global (outside) 10.5.5.5

the crypto mat is using a match address for 10.5.5.5/32 and 10.2.2.2/32

hope that helps, if you cant find the solution please post more details, a little network sketch etc...

rgds, MiKa

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents