IPSec Tunnel between Cisco 2801 and Netscreen 50 with NAT and a static

Answered Question
Sep 12th, 2005

Hello

My problem is not really the IPSec connection between the two devices (it's already running ...), but that I have a mail-server on the Cisco site which has a static NAT from inside to outside. Because of the static NAT I cannot see the server in the VPN tunnel. I found a document which almost describes the problem:

"Configuring a Router IPSEC Tunnel Private-to-Private Network with NAT and a Static" (Document ID 14144)

NAT takes place before the crypto check!

In that document the solution is "policy routing" using a loopback interface. But how can I manage that with the Netscreen firewall? Does anybody have an idea?


thanks for any support

best regards

heiko



jackko Mon, 09/12/2005 - 15:57

create an acl

access-l 100 deny ip
access-l 100 permit ip any

apply the acl above to route-map

route-map test permit 1
 match ip address 100




heiko.bachofner Mon, 09/12/2005 - 20:59

hi, thank you for your answer,

but I already made the entry in the ACL "inside-outside" which I apply to the route-map test (see attachment)

jackko Mon, 09/12/2005 - 21:19

wondering if 10.1.99.20 can access anything from 10.1.110.0/24 but not the .10 mail server, right?

heiko.bachofner Mon, 09/12/2005 - 21:30

yes, that's right

I can only reach the mail-server 10.1.110.10 over its static NAT address 81.222.33.90, not through the VPN tunnel.

Correct Answer
shijogeorge Tue, 09/13/2005 - 02:29

Hi,

Try modifying your static NAT with a policy-based static NAT, i.e. the static NAT shouldn't be applicable to the VPN traffic:

route-map static permit 1
 match ip address 104
!
! deny = do not translate traffic from the mail server towards the 10.1.0.0/16 side
! (IOS access-lists take a wildcard mask, so /16 is 0.0.255.255, not 255.255.0.0)
access-list 104 deny ip host 10.1.110.10 10.1.0.0 0.0.255.255
! everything else from the mail server (Internet traffic) is still translated
access-list 104 permit ip host 10.1.110.10 any
!
ip nat inside source static 10.1.110.10 81.222.33.90 route-map static

HTH

Regards,

Shijo George.
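To make the order-of-operations problem from the question and the effect of the route-map-conditioned static NAT in this answer concrete, here is a small simulation. It is an added example, not Cisco code and not posted by anyone in the thread: it models inside-to-outside handling on the 2801 as "static NAT first, crypto-map check second" and evaluates IOS-style wildcard-mask ACLs. The addresses 10.1.110.10, 81.222.33.90, 10.1.0.0/16 and 10.1.99.20 are the ones from the thread; the crypto ACL (10.1.110.0/24 to 10.1.99.0/24), the ACL number 110 it stands in for, and the Internet destination 198.51.100.7 are constructed assumptions. It also shows why the mask in access-list 104 must be written as a wildcard (0.0.255.255): typed as a subnet mask (255.255.0.0) the deny entry never matches a real host and the VPN traffic is still translated.

```python
"""Model of the IOS order of operations behind this thread (added example).

Not Cisco code and not from the thread: it simulates inside->outside handling
of a packet on the 2801, where the static NAT is applied before the crypto-map
check, and shows why conditioning the static NAT on a route-map keeps VPN-bound
packets untranslated so they still match the crypto ACL.

Addresses 10.1.110.10, 81.222.33.90, 10.1.0.0/16 and 10.1.99.20 come from the
thread. The crypto ACL (10.1.110.0/24 -> 10.1.99.0/24) and the Internet
destination 198.51.100.7 are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask test: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    """One access-list entry: action plus (network, wildcard) for source and destination."""
    action: str
    src: Tuple[str, str]
    dst: Tuple[str, str]


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action == "permit"
    return False


HOST = "0.0.0.0"                      # wildcard used by 'host x.x.x.x'
ANY = ("0.0.0.0", "255.255.255.255")  # 'any'

INSIDE_LOCAL = "10.1.110.10"    # mail server (from the thread)
INSIDE_GLOBAL = "81.222.33.90"  # its static NAT address (from the thread)

# access-list 104 as the answer intends it (/16 written as wildcard 0.0.255.255)
ACL_104 = [
    Ace("deny", (INSIDE_LOCAL, HOST), ("10.1.0.0", "0.0.255.255")),
    Ace("permit", (INSIDE_LOCAL, HOST), ANY),
]

# The same list with 255.255.0.0 typed as if it were a subnet mask: as a wildcard it
# only matches destinations whose last two octets are 0.0, so the deny never fires.
ACL_104_AS_POSTED = [
    Ace("deny", (INSIDE_LOCAL, HOST), ("10.1.0.0", "255.255.0.0")),
    Ace("permit", (INSIDE_LOCAL, HOST), ANY),
]

# Assumed crypto ACL: Cisco-side LAN to the Netscreen-side LAN (constructed).
CRYPTO_ACL = [Ace("permit", ("10.1.110.0", "0.0.0.255"), ("10.1.99.0", "0.0.0.255"))]


def process_outbound(src: str, dst: str, nat_acl: Optional[List[Ace]]) -> Tuple[str, bool]:
    """Return (source address after NAT, whether the packet matched the crypto ACL).

    nat_acl=None models a plain 'ip nat inside source static'; a list models the
    'route-map' form, where translation happens only if the ACL permits the flow.
    """
    if src == INSIDE_LOCAL and (nat_acl is None or acl_permits(nat_acl, src, dst)):
        src = INSIDE_GLOBAL  # NAT runs first for inside->outside traffic
    encrypted = acl_permits(CRYPTO_ACL, src, dst)  # crypto check sees the post-NAT source
    return src, encrypted


if __name__ == "__main__":
    cases = [
        ("plain static NAT, to VPN peer", "10.1.99.20", None),
        ("route-map NAT, to VPN peer", "10.1.99.20", ACL_104),
        ("route-map NAT, to Internet", "198.51.100.7", ACL_104),
        ("mask typed as subnet mask, to VPN peer", "10.1.99.20", ACL_104_AS_POSTED),
    ]
    for label, dst, acl in cases:
        print(f"{label:40s} -> {process_outbound(INSIDE_LOCAL, dst, acl)}")
```

Running it prints one line per case: with the plain static NAT the packet towards 10.1.99.20 leaves as 81.222.33.90 and misses the crypto ACL; with the route-map form it stays 10.1.110.10 and is encrypted while Internet-bound traffic is still translated; with the mask written as 255.255.0.0 the deny entry never matches and the VPN traffic is translated again.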


heiko.bachofner Wed, 09/14/2005 - 06:30

Hi Shijo

thank you very much for your support.

Everything is working fine now.

Your post was very helpful!

have a good time

best regards

Heiko
