09-12-2005 01:10 PM - edited 02-21-2020 01:57 PM
Hello
My problem is not really the IPsec connection between the two devices (it's already running ...), but that I have a mail server on the Cisco site which has a static NAT from inside to outside. Because of the static NAT I cannot see the server through the VPN tunnel. I found a document which almost describes the problem:
"Configuring a Router IPSEC Tunnel Private-to-Private Network with NAT and a Static" (Document ID 14144)
NAT takes place before the crypto check!
In that document the solution is "policy routing" using a loopback interface. But how can I manage that with the Netscreen firewall? Does anybody have an idea?
thanks for any support
best regards
heiko
09-13-2005 02:29 AM
Hi,
Try modifying your static NAT into a policy-based static NAT,
i.e. the static NAT shouldn't be applied to the VPN traffic:
route-map static permit 1
 match ip address 104
! ACL 104 takes a wildcard mask: 10.1.0.0 0.0.255.255 = 10.1.0.0/16
! (deny = VPN traffic stays untranslated; permit = everything else is translated)
access-list 104 deny ip host 10.1.110.10 10.1.0.0 0.0.255.255
access-list 104 permit ip host 10.1.110.10 any
! the static NAT is applied only where route-map "static" permits the packet
ip nat inside source static 10.1.110.10 81.222.33.90 route-map static
HTH
Regards,
Shijo George.
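The reason the route-map fixes it is the order of operations on the IOS side: for inside-to-outside traffic the router applies NAT first and only then checks the crypto map, so a packet from the mail server already carries 81.222.33.90 when the crypto ACL is consulted and never matches the private-to-private entry. The model below is an added example written for this thread, not code from the thread or from Cisco; it walks one packet through that path (route-map check, then static NAT, then crypto ACL) using the addresses and ACL 104 from the answer. The crypto ACL (10.1.110.0/24 to 10.1.99.0/24) and the Internet host 198.51.100.25 are assumptions made up for the example, since the thread does not show the tunnel's crypto ACL. It also shows what happens if the route-map ACL is typed with a subnet mask where IOS expects a wildcard mask: the deny entry never matches and the mail server's traffic leaves translated and unencrypted.

```python
"""Added example (not from the thread): model of the Cisco IOS inside-to-outside
packet path, route-map check -> static NAT -> crypto-map ACL, to show why plain
static NAT hides the mail server from the IPsec tunnel and why a route-map on
the static NAT fixes it.

From the thread: 10.1.110.10 (mail server), 81.222.33.90 (its static NAT),
10.1.99.20 (remote VPN host), access-list 104.
Assumed for this example: the crypto ACL and the Internet host 198.51.100.25.
"""
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")  # IOS keyword "any"


def host(addr):
    """IOS 'host A.B.C.D' is A.B.C.D with wildcard 0.0.0.0 (every bit must match)."""
    return (addr, "0.0.0.0")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask semantics: a 0 bit in the wildcard means 'must match'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def acl_lookup(acl, src, dst):
    """First-match evaluation of an extended ACL, with the implicit deny at the end."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


# access-list 104 from the answer, with the mask written as IOS reads it:
# a wildcard, so 10.1.0.0 0.0.255.255 is 10.1.0.0/16.
ACL_104 = [
    ("deny", host("10.1.110.10"), ("10.1.0.0", "0.0.255.255")),
    ("permit", host("10.1.110.10"), ANY),
]

# The same ACL with a subnet mask typed where IOS expects a wildcard. IOS accepts
# it, but 10.1.0.0 255.255.0.0 then means "the last two octets must be 0.0".
ACL_104_SUBNET_MASK_TYPO = [
    ("deny", host("10.1.110.10"), ("10.1.0.0", "255.255.0.0")),
    ("permit", host("10.1.110.10"), ANY),
]

# Assumed crypto-map ACL for the tunnel that is already up (not shown in the thread).
CRYPTO_ACL = [
    ("permit", ("10.1.110.0", "0.0.0.255"), ("10.1.99.0", "0.0.0.255")),
]

STATIC_NAT = {"10.1.110.10": "81.222.33.90"}  # ip nat inside source static ...


def inside_to_outside(src, dst, nat_route_map_acl=None):
    """Walk one packet through the IOS inside->outside path.

    NAT is applied before the crypto-map check, which is the root cause in the
    thread. When the static NAT carries a route-map, the translation is applied
    only if that route-map's ACL permits the packet; otherwise the packet keeps
    its private source address and can still match the crypto ACL.
    """
    translate = src in STATIC_NAT
    if translate and nat_route_map_acl is not None:
        translate = acl_lookup(nat_route_map_acl, src, dst) == "permit"
    wire_src = STATIC_NAT[src] if translate else src
    encrypted = acl_lookup(CRYPTO_ACL, wire_src, dst) == "permit"
    return {"src": wire_src, "dst": dst, "encrypted": encrypted}


if __name__ == "__main__":
    cases = [
        ("plain static NAT (the problem)", "10.1.99.20", None),
        ("static NAT + route-map (the fix)", "10.1.99.20", ACL_104),
        ("route-map ACL with subnet-mask typo", "10.1.99.20", ACL_104_SUBNET_MASK_TYPO),
        ("Internet-bound, with route-map", "198.51.100.25", ACL_104),
    ]
    for label, dst, rm in cases:
        print(f"{label:38} -> {inside_to_outside('10.1.110.10', dst, rm)}")
```

On a real router the same two outcomes can be checked directly: after the change, `show ip nat translations` should show no entry for the mail server's flows to 10.1.0.0/16 while flows to the Internet still translate to 81.222.33.90, and the encaps/decaps counters in `show crypto ipsec sa` for the 10.1.110.0/24 to 10.1.99.0/24 SA should increment when the mail server is reached from 10.1.99.20.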
09-12-2005 03:57 PM
Create an ACL:
access-l 100 deny ip
access-l 100 permit ip
Apply the ACL above to a route-map:
route-map test permit 1
match ip address 100
09-12-2005 08:59 PM
Hi, thank you for your answer,
but I already made the entry in the ACL "inside-outside", which I apply to the route-map "test" (see attachment).
09-12-2005 09:19 PM
wondering if 10.1.99.20 can access anything from 10.1.110.0/24 but not the .10 mail server, right?
09-12-2005 09:30 PM
Yes, that's right.
I can only reach the mail server 10.1.110.10 over its static NAT address 81.222.33.90, not through the VPN tunnel.
09-14-2005 06:30 AM
Hi Shijo
Thank you very much for your support.
Everything is working fine now.
Your post was very helpful!
have a good time
best regards
Heiko