IPSec Tunnel between Cisco 2801 and NetScreen 50 with NAT and a static

heiko.bachofner
Level 1

Hello

My problem is not really the IPSec connection between the two devices (it's already running ...). But my problem is that I have a mail server on the Cisco side, which has a static NAT from inside to outside. Because of the static NAT I cannot see the server in the VPN tunnel. I found a document which almost describes the problem:

"Configuring a Router IPSEC Tunnel Private-to-Private Network with NAT and a Static" (Document ID 14144)

NAT takes place before the crypto check!

In that document the solution is "policy routing" by using a loopback interface. But how can I manage that with the NetScreen firewall? Does anybody have an idea?

Thanks for any support.

best regards

heiko

Accepted Solution

Hi,

Try modifying your static NAT into a policy-based static NAT, i.e. the static NAT shouldn't apply to the VPN traffic:

! Exclude traffic from the mail server to anything in 10.1.0.0/16 (which includes
! the remote VPN LAN) from the static NAT. The second operand of an IOS ACL is a
! wildcard mask, so a /16 is written 0.0.255.255, not 255.255.0.0.
access-list 104 deny ip host 10.1.110.10 10.1.0.0 0.0.255.255
! Everything else from the mail server (e.g. to the Internet) is still translated.
access-list 104 permit ip host 10.1.110.10 any
!
route-map static permit 1
 match ip address 104
!
ip nat inside source static 10.1.110.10 81.222.33.90 route-map static

HTH

Regards,

Shijo George.
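The following is an added example, not code from the thread or from Cisco IOS. It models the order of operations the original post points out (inside source NAT is evaluated before the crypto map ACL on an inside-to-outside packet) and shows why the accepted answer's route-map fixes the problem: with the static NAT excluded for VPN-bound traffic, the packet still carries its private source address when the crypto ACL is checked. Addresses from the thread are used (mail server 10.1.110.10, static NAT address 81.222.33.90, local LAN 10.1.110.0/24, remote host 10.1.99.20); the crypto ACL number (110), the remote LAN 10.1.99.0/24 and the Internet host 198.51.100.7 are assumptions. It also shows what happens if a subnet mask is typed where IOS expects a wildcard mask.

```python
"""Simulation of IOS static NAT with a route-map ahead of the crypto map check.

Added example; assumptions: crypto ACL 110, remote LAN 10.1.99.0/24 and
Internet host 198.51.100.7 are not from the thread.
"""
import ipaddress


def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST', where SRC and DST are
    'host A', 'any' or 'NET WILDCARD'. Returns (acl_no, action, src, dst)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError("unsupported ACE: " + line)
    acl_no, action, rest = int(tokens[1]), tokens[2], tokens[4:]

    def take(rest):
        if rest[0] == "host":
            return (rest[1], "0.0.0.0"), rest[2:]
        if rest[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), rest[1:]
        return (rest[0], rest[1]), rest[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    return acl_no, action, src, dst


class Acl:
    """Ordered access list: first matching entry wins, implicit deny at the end."""

    def __init__(self, lines):
        self.entries = [parse_ace(line) for line in lines]

    def permits(self, src_ip, dst_ip):
        for _, action, (sn, sw), (dn, dw) in self.entries:
            if wildcard_match(src_ip, sn, sw) and wildcard_match(dst_ip, dn, dw):
                return action == "permit"
        return False


def forward(src_ip, dst_ip, nat_acl, crypto_acl, static_map):
    """Return (source address after NAT, encrypted?) for an inside->outside packet.

    Inside source NAT runs first; a route-map on the static entry only allows the
    translation when nat_acl permits the packet (nat_acl=None means no route-map).
    The crypto map ACL is then checked against the possibly translated source."""
    if src_ip in static_map and (nat_acl is None or nat_acl.permits(src_ip, dst_ip)):
        src_ip = static_map[src_ip]
    return src_ip, crypto_acl.permits(src_ip, dst_ip)


MAIL_SERVER = "10.1.110.10"
STATIC_MAP = {MAIL_SERVER: "81.222.33.90"}
REMOTE_HOST = "10.1.99.20"        # NetScreen-side host mentioned in the thread
INTERNET_HOST = "198.51.100.7"    # assumed, documentation address range

# Crypto map ACL (assumed number 110): local LAN to remote LAN goes into the tunnel.
CRYPTO_ACL = Acl(["access-list 110 permit ip 10.1.110.0 0.0.0.255 10.1.99.0 0.0.0.255"])

# The accepted answer's ACL, with the /16 written as an IOS wildcard mask.
ROUTE_MAP_ACL = Acl([
    "access-list 104 deny ip host 10.1.110.10 10.1.0.0 0.0.255.255",
    "access-list 104 permit ip host 10.1.110.10 any",
])
# Same intent, but with a subnet mask typed where IOS expects a wildcard mask:
# 255.255.0.0 as a wildcard only matches destinations ending in .0.0.
ROUTE_MAP_ACL_WRONG_MASK = Acl([
    "access-list 104 deny ip host 10.1.110.10 10.1.0.0 255.255.0.0",
    "access-list 104 permit ip host 10.1.110.10 any",
])


def run_scenarios():
    """Return {scenario: (source after NAT, encrypted)} for each configuration."""
    return {
        "plain static nat, to vpn": forward(MAIL_SERVER, REMOTE_HOST, None, CRYPTO_ACL, STATIC_MAP),
        "route-map, to vpn": forward(MAIL_SERVER, REMOTE_HOST, ROUTE_MAP_ACL, CRYPTO_ACL, STATIC_MAP),
        "route-map, to internet": forward(MAIL_SERVER, INTERNET_HOST, ROUTE_MAP_ACL, CRYPTO_ACL, STATIC_MAP),
        "wrong wildcard, to vpn": forward(MAIL_SERVER, REMOTE_HOST, ROUTE_MAP_ACL_WRONG_MASK, CRYPTO_ACL, STATIC_MAP),
    }


if __name__ == "__main__":
    for name, (src, enc) in run_scenarios().items():
        print(f"{name:28s} source={src:14s} encrypted={enc}")
```

With a plain static NAT the packet to 10.1.99.20 leaves with source 81.222.33.90 and never matches the crypto ACL, which is exactly the symptom in the thread; with the route-map it keeps 10.1.110.10 and is encrypted, while traffic to the Internet is still translated. The wrong-mask scenario reproduces the original symptom, which is a useful check to run (`show ip nat translations`, `show crypto ipsec sa`) if the route-map appears not to take effect.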

6 Replies

jackko
Level 7

Create an ACL:

access-l 100 deny ip
access-l 100 permit ip any

Apply the ACL above to the route-map:

route-map test permit 1
 match ip address 100

Hi, thank you for your answer,

but I already made the entry in the ACL "inside-outside" which I apply to the route-map test (see attachment).

Wondering if 10.1.99.20 can access anything from 10.1.110.0/24 but not the .10 mail server, right?

Yes, that's right.

I can only reach the mail server 10.1.110.10 over its static NAT address 81.222.33.90, not through the VPN tunnel.


Hi Shijo,

thank you very much for your support.

Everything is working fine now.

Your post was very helpful!

have a good time

best regards

Heiko