
Cisco 2801 VPN connection to Netscreen Firewall

I have a VPN connection from my site to a Netscreen firewall at the client's end, with the following setup (sent by the Netscreen system administrator):

''My tunnel endpoint address:

Your tunnel endpoint address:

Your encryption domain (the addresses routed into that tunnel): Host (defined as host, NOT as /32 network)

My encryption domain (the addresses behind my tunnel endpoint):


Granted connectivity:

Destination: (translated to internal private address)

Services: ICMP Echo request, TCP 22 (ssh), TCP 7114


Because we use private addresses in the range 10/8 for internal use, and these addresses frequently conflict with the internally used network addresses of our partners, we usually offer an exclusive range of addresses, namely public addresses somewhere around 201.56.129.*, as destination addresses at our end. These addresses are never used for any purpose other than NAT inside VPN tunnels. In addition, these addresses do not overlap with the networks where the tunnel endpoint addresses themselves reside.

For you that simply means that your systems ALWAYS talk to 201.56.129.* addresses at my end. It is my responsibility to translate such addresses to the internal addresses of the systems behind.

On the other hand, whenever an internal system at your side talks to, you have to ensure that the source address is replaced with, so that my system can properly route the packets back to my VPN firewall and into the proper VPN tunnel.

There is only one tricky point at your end: as the tunnel endpoint address is identical to the encrypted destination address, your device must handle this situation properly.''


I have a Cisco 2801 at my side of the VPN. From my router config:


crypto map CRYPTO 20 ipsec-isakmp
 set peer
 set transform-set TELCOM
 set pfs group2
 match address 102


The access list consists of only one entry:


access-list 102 permit ip host 62.10068.171 (crypto map acl list)

The public address of my communication server is. The system works OK, and I have no problem but one: I do not want to have the public address reachable from the Internet. So I have to NAT my server's public address:

ip nat inside source static

where is the server's private address. What was done is basically that the above instruction was included in the Cisco setup. Certainly, I have deleted the public address from the communication server and added its private address instead to its connection setup.

The problem is that the application program on my communication server does not work. My crypto map was not changed after my reading of the NAT order of operations.

My question is why my system does not work. Do I have to change anything in my crypto map?
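As an added illustration (this is not part of the original post or of the administrator's note), the configuration pattern below puts the pieces of the question together on one router. On IOS, a packet travelling inside-to-outside is translated by NAT before the crypto map is consulted, and a packet travelling outside-to-inside is decrypted before NAT is applied; the crypto ACL is therefore always matched against the translated (public) source address, which is the address the remote side lists as the encryption domain. All addresses here are assumed placeholders from the RFC 5737 documentation ranges, not the poster's real ones, and the interface names are likewise assumed.

```cisco
! Assumed example addresses (RFC 5737 documentation ranges, not the poster's):
!   192.0.2.10      public address the remote side lists as our encryption domain
!   10.1.1.10       private address of the communication server
!   203.0.113.1     remote tunnel endpoint, which per the note is also the
!                   encrypted destination address
!   198.51.100.1    this router's outside interface
!
! Inside-to-outside: NAT runs before the crypto map check, so the crypto ACL
! must name the translated (public) source address.
! Outside-to-inside: decryption runs before NAT, so the decrypted packet,
! addressed to 192.0.2.10, is then translated back to 10.1.1.10.

interface FastEthernet0/0
 description inside LAN (assumed interface name)
 ip address 10.1.1.1 255.255.255.0
 ip nat inside

interface FastEthernet0/1
 description Internet (assumed interface name)
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
 crypto map CRYPTO

! One-to-one static translation for the server only
ip nat inside source static 10.1.1.10 192.0.2.10

! Crypto ACL matches the post-NAT source; one host on each side, as the
! remote note requires (host, not a /32 network)
access-list 102 permit ip host 192.0.2.10 host 203.0.113.1

crypto map CRYPTO 20 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TELCOM
 set pfs group2
 match address 102
```

Two things to check when verifying a setup like this: `show ip nat translations` should show 10.1.1.10 mapped to 192.0.2.10, and `show crypto ipsec sa` should show the SA's local identity as 192.0.2.10/32 rather than the private address. Note also that a static translation by itself does not stop Internet hosts from reaching 192.0.2.10; limiting that is a separate inbound filtering question on the outside interface.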
