Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and a static

Hello

my problem is not really the IPSec connection between the two devices (it's already running ...) But my problem is that I have a mail-server on the Cisco site, which have a static NAT from inside to outside. Because of the static NAT I can not see the server in the VPN tunnel. I found a document which describes almost the problem:

"Configuring a Router IPSEC Tunnel Private-to-Private Network with NAT and a Static" (Document ID 14144)

NAT takes place before the crypto check !

In that document the solution is "policy routing" by using a loopback interface. But, how can I manage that with the Netscreen firewall. Have anybody an idea ?

thanks for any support

best regards

heiko

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and

Hi,

Try modifying your static NAT with a policy based static NAT.

i.e static NAT shouldn't be applicable for the VPN traffic

route-map static permit 1

match ip address 104

access-list 104 deny ip host 10.1.110.10 10.1.0.0 255.255.0.0

access-list 104 permit ip host 10.1.110.10 any

ip nat inside source static 10.1.110.10 81.222.33.90 route-map static

HTH

Regards,

Shijo George.

6 REPLIES
Gold

Re: IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and

create an acl

access-l 100 deny ip

access-l 100 permit ip any

apply the acl above to route-map

route-map test permit 1

match ip address 100

Community Member

Re: IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and

hi, thank you for your answer

but I already made the entry in the acl "inside-outside" which I apply to the route-map test (see attachement)

Gold

Re: IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and

wondering if 10.1.99.20 can access anything from 10.1.110.0/24 but not the .10 mail server, right?

Community Member

Re: IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and

yes, thats right

I only can reach the mail-server 10.1.110.10

over its static NAT address 81.222.33.90 not

through the VPN tunnel.

Bronze

Re: IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and

Hi,

Try modifying your static NAT with a policy based static NAT.

i.e static NAT shouldn't be applicable for the VPN traffic

route-map static permit 1

match ip address 104

access-list 104 deny ip host 10.1.110.10 10.1.0.0 255.255.0.0

access-list 104 permit ip host 10.1.110.10 any

ip nat inside source static 10.1.110.10 81.222.33.90 route-map static

HTH

Regards,

Shijo George.

Community Member

Re: IPSec Tunnel between Cisco 2801 and Netscren 50 with NAT and

Hi Shijo

thank you very much for your support.

Everything is working fine now.

Your post was very helpfull !

have a good time

best regards

Heiko

295
Views
5
Helpful
6
Replies
CreatePlease to create content