Cisco Support Community

New Member

NAT/PAT over VPN

I have looked through the posts and thought I found my solution. Unfortunately, I am still no go. I am trying to connect to a Checkpoint VPN concentrator and my peer requires me to NAT my traffic to an external address. Here is my config (I hope you can follow my convention):

access-list 102 permit ip host x.x.x.x y.y.y.y 255.255.255.0

access-list 103 permit ip host x.x.x.x y.y.y.y 255.255.255.0

access-list 104 permit ip 192.168.200.0 255.255.255.0 y.y.y.y 255.255.255.0

ip address outside w.w.w.w 255.255.255.224

ip address inside 192.168.3.1 255.255.255.0

global (outside) 1 interface

global (outside) 2 x.x.x.x netmask 255.255.255.255

nat (inside) 2 access-list 104 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map mmlmap 30 ipsec-isakmp

crypto map mmlmap 30 match address 103

crypto map mmlmap 30 set peer y.y.y.y

crypto map mmlmap 30 set transform-set myset

crypto map mmlmap 30 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map mmlmap interface outside

isakmp enable outside

isakmp key ******** address y.y.y.y netmask 255.255.255.255

isakmp identity address

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption 3des

isakmp policy 30 hash md5

isakmp policy 30 group 2

isakmp policy 30 lifetime 64800

1 REPLY
New Member

Re: NAT/PAT over VPN

I found the problem. My other VPN tunnel requires sysopt ipsec pl-compatible. Unfortunately, this tunnel won't work with that option. I assume there is no way to have both tunnels work.
