Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

NAT traffic over a IPSec tunnel (ISR)

Hi.

I's suppose to setup i IPSec tunnel between an 1811 and some sort of CheckPoint firewall. The IPSec part isen't that big of a deal, but the system manager on the "CheckPoint side" want the traffic though the tunnel should originate from a public IP-address, and only one source IP-address.

So, Let say that my ISP have given me 10.10.1.1 - 10.10.1.5, our inside clients have an IP-address from the range 192.168.10.0/24, and the remote application in the "Checkpoint site" has the IP-address 172.16.1.10. The result of this should be:

IPSec tunnel is created using the 10.10.1.1 IP-address.

The traffic from the 192.168.1.0/24 clients should access the application at 172.16.1.10 using 10.10.1.2 as source address OVER the IPSec tunnel.

Is this possible? I guess that it would mean that I have to NAT the traffic going though the IPSec tunnel, but I'm having trouble getting this to work. I have googled all day long looking for something similar.

Anyone who could shed some light? Any insight appreciated.

                 

Sheers!

/Johan Christensson

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions

NAT traffic over a IPSec tunnel (ISR)

Yes, this is possible.  This should get you what you need.  Let us know if it works or not.

ip access-list extended policy-NAT

permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10

ip nat pool LAN-Checkpoint 10.10.1.2 10.10.1.2 netmask 255.255.255.0

ip nat inside source list policy-NAT pool LAN-Checkpoint overload

2 REPLIES

NAT traffic over a IPSec tunnel (ISR)

Yes, this is possible.  This should get you what you need.  Let us know if it works or not.

ip access-list extended policy-NAT

permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10

ip nat pool LAN-Checkpoint 10.10.1.2 10.10.1.2 netmask 255.255.255.0

ip nat inside source list policy-NAT pool LAN-Checkpoint overload

Community Member

Thanks jjohnston1127!Well, i

Thanks jjohnston1127!

Well, i guess that it would work, and I wasen't that far off, but got stuck in the "ip nat inside" rule when I where to specify either a pool och an interface. It diden't accur to me that a pool chould just consist of 1 IP-address.

How ever, this raised a new problem. The "match address" access-list that I use in the crypto map for the IPSec configuration currently looks something like this:
access-list 150 permit ip host 10.10.1.2 host 172.16.1.10

If i change it to something like this, the tunnel negotiation get triggerd.
access-list 150 permit ip 192.168.1.0 0.0.0.255 host 172.16.1.10

How ever i assume that the negotiation failes because the tunnel configuration in my router has a different "local network" than the "remote network" at the Checkpoint site.

Is this because that the NAT'ing dosen't get processed before the IPSec configuration?

Can this behavior be changed?

Best regards,
Johan Christensson

720
Views
0
Helpful
2
Replies
CreatePlease to create content