Re: Cyrpto Connectivity...

kevin.atwood · ‎10-12-2005

Hello,

I've got a crypto map setup and working fine to a client. On our side, we've got a NAT pool of 1 address that is PAT'ed so all traffic to their subnet is PAT'ed accross this IP.

I'm trying to allow access from another client who is connected via a crpto map, to the other client's subnets through the PAT'ed IP...but I'm not seeing any translations when trying to ping from the second client.

Has anyone been able to connect the two clients through this type of config?

Thanks,

Kevin

Richard Burts · ‎10-12-2005

Kevin

Does the address translation (NAT/PAT) use an access list to identify what traffic to translate? If so does that access list include traffic sourced from the second client as being permitted?

It might be easier to help you find a solution if you would post the parts of the configuration that deal with the translation (and perhaps the parts that deal with the encryption).

HTH

Rick

HTH

Rick

kevin.atwood · ‎10-12-2005

crypto map Client 15 ipsec-isakmp

description Client 1

set peer ***.***.***.70

set security-association lifetime seconds 86400

set security-association idle-time 86400

set transform-set rtpset vpnset

match address 116

crypto map Client 19 ipsec-isakmp

description Client 2

set peer ***.***.***.51

set security-association lifetime seconds 86400

set security-association idle-time 86400

set transform-set vpnset

match address 120

ip nat pool nat-pool 172.23.2.7 172.23.2.7 netmask 255.255.255.0

ip nat inside source list 185 pool nat-pool mapping-id 10 overload

ip access-list extended 120

permit ip host 172.23.103.6 192.168.12.0 0.0.0.255

access-list 116 permit ip host 172.23.2.7 host 172.23.103.6

access-list 185 permit ip any 172.23.0.0 0.0.255.255

kevin.atwood · ‎10-12-2005

Oops...for got a reply with the config post...

Yes...any destined for the subnet going throught he PAT'ed IP.

Thanks for the reply.

Kevin