I'm busy setting up a lan-to-lan connection between a 3005 and a Windows W2k3 server. I've followed the instructions in Cisco's "2000.pdf" and managed to get the connection up.
My problem now is that the clients behind the 3005 need to access a FTP server on the w2k3 box. The FTP server is listening on the same IP as where the lan-to-lan connection is terminated.
The following is working/not working:
- w2k3 box can initiate the lan-to-lan with a ping
- 3005 can initiate the lan-to-lan with a ping
- client behind 3005 cannot initiate the lan-to-lan
- client behind 3005 cannot ping or ftp the w2k3 box when tunnel is initiated
- when running a tracert from client to w2k3 box the packets take the right route (i.e. via the 3005) so it's no routing problem
Should this connection be in transport or in tunnel mode? Logically thinking in transport as the FTP server is on the endpoint, right? Will I still be able to use lan-to-lan NAT rules if running in transport mode?
Thank you very much for your help.
Transport mode IPSec is used only in cases where the tunnel end-points originate the traffic to be encrypted.
In your case, this holds good at Win2K side, but not at 3005 side as it is not the 3005, but clients behind 3005 who want to connect to the FTP server.
Please try configuring tunnel mode.
Thanks for clearing that up for me.
I can get it to work with both transport and tunnel mode. The issue here is that the clients behind the 3005 cannot send traffic over the tunnel nor can they initiate the tunnel creation. Only the endpoints are able to do so (w2k3 and 3005). Packets are routed correctly to the 3005 but it seems that the 3005 doesn't "understand" that it should create the tunnel and send the packets on to the w2k3.
I set up a lan-to-lan NAT rule on the 3005 as well. I'm not sure if I should use a PAT or a static NAT. It doesn't work with PAT anyway.
It works now.
First of all in this kind of setup do not follow Cisco's "2000.pdf". Just create a default IPSec policy on the Windows machine with the right pre-shared key. No IP addresses need to be entered in this policy.
Then create a lan-to-lan on your 3005 in tunnel mode. Make sure routing is set up correctly so clients behind the 3005 can reach the Windows machine. Also be sure to check the automatically created filter for the outgoing lan-to-lan connection. I had to change the source IP there to my private range instead of the public IP address of the public interface.
Thanks for all the help.
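Two things in this thread are worth seeing side by side: the transport-versus-tunnel point in the first reply (transport mode only protects traffic the endpoints themselves originate) and the final fix (tunnel mode, with the outgoing filter's source changed from the 3005's public address to the private range). The toy model below, written for this thread and not taken from Cisco's VPN 3000 or Windows IPsec code, evaluates a packet against a traffic selector the way an "interesting traffic" check does. All addresses are constructed placeholders (RFC 5737 and RFC 1918 ranges), not the poster's networks, and the selector/encapsulation logic is a deliberate simplification of the real policy engines.

```python
"""Toy model of IPsec traffic selection and encapsulation.

Constructed for illustration; not the Cisco VPN 3005 or Windows IPsec
implementation. Addresses are placeholders, not the poster's real ones.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed placeholder addresses.
VPN3005_PUBLIC = ip_address("198.51.100.10")     # 3005 public interface
W2K3_PUBLIC = ip_address("203.0.113.20")         # Windows endpoint, also the FTP server
LAN_BEHIND_3005 = ip_network("192.168.10.0/24")  # clients behind the 3005
A_CLIENT = ip_address("192.168.10.25")           # one client on that LAN


def host(addr: IPv4Address) -> IPv4Network:
    """Single-host selector for an endpoint address."""
    return ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Selector:
    """Outbound half of an IPsec policy: which src->dst traffic the SA covers.

    mode is "transport" (no outer header; only endpoint-originated traffic
    makes sense) or "tunnel" (inner packet wrapped in an outer header
    between the two gateways).
    """
    mode: str
    src: IPv4Network   # allowed inner source, as seen leaving the 3005
    dst: IPv4Network   # allowed inner destination

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


def encapsulate(sel: Selector, src: IPv4Address, dst: IPv4Address):
    """Return the outer (src, dst) the protected packet would carry, or None
    if the selector does not cover this traffic (it leaves in the clear or
    is dropped by the filter, depending on the platform)."""
    if not sel.matches(src, dst):
        return None
    if sel.mode == "transport":
        return (src, dst)                      # original header kept
    return (VPN3005_PUBLIC, W2K3_PUBLIC)       # tunnel: gateway-to-gateway outer header


# Transport mode: only the endpoints' own traffic is covered.
TRANSPORT = Selector("transport", host(VPN3005_PUBLIC), host(W2K3_PUBLIC))
# Tunnel mode, but the auto-created filter still names the public interface
# as source (the state the poster found).
TUNNEL_PUBLIC_SRC = Selector("tunnel", host(VPN3005_PUBLIC), host(W2K3_PUBLIC))
# Tunnel mode with the source changed to the private range (the working fix).
TUNNEL_FIXED = Selector("tunnel", LAN_BEHIND_3005, host(W2K3_PUBLIC))


def evaluate(sel: Selector) -> dict:
    """Which of the thread's cases work under a given selector."""
    return {
        "3005_ping": encapsulate(sel, VPN3005_PUBLIC, W2K3_PUBLIC) is not None,
        "client_ftp": encapsulate(sel, A_CLIENT, W2K3_PUBLIC) is not None,
    }


if __name__ == "__main__":
    for name, sel in (("transport", TRANSPORT),
                      ("tunnel, public src", TUNNEL_PUBLIC_SRC),
                      ("tunnel, private src", TUNNEL_FIXED)):
        print(f"{name:20s} {evaluate(sel)}")
```

Running it shows why the symptom list in the first post looks the way it does: the endpoints' own pings match in every mode, but a client packet only matches once the selector's source covers the private range, and only tunnel mode can then carry that private source inside a gateway-to-gateway outer header.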